Modification : mk_{dir,reg} -> install .
#!/bin/sh
# vm_hosted: administration rules (the rule_* functions below) for the VM, run from
# inside the VM itself; `vm_hosted help' lists them (see rule_help).
# -e: abort on the first failing command; -f: no globbing (rules needing it use `set +f');
# -u: unset variables are errors; DRY_RUN=<non-empty> adds -n, so the rest of the file is
# only parsed, never executed.
set -e -f ${DRY_RUN:+-n} -u
# Directory holding this script; lib/ and etc/ are resolved relative to it.
# NOTE(review): ${0%/*} leaves $0 unchanged when it contains no `/' (e.g. `sh vm_hosted'),
# in which case the two `.' lines below look for vm_hosted/lib/... and fail.
tool=${0%/*}
# The helpers used below (rule, assert, warn) and the vm_* settings ($vm_fqdn, $vm_ipv4,
# $vm_lvm_vg, ...) come from these two files — which one defines what is not visible here.
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
6
rule_help () { # SYNTAX: [--hidden]
	# Print the usage text on stderr. The RULES and ENVIRONMENT sections are generated by
	# grepping this file and etc/vm.sh for `rule_NAME () {' and `readonly NAME=' lines, so
	# every rule must keep that exact signature shape. Without an argument, rules whose
	# name starts with `_' are left out; any argument (e.g. --hidden) lists them too.
	local hidden=
	if [ -z "${1:-}" ]; then
		hidden=set
	fi
	cat >&2 <<-EOF
	DESCRIPTION:
	ce script regroupe des règles pour administrer la VM ($vm_fqdn)
	_depuis_ la VM hébergée ($vm_fqdn) ;
	il sert à la fois d'outil (aisément bidouillable)
	et de documentation (préçise).
	Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
	ENVIRONMENT:
	TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
	EOF
}
24
rule_git_config () {
	# Point the checkout's master branch at the `.' remote so that
	# `git pull' merges refs/remotes/master (the branch pushed from the host).
	(
		cd "$tool"
		git config --replace-all branch.master.remote .
		git config --replace-all branch.master.merge refs/remotes/master
	)
}
rule_git_reset () {
	# Hard-reset the checkout to refs/remotes/master. `clean -f -d -x' also deletes
	# untracked and ignored files under $tool, so local edits there are lost.
	(
		cd "$tool"
		git checkout -f -B master remotes/master
		git clean -f -d -x
	)
}
39
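rule_apt_get_install () { # SYNTAX: $package
	# Install the given package(s) unless the first one is already installed.
	# dpkg -s exits non-zero for an unknown package, but as a `case' word the substitution's
	# status is ignored and the empty output simply falls through to the install branch.
	case $(dpkg -s "$1" | grep '^Status: ') in
	("Status: install ok installed");;
	(*)
		# Record pending /etc changes with etckeeper before the package manager touches /etc.
		# NOTE(review): `etckeeper unclean' exits 0 when /etc has UNcommitted changes;
		# confirm the polarity expected by assert (lib/rule.sh) matches that.
		test ! -x /usr/bin/etckeeper ||
		assert 'sudo etckeeper unclean'
		# Callers pass package names only (`rule apt_get_install apticron'), so the
		# `install' sub-command must be supplied here; forwarding "$@" alone would run
		# `apt-get apticron', which apt-get rejects as an invalid operation.
		sudo apt-get install "$@";;
	esac
}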
49
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
	# Force a C locale for the current shell, then load the system profile
	# (hidden rule, presumably meant for use inside a chroot).
	LANG=C
	LC_CTYPE=C
	export LANG LC_CTYPE
	. /etc/profile
}
55
rule_apt_configure () {
	# Write the APT sources for the release named in $vm_lsb_name, a (commented-out)
	# backports list, pinning that prefers backports (200) over the release (170),
	# and the OpenERP nightly repository.
	# NOTE(review): GNU install(1) spells the owner option `-o'; `-u' is only accepted if
	# install is wrapped by lib/rule.sh — confirm (the same flag is used throughout this file).
	# NOTE(review): mode 660 makes these lists unreadable by unprivileged users (e.g.
	# `apt-cache policy' as a normal user); 644 is the usual mode for them.
	sudo install -m 660 -u root -g root /dev/stdin /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	EOF
	sudo install -m 660 -u root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	sudo install -m 660 -u root -g root /dev/stdin /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	sudo install -m 660 -u root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
}
rule_apticron_configure () {
	# Install apticron and point its pending-upgrade reports at admin@$vm_domainname;
	# every other setting is left commented out, i.e. at apticron's default.
	rule apt_get_install apticron
	sudo install -m 644 -u root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
	EMAIL="admin@$vm_domainname"
	# DIFF_ONLY="1"
	# LISTCHANGES_PROFILE="apticron"
	# ALL_FQDNS="1"
	# SYSTEM="foobar.example.com"
	# IPADDRESSNUM="1"
	# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
	# NOTIFY_HOLDS="0"
	# NOTIFY_NEW="0"
	# NOTIFY_NO_UPDATES="0"
	# CUSTOM_SUBJECT=""
	# CUSTOM_NO_UPDATES_SUBJECT=""
	# CUSTOM_FROM="root@$vm_fqdn"
	EOF
}
rule_boot_configure () {
	# Install GRUB (without writing it to any disk — this is a Xen guest) and the kernel,
	# write /etc/default/grub and the device map, then regenerate grub.cfg and the initramfs.
	warn "attention à n'installer GRUB sur AUCUN disque proposé !"
	rule apt_get_install grub-pc
	# NOTE(review): -m 644 on a directory omits the search (x) bit, so only root can
	# traverse /boot/grub; 755 is the usual mode. `-u' is not a GNU install(1) option
	# (owner is -o) — confirm install is wrapped by lib/rule.sh.
	sudo install -d -m 644 -u root -g root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	# Kernel command line: Xen console (hvc0), a static ip= so the initramfs has networking
	# before the root volume is opened (presumably for the dropbear unlock shell set up in
	# rule_initramfs_configure), and resume from the decrypted swap volume.
	sudo install -m 644 -u root -g root /dev/stdin /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	# (hd0) is given both as the guest's view (/dev/xvda) and as the dom0 LVM device name,
	# whose dashes device-mapper doubles (hence the sed).
	sudo install -m 644 -u root -g root /dev/stdin /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_configure
}
rule_etckeeper_configure () {
	# Put /etc under git with etckeeper: no daily autocommits, no commit before package
	# installs (rule_apt_get_install asserts on `etckeeper unclean' itself). The config is
	# written before the package so that its postinst presumably picks it up on first init.
	sudo install -m 644 -u root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
	VCS=git
	GIT_COMMIT_OPTIONS=""
	AVOID_DAILY_AUTOCOMMITS=1
	#AVOID_SPECIAL_FILE_WARNING=1
	AVOID_COMMIT_BEFORE_INSTALL=1
	HIGHLEVEL_PACKAGE_MANAGER=apt
	LOWLEVEL_PACKAGE_MANAGER=dpkg
	EOF
	rule apt_get_install etckeeper
}
rule_filesystem_configure () {
	# fstab: /boot by label, root/var/home/swap on LUKS-decrypted LVM volumes, tmpfs /tmp.
	sudo install -m 644 -u root -g root /dev/stdin /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
	# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	# crypttab: only the root volume takes a passphrase (key file `none'); var, home and
	# swap use the decrypt_derived keyscript with the opened root volume as their "key",
	# i.e. their key is derived from root's master key, so one passphrase unlocks everything
	# (and the root volume's master key protects all four).
	sudo install -m 644 -u root -g root /dev/stdin /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	# NOTE(review): sysctl.conf(5) only documents whole-line comments (`#'/`;' at line
	# start); the trailing `# NOTE…' on the swappiness line is handed to the kernel as part
	# of the value — move it to a line of its own.
	sudo install -m 644 -u root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
	vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
	vm.vfs_cache_pressure=50
	EOF
}
rule_initramfs_configure () {
	# Build an initramfs that brings up eth0 and runs dropbear, so the root LUKS volume
	# can be unlocked over SSH; its authorized_keys is the union of the sudo group's keys.
	sudo install -m 644 -u root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	# Xen paravirtual drivers for the network and block devices.
	sudo install -m 644 -u root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	# Crypto modules needed to open the LUKS volumes.
	sudo install -m 644 -u root -g root /dev/stdin /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	sudo install -m 644 -u root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
	EOF
	# Drop the trailing `&' so configure_networking runs synchronously before dropbear starts.
	# NOTE(review): this edits a file owned by the dropbear package under /usr/share; the
	# next package upgrade silently reverts it.
	sudo sed -e '/^configure_networking /s/ &$//' \
	-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# NOTE: works around a bug: dropbear must wait for the network to be configured.
	# Keep the existing dropbear host key when the tool's known_hosts already records an
	# RSA key for init.$vm_fqdn (so clients' known_hosts stay valid); otherwise generate a
	# fresh 4096-bit one. Only the presence of an entry is checked, not that the key on disk
	# matches it. `return' inside the ( ) subshell ends the subshell; the `break' after it
	# is unreachable.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	done; return 1 ) ||
	{
	sudo rm -f \
	/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
	/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	sudo dropbearkey -t rsa -s 4096 -f \
	/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: does not deal with dropbear_dss_host_key; Debian generates and uses it anyway.
	# NOTE(review): -m 640 on directories omits the search (x) bit; root bypasses that but
	# nothing else can traverse them — 700 is the usual mode for a root .ssh directory.
	sudo install -d -m 640 -u root -g root \
	/etc/initramfs-tools/root \
	/etc/initramfs-tools/root/.ssh
	# For every member of group sudo, collect ~user/etc/ssh/authorized_keys. The inner
	# here-doc splits the comma-separated member list one name at a time; `eval' is used only
	# to get tilde expansion of ~$user (names come from the system group database). Both
	# loops run in pipeline subshells, hence `local' has no effect outside them.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
	$users
	EOF
	do eval local home\; home="~$user"
	cat "$home"/etc/ssh/authorized_keys
	done
	done |
	sudo install -m 644 -u root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
	# Remove the client key pair Debian's dropbear hook drops into the initramfs root's .ssh.
	sudo rm -f \
	/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
	/etc/initramfs-tools/root/.ssh/id_rsa.pub \
	/etc/initramfs-tools/root/.ssh/id_rsa
	# NOTE: keys generated by Debian
	sudo update-initramfs -u
}
rule_locale_configure () {
	# Declare the single fr_FR.UTF-8 locale and refresh /etc/default/locale.
	# NOTE(review): update-locale only rewrites /etc/default/locale; generating the locale
	# listed in /etc/locale.gen needs locale-gen (or dpkg-reconfigure locales) — confirm it
	# runs somewhere else.
	printf '%s\n' 'fr_FR.UTF-8 UTF-8' |
	sudo install -m 644 -u root -g root /dev/stdin /etc/locale.gen
	sudo update-locale
}
rule_login_configure () {
	# Console logins: allow root on the Xen consoles hvc0/xvc0 (appended idempotently to
	# /etc/securetty), spawn a getty on hvc0, and set site-wide login.defs and pam_umask.
	grep -q '^hvc0$' /etc/securetty ||
	sudo install -m 644 -u root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	hvc0
	EOF
	grep -q '^xvc0$' /etc/securetty ||
	sudo install -m 644 -u root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	xvc0
	EOF
	# A full sysvinit inittab: the only getty is on the Xen console (no tty1..6).
	sudo install -m 644 -u root -g root /dev/stdin /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.

	# The default runlevel.
	id:2:initdefault:

	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS

	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin

	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.

	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin

	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop

	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0
	EOF
	# login.defs: group-writable default umask (007, see the author's note inside), sbin in
	# every user's PATH, SHA512 password hashes, 3 login retries, user-private groups.
	sudo install -m 644 -u root -g root /dev/stdin /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	# pam_umask makes the UMASK above apply to PAM sessions too (appended once).
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	sudo install -m 644 -u root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
	$(cat /etc/pam.d/common-session)
	session optional pam_umask.so
	EOF
}
rule_network_configure () {
	# Hostname, a loopback /etc/hosts entry for the FQDN (appended once), and a single
	# static /32 on eth0 whose gateway is the address itself (proxy ARP on the router,
	# per the author's note) with the MTU imposed by the upstream GRE/IPsec tunnels.
	sudo install -m 644 -u root -g root /dev/stdin /etc/hostname <<-EOF
	$vm
	EOF
	grep -q " $vm\$" /etc/hosts ||
	sudo install -m 644 -u root -g root /dev/stdin /etc/hosts <<-EOF
	$(cat /etc/hosts)
	127.0.0.1 $vm_fqdn $vm
	EOF
	# `\$((…))' and `\$IFACE' are escaped so they reach the file literally (the ping
	# transcript is a comment; \$IFACE is expanded by ifupdown at run time).
	sudo install -m 644 -u root -g root /dev/stdin /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask 255.255.255.255
	mtu 1300
	# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
	# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
	#
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
	# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
	#
	# --- soupirail.grenode.net ping statistics ---
	# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
	# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
	# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
	#
	# --- soupirail.grenode.net ping statistics ---
	# 0 packets transmitted, 0 received, +1 errors
	post-up ip address add $vm_ipv4/32 dev \$IFACE
	pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}
rule_user_configure () {
	# Account skeleton (~/etc, ~/var with .ssh and .gnupg as symlinks into ~/etc), the SSH
	# host key and sshd_config, and the sudo rules that let members of group sudo initialise
	# their own password once (passwd-init) and run `etckeeper unclean' without a password.
	sudo install -d -m 750 -u root -g adm \
	/etc/skel/etc \
	/etc/skel/etc/ssh
	sudo install -d -m 770 -u root -g adm \
	/etc/skel/etc/apache2 \
	/etc/skel/var \
	/etc/skel/var/log \
	/etc/skel/var/cache \
	/etc/skel/var/cache/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# Keep the current RSA host key if the tool's known_hosts already records one for
	# $vm_fqdn (so clients are not surprised by a key change); otherwise generate a
	# 4096-bit key with no passphrase. Only the known_hosts entry is checked, not that
	# /etc/ssh/ssh_host_rsa_key actually matches it.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# RSA becomes the only host key (sshd_config below lists only that HostKey).
	sudo rm -f \
	/etc/ssh/ssh_host_dsa_key \
	/etc/ssh/ssh_host_dsa_key.pub \
	/etc/ssh/ssh_host_ecdsa_key \
	/etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian
	# sshd: public-key only (PasswordAuthentication and ChallengeResponseAuthentication are
	# off), keys read from ~/etc/ssh/authorized_keys, no X11 forwarding, bound to $vm_ipv4.
	# NOTE(review): PermitRootLogin yes gives direct root access to every key collected into
	# /root/etc/ssh/authorized_keys by rule_user_root_configure; `without-password' (or
	# `prohibit-password') would at least make the key-only intent explicit.
	# NOTE(review): Protocol, RSAAuthentication, RhostsRSAAuthentication,
	# KeyRegenerationInterval and ServerKeyBits are SSH-1 era options that OpenSSH 7.x+
	# reports as deprecated or unsupported (UsePrivilegeSeparation too) — check against
	# the target release's sshd before relying on `service ssh restart' succeeding.
	sudo install -m 644 -u root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression yes
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin yes
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	# NOTE(review): a config rejected by sshd leaves the VM without SSH after this restart;
	# `sudo sshd -t' before it would catch that while the current session is still open.
	sudo service ssh restart
	# sudoers fragments. The heredocs are unquoted: `\\' yields the `\' line continuation
	# sudoers expects and `\$' keeps the variables literal. The passwd-init rule matches one
	# exact /bin/sh -c command line that runs passwd for \$SUDO_USER only while that account's
	# password is locked (`passwd --status' reports `L'), i.e. a one-shot initialisation;
	# \$SUDO_USER is set by sudo itself, not by the caller.
	# NOTE(review): sudo expects sudoers.d fragments to be mode 0440 and refuses more
	# permissive ones — confirm 640 is accepted (`visudo -c' will tell).
	sudo install -m 640 -u root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	sudo install -m 640 -u root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	sudo install -m 640 -u root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
	Defaults env_keep = " \\
	EDITOR \\
	GIT_AUTHOR_NAME \\
	GIT_AUTHOR_EMAIL \\
	GIT_COMMITTER_NAME \\
	GIT_COMMITTER_EMAIL \\
	"
	EOF
	# The user-facing wrapper for the sudoers rule above; its command string must match the
	# sudoers entry exactly for NOPASSWD to apply.
	sudo install -m 755 -u root -g root /dev/stdin /usr/local/sbin/passwd-init <<-EOF
	#!/bin/sh -efu
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
	sudo /bin/sh -e -f -u -c \
	'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
}
rule_user_root_configure () {
	# root's ~/etc layout with .ssh/.gnupg symlinks, an authorized_keys that is the union of
	# every sudo-group member's ~user/etc/ssh/authorized_keys (so each admin can log in as
	# root directly, cf. PermitRootLogin in rule_user_configure), and the tool's OpenPGP
	# public keys imported into root's keyring.
	sudo install -d -m 750 -u root -g adm \
	/root/etc \
	/root/etc/ssh \
	/root/etc/gpg
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	# Same aggregation as in rule_initramfs_configure: the inner here-doc splits the
	# comma-separated member list; `eval' only serves the tilde expansion of ~$user.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
	$users
	EOF
	do eval local home\; home="~$user"
	cat "$home"/etc/ssh/authorized_keys
	done
	done |
	sudo install -m 640 -u root -g root /dev/stdin /root/etc/ssh/authorized_keys
	# `local -' (dash/bash extension) restores the shell options on return, so globbing
	# (set +f) is re-enabled only for the *.key loop below.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}
rule_bin_configure () {
	# Put this script on the PATH as /usr/local/sbin/vm_hosted (a symlink into the checkout).
	# NOTE(review): run through that symlink, $0 is /usr/local/sbin/vm_hosted, so the
	# top-of-file tool=${0%/*} becomes /usr/local/sbin and lib/rule.sh and etc/vm.sh are
	# looked up there — confirm they are reachable that way.
	local bindir
	bindir=/usr/local/sbin/
	sudo ln -fns "$tool"/vm_hosted "$bindir"
}
rule_configure () {
	# Run every *_configure rule in a fixed order (presumably dependency order: etckeeper
	# first so the rest is versioned, boot_configure after the users so the initramfs it
	# regenerates embeds their keys); any failing rule aborts the sequence under set -e.
	local step
	for step in \
		etckeeper_configure \
		locale_configure \
		network_configure \
		apt_configure \
		filesystem_configure \
		login_configure \
		user_root_configure \
		boot_configure \
		apticron_configure \
		bin_configure
	do rule "$step"
	done
}
477
rule_luks_key_change () {
	# Replace a passphrase of the root LUKS volume (cryptsetup prompts for the old and the
	# new one). The other volumes need no change: their keys derive from root's master key
	# (decrypt_derived in /etc/crypttab), which a passphrase change does not alter.
	local root_lv
	root_lv=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$root_lv"
}
481
rule_user_admin_configure () {
	# Propagate the admin (sudo group) keys to where they grant access: the initramfs
	# dropbear authorized_keys and root's own authorized_keys.
	local step
	for step in initramfs_configure user_root_configure
	do rule "$step"
	done
}
rule_user_admin_add () { # SYNTAX: $user
	# Create an administrator: a password-less account added to group sudo, whose public
	# key (from the tool's var/pub/ssh) becomes its authorized_keys, then re-run the rules
	# that embed sudo-group keys in the initramfs and in root's authorized_keys. Membership
	# of group sudo also grants the NOPASSWD rules written by rule_user_configure.
	local user=$1
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password has to be initialised by the user with passwd-init.
	# `eval' only serves the tilde expansion of ~$user; $user is the operator's argument.
	eval local home\; home="~$user"
	sudo adduser "$user" sudo
	# root-owned and 640: the user cannot edit (or read) their own authorized_keys; sshd,
	# running as root, can. Presumably intended so only this tool manages admin keys.
	sudo install -m 640 -u root -g root \
	"$tool"/var/pub/ssh/"$user".key \
	"$home"/etc/ssh/authorized_keys
	# `local -' restores shell options on return: globbing is re-enabled for this loop only.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	done
	rule user_admin_configure
}
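rule_user_mail_format () {
	# Per-user mail layout for new accounts (procmail delivery rc in ~/etc, Maildir in
	# ~/var/mail, cache in ~/var/cache) plus the site-wide postfix, dovecot and postgrey
	# configuration.
	# NOTE(review): these mk_dir/mk_reg calls are the last uses of those helpers in this
	# file; every other rule uses install(1) — confirm lib/rule.sh still provides them.
	mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
	mk_dir mod=770 own=root:adm /etc/skel/var/mail
	mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
	# The rc is a template written through an unquoted heredoc: `\$' keeps procmail's own
	# variables literal, and the backticks of the LOGFILE, EMAIL and FROM_ assignments are
	# escaped as well — unescaped, the shell would run ln/sed/formail on THIS machine while
	# writing the file (creating a symlink under the operator's \$HOME, baking the operator's
	# GECOS address into every new user's rc, and reading formail's input from this
	# script's stdin) instead of leaving them for procmail to run at delivery time.
	mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
	# vim: ft=procmail

	# NOTE: paramètres passés par postfix
	SENDER=\$1
	RECIPIENT=\$2
	USER=\$3
	EXTENSION=\$4
	DOMAIN=\$5
	ORIGINAL_RECIPIENT=\$6

	PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
	MAILDIR="\$HOME/var/mail/"
	DEFAULT="\$MAILDIR"
	#LOGFILE=\`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"\`
	LOGFILE="/dev/null"
	LOGABSTRACT=all
	LOGABSTRACT
	VERBOSE
	SHELL=/bin/sh
	SHELLMETAS=&|<>~;?*%{}

	# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
	#:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
	#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"

	# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
	EMAIL=\`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"\`
	# NOTE: récupère l’adresse courriel dans le champ GECOS
	FROM_=\`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'\`
	# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
	:0
	| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"

	# DESCRIPTION: IMAP
	#:0
	#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"

	# DESCRIPTION: UUCP
	#:0
	#| /usr/bin/uux \
	# -I "\$HOME/etc/uucp/uucp.cfg" \
	# --nouucico \
	# --notification=error \
	# --requestor "\$USER" \
	# - "\$USER!rmail" "(\$USER)"
	EOF
	# Postfix main.cf. Multi-line values continue on lines that start with whitespace
	# (postconf(5)); `<<-' strips only leading tabs, so the two-space indents below survive.
	# Delivery goes through procmail (mailbox_command) with the delivery.rc written above.
	# NOTE(review): smtp_tls_fingerprint_digest / smtpd_tls_fingerprint_digest = sha1 and
	# smtpd_tls_mandatory_protocols = TLSv1 (in this list form: TLS 1.0 only) are weak by
	# current standards; the author's own `# sha512 ?' question below is still open.
	mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
	# /etc/postfix/main.cf
	# SEE: http://postfix.traduc.org/index.php/TLS_README.html

	parent_domain_matches_subdomains =
	#debug_peer_list
	#fast_flush_domains
	#mynetworks
	#permit_mx_backup_networks
	#qmqpd_authorized_clients
	#smtpd_access_maps
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination =
	  $vm_hostname
	  \$myhostname
	  \$myorigin
	mynetworks =
	  127.0.0.0/8
	#[::1]/128
	inet_protocols = ipv4
	# "all" to activate IPv6
	inet_interfaces = all
	permit_mx_backup_networks =

	alias_database =
	  hash:/etc/aliases
	# NOTE: fichier de hash contenant une table d’alias mail.
	# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
	# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
	alias_maps =
	  hash:/etc/aliases
	recipient_delimiter = +
	# NOTE: séparateur entre le nom d’utilisateur
	# et les extensions d’adresse (par défaut le signe +).
	#virtual_alias_domains =
	virtual_alias_maps =
	  hash:/etc/postfix/\$mydomain/virtual
	# NOTE: do not specify virtual alias domain names in the main.cf
	# mydestination or relay_domains configuration parameters.
	#
	# With a virtual alias domain, the Postfix SMTP server
	# accepts mail for known-user@virtual-alias.domain, and
	# rejects mail for unknown-user@virtual-alias.domain as
	# undeliverable.
	#relayhost =
	relay_clientcerts =
	  hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
	relay_domains =
	  \$mydestination
	# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
	# pas dans mydestination ou virtual_alias...

	maximal_queue_lifetime = 5d

	header_checks =
	  regexp:/etc/postfix/\$mydomain/header_checks
	mime_header_checks =
	nested_header_checks =
	milter_header_checks =
	body_checks =

	#content_filter = amavisfeed:[127.0.0.1]:10024
	#receive_override_options = no_address_mappings
	# no_unknown_recipient_checks
	# Do not try to reject unknown recipients (SMTP server only).
	# This is typically specified AFTER an external content filter.
	# no_address_mappings
	# Disable canonical address mapping, virtual alias map expansion,
	# address masquerading, and automatic BCC (blind carbon-copy) recipients.
	# This is typically specified BEFORE an external content filter (eg. amavis).
	# no_header_body_checks
	# Disable header/body_checks. This is typically specified AFTER an external content filter.
	# no_milters
	# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
	#local_header_rewrite_clients =
	transport_maps =
	  hash:/etc/postfix/\$mydomain/transport_maps
	mailbox_command =
	  /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
	mailbox_size_limit = 0
	biff = no
	# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
	append_dot_mydomain = no
	# appending .domain is the MUA's job.

	#tls_random_source =
	# dev:/dev/urandom
	# Non-blocking
	#tls_random_reseed_period = 3600s
	#tls_random_exchange_name =
	# \${data_directory}/prng_exch
	# NOTE: à ne pas mettre dans la cage chroot
	#tls_random_bytes = 32
	#tls_random_prng_update_period = 3600s
	#tls_high_cipherlist = AES256-SHA
	# NOTE: postconf(5) déconseille de changer ceci

	#smtp_cname_overrides_servername = no
	smtp_connect_timeout = 60s
	#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
	#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
	#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
	#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
	#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
	# NOTE: déprécié en faveur de smtp_tls_policy_maps
	smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
	smtp_tls_fingerprint_digest = sha1
	smtp_tls_scert_verifydepth = 5
	#smtp_tls_secure_cert_match = nexthop, dot-nexthop
	#smtp_tls_verify_cert_match = hostname
	#smtp_tls_note_starttls_offer = yes
	smtp_tls_loglevel = 1
	smtp_tls_protocols = !SSLv2, !SSLv3
	# Only allow TLSv*
	smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
	#smtp_tls_session_cache_timeout = 3600s
	smtp_tls_security_level = may
	smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
	smtp_body_checks =
	smtp_mime_header_checks =
	smtp_nested_header_checks =

	smtpd_starttls_timeout = 300s
	smtpd_banner =
	  \$myhostname ESMTP \$mail_name (Debian/GNU)

	# Restrictions
	smtpd_helo_required = yes
	strict_rfc821_envelopes = yes
	smtpd_authorized_xclient_hosts = 127.0.0.1
	# NOTE: utile pour tester les restrictions

	smtpd_helo_restrictions =
	  reject_invalid_helo_hostname
	  reject_non_fqdn_helo_hostname
	#reject_unknown_helo_hostname
	# NOTE: pourrait pourtant être utile pour lutter contre le spam
	  permit

	smtpd_sender_restrictions =
	  permit_mynetworks
	  permit_tls_clientcerts
	  permit_sasl_authenticated
	  check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
	  check_sender_access hash:/etc/postfix/sender_blacklist
	  reject_unauth_pipelining
	  reject_non_fqdn_sender
	#reject_unknown_sender_domain
	# NOTE: temporaire
	  permit

	smtpd_client_new_tls_session_rate_limit = 0
	smtpd_client_event_limit_exceptions = \$mynetworks
	smtpd_client_recipient_rate_limit = 0
	smtpd_client_connection_count_limit = 50
	smtpd_client_connection_rate_limit = 0
	smtpd_client_message_rate_limit = 0
	smtpd_client_port_logging = no

	smtpd_client_restrictions =
	  check_client_access hash:/etc/postfix/client_blacklist

	policy_time_limit = 3600
	default_extra_recipient_limit = 5000
	duplicate_filter_limit = 5000
	smtpd_recipient_limit = 5000
	smtpd_recipient_overshoot_limit = 5000
	smtpd_recipient_restrictions =
	  reject_non_fqdn_recipient
	#reject_invalid_hostname
	# NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
	# dans smtpd_helo_restrictions
	  reject_unknown_recipient_domain
	#reject_non_fqdn_sender
	# NOTE: dans smtpd_sender_restrictions
	  reject_unauth_pipelining
	# NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
	  permit_mynetworks
	  permit_tls_clientcerts
	  permit_sasl_authenticated
	  reject_unauth_destination
	# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
	# ou quelqu'un pour lequel on tient lieu de backup_mx
	  check_policy_service inet:127.0.0.1:10023
	# NOTE: Postgrey (greylisting)
	  check_policy_service unix:private/spfcheck
	  permit_auth_destination
	# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
	# (voir permit_auth_destination) ; sans doute redondant
	  reject
	#check_relay_domains <- removed from postfix
	#reject_unknown_sender_domain
	# aurait probablement été mieux dans smtpd_sender_restrictions
	#reject_rbl_client bl.spamcop.net
	#reject_rbl_client list.dsbl.org
	#reject_rbl_client zen.spamhaus.org
	#reject_rbl_client dnsbl.sorbs.net

	smtpd_data_restrictions =
	  reject_unauth_pipelining
	# NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
	  permit

	#smtpd_end_of_data_restrictions =

	#smtpd_restriction_classes =

	smtpd_error_sleep_time = 5
	# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.

	# SASL
	smtpd_sasl_auth_enable = yes
	smtpd_sasl_type = dovecot
	smtpd_sasl_path = private/auth
	smtpd_sasl_security_options = noanonymous
	smtpd_sasl_domain = \$mydomain

	# SMTPD TLS
	smtpd_discard_ehlo_keywords = starttls
	# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
	# se mangent une erreur en tentant un starttls
	smtpd_tls_fingerprint_digest = sha1
	# sha512 ?
	smtpd_tls_mandatory_protocols = TLSv1
	smtpd_tls_mandatory_ciphers = high
	smtpd_tls_ciphers = high
	# restrictif. s/high/medium/ ?
	smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
	smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
	smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
	smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
	##
	#smtpd_tls_received_header = no
	smtpd_tls_session_cache_database =
	  btree:/var/lib/postfix/smtpd_tls_session_cache
	#smtpd_tls_session_cache_timeout = 3600s
	smtpd_tls_security_level = may
	# Postfix 2.3 and later
	# encrypt
	# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
	# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
	# SMTP server. Instead, this option should be used only on dedicated servers.
	smtpd_tls_loglevel = 1
	smtpd_tls_ccert_verifydepth = 5
	smtpd_tls_auth_only = yes
	# Pas d'AUTH SASL sans TLS
	smtpd_tls_ask_ccert = no
	smtpd_tls_req_ccert = no
	#smtpd_tls_always_issue_session_ids = yes
	smtpd_peername_lookup = yes
	# Nécessaire pour postgrey, etc
	smtpd_milters =
	non_smtpd_milters =
	line_length_limit = 2048
	queue_minfree = 0
	message_size_limit = 20480000
	#smtpd_enforce_tls # NOTE: obsolète
	#smtpd_use_tls # NOTE: obsolète
	#smtpd_tls_cipherlist # NOTE: obsolète

	readme_directory = no
	#delay_warning_time = 4h
	# NOTE: uncomment the previous line to generate "delayed mail" warnings
	#debug_peer_level = 4
	#debug_peer_list = .\$myhostname
	EOF
	# Dovecot: IMAP only, client certificates required (ssl_verify_client_cert), per-user
	# passwd-file under ~/etc/dovecot, and the SASL socket postfix's smtpd_sasl_path uses.
	# NOTE(review): ssl_cipher_list = AES256-SHA pins a single suite without forward
	# secrecy; mail_debug = yes and verbose_ssl = yes are verbose for production logs.
	mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail
	mail_privileged_group = mail
	passdb {
	args = /home/%u/etc/dovecot/passwd
	driver = passwd-file
	}
	protocols = imap
	service auth {
	unix_listener /var/spool/postfix/private/auth {
	group = postfix
	mode = 0660
	user = postfix
	}
	user = root
	}
	ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
	ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
	ssl_cipher_list = AES256-SHA
	ssl_key = </etc/dovecot/imap/tls/key.pem
	ssl_verify_client_cert = yes
	userdb {
	driver = passwd
	}
	verbose_ssl = yes
	protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	hostname = $vm_domainname
	info_log_path = /var/log/dovecot/lda/info.log
	log_path = /var/log/dovecot/lda/error.log
	mail_plugins = sieve
	postmaster_address = contact+dovecot+lda@$vm_domainname
	}
	EOF
	# Empty local postgrey recipient whitelist (postgrey is the policy service on 10023 above).
	mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
	EOF
}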
rule_mail_configure () {
	# Install the mail stack whose configuration rule_user_mail_format writes.
	# NOTE(review): unlike the other rules this calls apt-get directly instead of
	# `rule apt_get_install'; also confirm `dovecot' is an installable package name on the
	# target release (Debian ships dovecot-core / dovecot-imapd).
	local packages
	packages='postfix postgrey dovecot'
	# shellcheck disable=SC2086 — word splitting is intended; globbing is off (set -f)
	sudo apt-get install $packages
}
866
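# Dispatch: the first argument names the rule (default: help); the rest are its arguments.
rule=${1:-help}
${1+shift}
# Every rule but help is refused unless this host's FQDN is the one etc/vm.sh describes,
# so the tool cannot rewrite another machine's /etc by mistake (assert comes from lib/rule.sh).
case $rule in
(help);;
(*)
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
	;;
esac
# Quoted so the rule name is always passed as a single word (globbing is already off, -f).
rule "$rule" "$@"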