Correction : vm_hosted : test while.
#!/bin/sh
# vm_hosted: administration rules for the hosted VM, run from inside it.
# Strict mode: exit on error, no globbing, unset variables are errors.
# DRY_RUN=<anything> turns on -n (parse only, execute nothing); it is
# expanded unquoted on purpose so that it disappears when unset.
set -e -f ${DRY_RUN:+-n} -u
# Directory this script lives in (assumes $0 carries a path component).
tool="${0%/*}"
# Shared helpers and the VM's settings; presumably where mk_reg/mk_dir/
# mk_lnk/rule/assert and the $vm_* variables come from — confirm in lib/.
. "${tool}/lib/functions.sh"
. "${tool}/etc/vm.sh"
6
rule_help () { # SYNTAX: [--hidden]
  # Print the usage text on stderr. The RULES list is scraped from this
  # file and etc/vm.sh with sed; without an argument (--hidden absent),
  # rules whose name starts with '_' are left out of the list.
  local hidden
  hidden=
  case "${1:-}" in
    ('') hidden=set ;;
  esac
  cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil et de documentation.
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
23
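rule_git_config () {
  # Make the checkout's master branch track the checkout itself ('.') and
  # merge refs/remotes/master. Runs in a subshell so the cd does not leak.
  (
    cd "$tool"
    # Spelled out as --replace-all: the original relied on git's
    # unique-prefix abbreviation (--replace), which stops working as soon
    # as another --replace* option exists.
    git config --replace-all branch.master.remote .
    git config --replace-all branch.master.merge refs/remotes/master
  )
}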
rule_git_reset () {
  # Hard reset of the checkout to origin, then removal of every untracked
  # AND ignored file (-x): anything kept locally under $tool that is not
  # committed is lost. Destructive by design.
  ( cd "$tool" && git checkout -f -B master origin && git clean -f -d -x )
}
38
rule_chrooted () {
  # Prepare a shell inside the chroot: force the C locale (no locale has
  # been generated yet, see rule_locale_init) and load /etc/profile.
  LANG=C; export LANG
  LC_CTYPE=C; export LC_CTYPE
  . /etc/profile
}
44
rule_apt_init () {
# APT sources and pinning for the VM's Debian release ($vm_lsb_name).
# mod= own= leaves mode and owner to mk_reg's defaults (presumably — see lib/functions.sh).
mk_reg mod= own= /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
# The backports source is written commented out; the pinning below still refers to it.
mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
# Backports (200) are pinned above the release itself (170). Both are below 500,
# so an already-installed newer version is kept — confirm this is the intent.
mk_reg mod= own= /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
# Third-party nightly repository over plain http; no signing key is installed
# here, so APT will presumably refuse it until the key is added — confirm.
mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
}
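rule_apticron_init () {
  # Install apticron (mails the list of pending updates) and configure it.
  sudo apt-get install --reinstall apticron
  # The original wrote this block to /etc/default/grub, overwriting the
  # GRUB settings that rule_boot_init writes there; apticron reads
  # /etc/apticron/apticron.conf.
  mk_reg mod=644 own=root:root /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@heureux-cyclage.org"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
EOF
  sudo service apticron restart
}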
rule_boot_init () {
# Boot loader and kernel for a Xen PV guest (console=hvc0, xvda), then the initramfs.
sudo apt-get install --reinstall grub-pc # XXX: be careful to install GRUB on NONE of the disks offered!
# mod=644 on a directory has no search bit; root is unaffected, but 755 is the usual value — confirm.
mk_dir mod=644 own=root:root /boot/grub
sudo apt-get install --reinstall linux-image-$vm_arch
# NOTE(review): resume= names ${vm}_swap_deciphered while crypttab (rule_filesystem_init)
# creates ${vm_lvm_lv}_swap_deciphered; they only match if $vm and $vm_lvm_lv are equal — confirm in etc/vm.sh.
# ip= configures the kernel network early so the initramfs dropbear is reachable.
mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
# Two (hd0) lines: the raw Xen disk and the host-side LVM mapping (LVM doubles '-' in names).
mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
rule initramfs_init
}
rule_etckeeper_init () {
# Track /etc in git through etckeeper; daily auto-commits are disabled so that
# each change is committed deliberately (see sudoers.d/etckeeper-unclean in rule_user_init).
mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
}
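rule_filesystem_init () {
  # fstab/crypttab for the LUKS-on-LVM layout (/dev/$vm_lvm_vg/${vm_lvm_lv}_*)
  # plus swap tuning. /tmp is a 200m tmpfs with nosuid,nodev (no noexec).
  mk_reg mod=644 own=root:root /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
  # Only the root volume takes a passphrase; var, home and swap derive their
  # keys from it with decrypt_derived, so a single secret unlocks all four.
  mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
  # sysctl.d(5) only documents whole-line comments: the original put the
  # swap note after the value ("10 # NOTE…"), which sysctl would hand to the
  # kernel as part of the value. The note is kept, on its own line.
  mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
# NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.swappiness = 10
vm.vfs_cache_pressure=50
EOF
}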
rule_initramfs_init () {
# Initramfs for a Xen PV guest with remote unlocking of the encrypted root:
# network + dropbear in the initramfs, host keys for "init.$vm_fqdn", and an
# authorized_keys built from every member of group sudo.
mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
# Crypto modules needed by LUKS (aes-xts with sha* key derivation) loaded at boot.
mk_reg mod=644 own=root:root /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
EOF
# Edits a dpkg-owned file: a later upgrade of initramfs-tools/dropbear will presumably undo this.
sudo sed -e '/^configure_networking /s/ &$//' \
-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
# NOTE: works around a bug: dropbear must wait until the network is configured..
sudo rm -f \
/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
# Generate a host key only if the repository's known_hosts has no entry of that
# type for init.$vm_fqdn. `return` inside the ( ) subshell ends the subshell with
# that status (the `break` after it is never reached); `exit 0`/`exit 1` would say the same.
# NOTE(review): the keys were just deleted above, so when known_hosts already has an
# entry nothing regenerates the key file — confirm what is expected to restore it.
ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" RSA") return 0; break;; esac
done; return 1 ) ||
sudo dropbearkey -t rsa -s 4096 -f \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
# NOTE(review): a 1024-bit DSA (dss) host key is weak and refused by default by
# current SSH clients; the RSA 4096 key above is the one worth keeping.
ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" DSA") return 0; break;; esac
done; return 1 ) ||
sudo dropbearkey -t dss -s 1024 -f \
/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
# mod=640 on directories lacks the search bit; root is unaffected, 700 is the usual choice — confirm.
mk_dir mod=640 own=root:root \
/etc/initramfs-tools/root \
/etc/initramfs-tools/root/.ssh
# Concatenate ~/etc/ssh/authorized_keys of every sudo member: each of them can
# then reach the initramfs over SSH and unlock the disk. The eval only does
# tilde expansion on a name read from getent (presumably constrained by adduser).
getent group sudo |
while IFS=: read -r group x x users
do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
do eval local home\; home="~$user"
cat "$home"/etc/ssh/authorized_keys
done
done |
mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
sudo rm -f \
/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
/etc/initramfs-tools/root/.ssh/id_rsa.pub \
/etc/initramfs-tools/root/.ssh/id_rsa
# NOTE: keys generated by Debian
sudo update-initramfs -u
}
rule_locale_init () {
# Generate the single fr_FR.UTF-8 locale and refresh /etc/default/locale.
mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
fr_FR.UTF-8 UTF-8
EOF
sudo update-locale
}
rule_login_init () {
# Console login on the Xen consoles, sysvinit inittab, login.defs and a umask PAM module.
# hvc0/xvc0 in securetty: root may log in on the hypervisor console. Appended only once.
grep -q '^hvc0$' /etc/securetty ||
mk_reg mod= own= --append /etc/securetty <<-EOF
hvc0
EOF
grep -q '^xvc0$' /etc/securetty ||
mk_reg mod= own= --append /etc/securetty <<-EOF
xvc0
EOF
# Stock Debian inittab with a getty on hvc0 instead of tty1-6; Ctrl-Alt-Del reboots.
mk_reg mod=644 own=root:root /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
# login.defs: UMASK 007 + USERGROUPS_ENAB (group-private files, ACL-friendly, see
# the notes inside), sbin/ on every user's PATH, SHA512 password hashes,
# 3 login retries, no password ageing (PASS_MAX_DAYS 99999).
mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
# pam_umask so the login.defs UMASK also applies to sessions opened through PAM.
# `\>` is a GNU grep extension. NOTE(review): pam-auth-update regenerates
# common-session and may drop a hand-appended line — confirm it survives.
grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
session optional pam_umask.so
EOF
}
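rule_network_init () {
  # Hostname, a loopback alias for the FQDN in /etc/hosts (appended once),
  # and a static /32 configuration for eth0 under the logical name grenode.
  mk_reg mod= own= /etc/hostname <<-EOF
$vm
EOF
  grep -q " $vm\$" /etc/hosts ||
  mk_reg mod= own= --append /etc/hosts <<-EOF
127.0.0.1 $vm_fqdn $vm
EOF
  # The gateway is the VM's own address; the host side answers with
  # proxy_arp (see the NOTE kept in the file). interfaces(5) documents only
  # whole-line comments, so the note is written on its own line rather than
  # after the gateway value, where ifupdown may read it as part of the value.
  mk_reg mod= own= /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
# NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
gateway $vm_ipv4
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
#mtu 1300
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}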
rule_user_init () {
# Skeleton for new accounts (config under ~/etc, state under ~/var), the SSH
# daemon (keys only, RSA host key only) and the sudo rules for admins.
mk_dir mod=750 own="root:adm" /etc/skel/etc
mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
mk_dir mod=700 own="root:adm" /etc/skel/var
mk_dir mod=700 own="root:adm" /etc/skel/var/log
mk_dir mod=700 own="root:adm" /etc/skel/var/cache
mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
mk_dir mod=700 own="root:adm" /etc/skel/tmp
# Duplicate of the line above (harmless).
mk_dir mod=700 own="root:adm" /etc/skel/tmp
mk_lnk etc/ssh /etc/skel/.ssh
# NOTE(review): no mk_dir for /etc/skel/etc/gpg here, so this link dangles
# in the skeleton — confirm mk_lnk tolerates that.
mk_lnk etc/gpg /etc/skel/.gnupg
# Generate the RSA host key only when the repository's known_hosts has no RSA entry
# for $vm_fqdn (`return` ends the ( ) subshell; `break` is never reached).
# NOTE(review): ssh-keygen -f on an existing key file prompts before overwriting — not
# usable unattended if Debian's generated key is still there.
ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" RSA") return 0; break;; esac
done; return 1 ) ||
sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
sudo rm -f \
/etc/ssh/ssh_host_dsa_key \
/etc/ssh/ssh_host_dsa_key.pub \
/etc/ssh/ssh_host_ecdsa_key \
/etc/ssh/ssh_host_ecdsa_key.pub
# NOTE: keys generated by Debian
# sshd: key authentication only (no passwords, no challenge-response), listening
# on $vm_ipv4, authorized keys under ~/etc/ssh. PermitRootLogin yes is key-only
# here; `without-password`/`prohibit-password` would state that explicitly.
# NOTE(review): ServerKeyBits, KeyRegenerationInterval, RSAAuthentication and
# RhostsRSAAuthentication are SSH-1 options; newer sshd versions reject unknown
# keywords and would refuse to start — confirm against the installed OpenSSH.
# mod=664 makes the file group-writable (group root); 644 is the usual mode.
mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
sudo service ssh restart
# sudoers.d (0440 as sudo requires): members of group sudo may, without a password,
# run exactly this sh -c command, which calls passwd for themselves only while
# their account is locked ("L" status) — this is what passwd-init below invokes.
# The argument must match the script's string byte for byte for sudo to accept it.
# NOTE(review): none of these files is checked with `visudo -c -f` before use;
# a syntax error in sudoers.d can lock everyone out of sudo.
mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
# Keeps the git identity across sudo so etckeeper commits are attributed.
# EDITOR is kept as well: a user-chosen editor then runs as root under sudo.
mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
# Wrapper letting a freshly created admin set their first password.
mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
#!/bin/sh
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
}
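rule_user_root_init () {
  # Root's config dirs under /root/etc with ~/.ssh and ~/.gnupg linked into
  # them, an authorized_keys aggregated from every member of group sudo, and
  # the project's OpenPGP public keys imported into root's keyring.
  mk_dir mod=750 own=root:root /root/etc
  mk_dir mod=750 own=root:root /root/etc/ssh
  mk_dir mod=750 own=root:root /root/etc/gpg
  mk_lnk etc/gpg /root/.gnupg
  mk_lnk etc/ssh /root/.ssh
  # Every sudo member's ~/etc/ssh/authorized_keys is concatenated into
  # root's: anyone in group sudo can log in directly as root over SSH.
  # The eval only performs tilde expansion on a name read from getent
  # (presumably constrained by adduser's name checks).
  getent group sudo |
  while IFS=: read -r group x x users
  do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
    do eval local home\; home="~$user"
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
  # The script runs under set -f (top of file), which made the pattern below
  # expand to the literal '*.key' and the import fail; re-enable globbing for
  # this function only, as rule_user_admin_add already does.
  local key; local -; set +f
  for key in "$tool"/var/pub/openpgp/*.key
  do sudo gpg --import "$key"
  done
}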
rule_bin_init () {
  # Expose this script system-wide by linking it into /usr/local/sbin.
  mk_lnk "${tool}/vm_hosted" /usr/local/sbin/
}
rule_init () {
  # First-time setup, in dependency order: etckeeper first so every later
  # change to /etc is tracked; boot_init after user_root_init because it
  # rebuilds the initramfs, which embeds the sudo members' SSH keys.
  # user_init, apticron_init and the mail rules are not part of it.
  local step
  for step in \
    etckeeper_init \
    locale_init \
    network_init \
    apt_init \
    filesystem_init \
    login_init \
    user_root_init \
    boot_init \
    bin_init
  do rule "$step"
  done
}
446
rule_disk_key_change () {
  # Interactively replace the passphrase of the root LUKS volume; the other
  # volumes derive their keys from it (see crypttab) and need no change.
  sudo cryptsetup luksChangeKey "/dev/${vm_lvm_vg}/${vm_lvm_lv}_root"
}
450
rule_user_admin_add () { # SYNTAX: $user
  # Create an admin account if needed (no password: the user sets it with
  # passwd-init, see rule_user_init), add it to group sudo, seed its
  # authorized_keys from var/pub/ssh/$user.key, then refresh the initramfs
  # and root's authorized_keys so the new admin can unlock the disk and log
  # in as root, and import the project's OpenPGP keys into its keyring.
  local user="$1"
  if ! id "$user" >/dev/null
  then sudo adduser --disabled-password "$user"
  fi
  # NOTE: the password must be initialised by the user with passwd-init .
  # Tilde expansion of the name through eval (presumably safe given adduser's name checks).
  eval local home\; home="~$user"
  sudo adduser "$user" sudo
  mk_reg mod=640 own="$user:$user" "$home"/etc/ssh/authorized_keys \
    <"$tool"/var/pub/ssh/"$user".key
  rule initramfs_init
  rule user_root_init
  # Globbing is off file-wide (set -f); restore it for this function only.
  local key; local -; set +f
  for key in "$tool"/var/pub/openpgp/*.key
  do sudo -u "$user" gpg --import "$key"
  done
}
rule_user_mail_format () {
# Mail layout for users: a per-user procmail delivery script in /etc/skel (new
# accounts inherit it), then the Postfix, Dovecot and Postgrey configuration it relies on.
mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
mk_dir mod=770 own=root:adm /etc/skel/var/mail
mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
# Procmail rc run by Postfix's mailbox_command (main.cf below) with the six
# positional arguments it expects. The only active recipe (":0" with no `c` flag)
# forwards every message to the address found in the GECOS field of /etc/passwd,
# keeping the original envelope sender (-f "$FROM_"): nothing is stored in the
# maildir, and the forwarded mail may fail SPF at the receiving side. Duplicate
# suppression, Dovecot deliver and UUCP recipes are left commented out; LOGFILE=/dev/null.
# NOTE(review): `${EMAIL/@/…}` is a bash/ksh substitution; with SHELL=/bin/sh
# (dash on Debian) it is a "Bad substitution" — confirm delivery really works.
mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
# vim: ft=procmail

# NOTE: paramètres passés par postfix
SENDER=\$1
RECIPIENT=\$2
USER=\$3
EXTENSION=\$4
DOMAIN=\$5
ORIGINAL_RECIPIENT=\$6

PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
MAILDIR="\$HOME/var/mail/"
DEFAULT="\$MAILDIR"
#LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
LOGFILE="/dev/null"
LOGABSTRACT=all
LOGABSTRACT
VERBOSE
SHELL=/bin/sh
SHELLMETAS=&|<>~;?*%{}

# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
#:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"

# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
# NOTE: récupère l’adresse courriel dans le champ GECOS
FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
:0
| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"

# DESCRIPTION: IMAP
#:0
#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"

# DESCRIPTION: UUCP
#:0
#| /usr/bin/uux \
# -I "\$HOME/etc/uucp/uucp.cfg" \
# --nouucico \
# --notification=error \
# --requestor "\$USER" \
# - "\$USER!rmail" "(\$USER)"
EOF
# Postfix main.cf. NOTE(review): values continued on following lines
# ("mydestination =" then the hosts) must start with whitespace for Postfix to
# read them as continuations; this listing shows none — verify the heredoc keeps
# a leading space after <<- strips the tabs.
# Security-relevant settings as written:
# - smtpd_discard_ehlo_keywords = starttls hides STARTTLS on this smtpd, while
#   smtpd_tls_auth_only = yes only allows AUTH over TLS: SASL AUTH is therefore
#   only reachable through a master.cf service overriding these (not shown) — confirm.
# - smtpd_tls_mandatory_protocols = TLSv1 is an inclusion list naming TLS 1.0 only,
#   unlike the exclusion form used for smtp_tls_protocols (!SSLv2, !SSLv3).
# - smtp_tls_fingerprint_digest and smtpd_tls_fingerprint_digest are sha1 (the
#   file itself asks "sha512 ?").
# - smtpd_recipient_restrictions rejects unauthorised destinations before the
#   Postgrey (127.0.0.1:10023) and SPF (unix:private/spfcheck) policy services,
#   so the server is not an open relay. smtpd_error_sleep_time = 5 throttles abusers.
# - mod=664: group-writable by group root; 644 is the usual mode.
mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
# /etc/postfix/main.cf
# SEE: http://postfix.traduc.org/index.php/TLS_README.html

parent_domain_matches_subdomains =
#debug_peer_list
#fast_flush_domains
#mynetworks
#permit_mx_backup_networks
#qmqpd_authorized_clients
#smtpd_access_maps
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination =
$vm_hostname
\$myhostname
\$myorigin
mynetworks =
127.0.0.0/8
#[::1]/128
inet_protocols = ipv4
# "all" to activate IPv6
inet_interfaces = all
permit_mx_backup_networks =

alias_database =
hash:/etc/aliases
# NOTE: fichier de hash contenant une table d’alias mail.
# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
alias_maps =
hash:/etc/aliases
recipient_delimiter = +
# NOTE: séparateur entre le nom d’utilisateur
# et les extensions d’adresse (par défaut le signe +).
#virtual_alias_domains =
virtual_alias_maps =
hash:/etc/postfix/\$mydomain/virtual
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
#relayhost =
relay_clientcerts =
hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
relay_domains =
\$mydestination
# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
# pas dans mydestination ou virtual_alias...

maximal_queue_lifetime = 5d

header_checks =
regexp:/etc/postfix/\$mydomain/header_checks
mime_header_checks =
nested_header_checks =
milter_header_checks =
body_checks =

#content_filter = amavisfeed:[127.0.0.1]:10024
#receive_override_options = no_address_mappings
# no_unknown_recipient_checks
# Do not try to reject unknown recipients (SMTP server only).
# This is typically specified AFTER an external content filter.
# no_address_mappings
# Disable canonical address mapping, virtual alias map expansion,
# address masquerading, and automatic BCC (blind carbon-copy) recipients.
# This is typically specified BEFORE an external content filter (eg. amavis).
# no_header_body_checks
# Disable header/body_checks. This is typically specified AFTER an external content filter.
# no_milters
# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
#local_header_rewrite_clients =
transport_maps =
hash:/etc/postfix/\$mydomain/transport_maps
mailbox_command =
/usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
mailbox_size_limit = 0
biff = no
# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
append_dot_mydomain = no
# appending .domain is the MUA's job.

#tls_random_source =
# dev:/dev/urandom
# Non-blocking
#tls_random_reseed_period = 3600s
#tls_random_exchange_name =
# \${data_directory}/prng_exch
# NOTE: à ne pas mettre dans la cage chroot
#tls_random_bytes = 32
#tls_random_prng_update_period = 3600s
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) déconseille de changer ceci

#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
# NOTE: déprécié en faveur de smtp_tls_policy_maps
smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
smtp_tls_fingerprint_digest = sha1
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
#smtp_tls_verify_cert_match = hostname
#smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
# Only allow TLSv*
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
smtp_tls_security_level = may
smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
smtp_body_checks =
smtp_mime_header_checks =
smtp_nested_header_checks =

smtpd_starttls_timeout = 300s
smtpd_banner =
\$myhostname ESMTP \$mail_name (Debian/GNU)

# Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_authorized_xclient_hosts = 127.0.0.1
# NOTE: utile pour tester les restrictions

smtpd_helo_restrictions =
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
#reject_unknown_helo_hostname
# NOTE: pourrait pourtant être utile pour lutter contre le spam
permit

smtpd_sender_restrictions =
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
check_sender_access hash:/etc/postfix/sender_blacklist
reject_unauth_pipelining
reject_non_fqdn_sender
#reject_unknown_sender_domain
# NOTE: temporaire
permit

smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_event_limit_exceptions = \$mynetworks
smtpd_client_recipient_rate_limit = 0
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_client_port_logging = no

smtpd_client_restrictions =
check_client_access hash:/etc/postfix/client_blacklist

policy_time_limit = 3600
default_extra_recipient_limit = 5000
duplicate_filter_limit = 5000
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
#reject_invalid_hostname
# NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
# dans smtpd_helo_restrictions
reject_unknown_recipient_domain
#reject_non_fqdn_sender
# NOTE: dans smtpd_sender_restrictions
reject_unauth_pipelining
# NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
reject_unauth_destination
# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
# ou quelqu'un pour lequel on tient lieu de backup_mx
check_policy_service inet:127.0.0.1:10023
# NOTE: Postgrey (greylisting)
check_policy_service unix:private/spfcheck
permit_auth_destination
# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
# (voir permit_auth_destination) ; sans doute redondant
reject
#check_relay_domains <- removed from postfix
#reject_unknown_sender_domain
# aurait probablement été mieux dans smtpd_sender_restrictions
#reject_rbl_client bl.spamcop.net
#reject_rbl_client list.dsbl.org
#reject_rbl_client zen.spamhaus.org
#reject_rbl_client dnsbl.sorbs.net

smtpd_data_restrictions =
reject_unauth_pipelining
# NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
permit

#smtpd_end_of_data_restrictions =

#smtpd_restriction_classes =

smtpd_error_sleep_time = 5
# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.

# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_domain = \$mydomain

# SMTPD TLS
smtpd_discard_ehlo_keywords = starttls
# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
# se mangent une erreur en tentant un starttls
smtpd_tls_fingerprint_digest = sha1
# sha512 ?
smtpd_tls_mandatory_protocols = TLSv1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
# restrictif. s/high/medium/ ?
smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
##
#smtpd_tls_received_header = no
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_security_level = may
# Postfix 2.3 and later
# encrypt
# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
# SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_loglevel = 1
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_auth_only = yes
# Pas d'AUTH SASL sans TLS
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
#smtpd_tls_always_issue_session_ids = yes
smtpd_peername_lookup = yes
# Nécessaire pour postgrey, etc
smtpd_milters =
non_smtpd_milters =
line_length_limit = 2048
queue_minfree = 0
message_size_limit = 20480000
#smtpd_enforce_tls # NOTE: obsolète
#smtpd_use_tls # NOTE: obsolète
#smtpd_tls_cipherlist # NOTE: obsolète

readme_directory = no
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
#debug_peer_level = 4
#debug_peer_list = .\$myhostname
EOF
# Dovecot: IMAP only; credentials come from a per-user passwd-file under
# /home/%u/etc/dovecot/passwd (each user manages their own); a client certificate
# is required (ssl_verify_client_cert = yes) and may supply the login name
# (auth_ssl_username_from_cert). The auth socket under /var/spool/postfix/private/auth
# is the one Postfix uses for SASL (smtpd_sasl_path = private/auth above).
# NOTE(review): ssl_cipher_list pins a single non-PFS suite (AES256-SHA) and
# mail_debug = yes logs verbosely — both worth revisiting.
mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = root
}
ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/imap/tls/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = yes
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path = /var/log/dovecot/lda/info.log
log_path = /var/log/dovecot/lda/error.log
mail_plugins = sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
}
EOF
# Empty local Postgrey recipient whitelist, to be filled by hand.
mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
}
rule_mail_init () {
  # Install the mail stack configured by rule_user_mail_format:
  # Postfix (MTA), Postgrey (greylisting policy) and Dovecot (IMAP/SASL).
  sudo apt-get install \
    postfix \
    postgrey \
    dovecot
}
831
# Dispatch: the first argument names the rule (default: help), the rest is
# handed to it. Every rule but help first asserts that we really run on the
# hosted VM (hostname --fqdn must equal $vm_fqdn) since the rules rewrite
# /etc, and honours TRACE by echoing commands (set -x).
rule="${1:-help}"
if [ $# -gt 0 ]
then shift
fi
if [ "$rule" != help ]
then
  assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
  ${TRACE:+set -x}
fi
rule "$rule" "$@"