Ajout : rule_mail_configure .
#!/bin/sh
# vm_hosted: rules to administer the VM from inside the hosted VM itself
# (run with no argument, or with "help", for the list of rules).
# -f turns globbing off for the whole script; rules that need it re-enable
# it locally. A non-empty DRY_RUN adds -n: the script is parsed, not run.
set -e -f ${DRY_RUN:+-n} -u
tool="${0%/*}"
. "$tool/lib/rule.sh"
. "$tool/etc/vm.sh"
6
rule_help () { # SYNTAX: [--hidden]
  # Print the usage text on stderr. The RULES section is scraped with sed
  # from the "rule_NAME () { # ..." definition lines of etc/vm.sh and of this
  # script, and the ENVIRONMENT section from its "readonly NAME...}" lines,
  # so every rule must keep that one-line layout. Rules whose name starts
  # with "_" are listed only when an argument (conventionally --hidden) is given.
  local hidden
  if [ -z "${1:-}" ]; then
    hidden=set
  fi
  cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
24
rule_git_config () {
  # Configure the checkout in $tool so that its master branch tracks the
  # local remote-tracking ref refs/remotes/master (remote "." = this repo).
  (
    cd "$tool" &&
    git config --replace branch.master.remote . &&
    git config --replace branch.master.merge refs/remotes/master
  )
}
rule_git_reset () {
  # Hard-reset the checkout in $tool: force master onto remotes/master and
  # delete every untracked file, directory and ignored file (git clean -x).
  (
    cd "$tool" &&
    git checkout -f -B master remotes/master &&
    git clean -f -d -x
  )
}
39
rule_apt_get_install () { # SYNTAX: $package
  # Install the given package(s) with apt-get unless dpkg already reports
  # the first one as installed; every argument is passed on to apt-get.
  local status
  status=$(dpkg -s "$1" 2>/dev/null | grep '^Status: ') || status=
  if [ "$status" != "Status: install ok installed" ]; then
    # etckeeper refuses to let apt run while /etc has uncommitted changes;
    # say so beforehand so the failure is not a surprise.
    if test -x /usr/bin/etckeeper && sudo etckeeper unclean; then
      warn "/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again."
    fi
    sudo apt-get install "$@"
  fi
}
50
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
  # Hidden rule (leading "_"): force a C locale and re-read /etc/profile in
  # the current shell — presumably for use inside a chroot of the VM.
  export LANG=C LC_CTYPE=C
  . /etc/profile
}
56
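rule_apt_configure () {
  # Write the APT sources (main release, backports commented out, OpenERP
  # nightly) and the pinning preferences (see apt_preferences(5)).
  # NOTE: install(1) takes the owner with -o, as the dovecot/postfix rules
  # already do; the former "-u root" is not an option of GNU install.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
  # NOTE(review): this file lives directly in /etc/apt, not in sources.list.d,
  # so apt does not read it — confirm that is intended (the entry is disabled anyway).
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
  # Third-party nightly repository fetched over plain http: integrity rests
  # on apt's signature check of the Release file.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
}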
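rule_apticron_configure () {
  # Install apticron and make it mail pending updates to admin@$vm_domainname;
  # the other settings are left at their defaults (commented out).
  # NOTE: install(1) takes the owner with -o ("-u" is not an install option).
  rule apt_get_install apticron
  sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}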
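rule_boot_configure () {
  # Install GRUB and the kernel, write /etc/default/grub (Xen console, static
  # ip= and resume device on the kernel command line) and the device map of
  # the Xen block device, then regenerate grub.cfg and the initramfs.
  # NOTE: install(1) takes the owner with -o ("-u" is not an install option).
  warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
  rule apt_get_install grub-pc
  # A directory needs its x bits to be searchable: 755 is the usual mode of
  # /boot/grub (the former 644 only worked because root bypasses it).
  sudo install -d -m 755 -o root -g root /boot/grub
  rule apt_get_install "linux-image-$vm_arch"
  # NOTE(review): resume= names ${vm}_swap_deciphered while fstab/crypttab
  # (rule_filesystem_configure) name ${vm_lvm_lv}_swap_deciphered — confirm
  # $vm and $vm_lvm_lv are the same.
  sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
  # device-mapper doubles every "-" of a VG/LV name in /dev/mapper, hence the sed.
  sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g')
EOF
  sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
  rule initramfs_configure
}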
rule_dovecot_configure () {
  # Install Dovecot (IMAP, Sieve, managesieve) and write its local.conf:
  # per-user passwd-file authentication, Maildir under ~/var/mail with
  # INDEX/CONTROL on separate directories, Sieve, an LDA reachable by
  # Postfix through the auth socket, and TLS with a mandatory client
  # certificate. Also installs the dovecot-passwd helper for users.
  local hint="run vm_remote dovecot_key_send before"
  local x509=/etc/dovecot/$vm_domainname/imap/x509
  rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
  # The private key is pushed from the host beforehand (vm_remote).
  assert "test -f $x509/key.pem" hint
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
    "$x509"/crt+crl.self-signed.pem
  sudo install -d -m 770 -o root -g adm \
    /etc/skel/etc/mail \
    /etc/skel/etc/sieve
  # World-writable with the sticky bit: presumably so that each user's %u
  # subdirectory can be created on first use — TODO confirm.
  sudo install -d -m 1777 -o root -g root \
    /var/lib/dovecot-control \
    /var/lib/dovecot-index
  # NOTE(review): ssl_cipher_list below pins the single suite AES256-SHA
  # (RSA key exchange, no forward secrecy); revisit when the clients allow.
  sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = <$x509/crt+crl.self-signed.pem
ssl_cert = <$x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = <$x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
  # Helper run by each user: prompts doveadm for a password and stores the
  # SHA512-CRYPT hash in ~/etc/dovecot/passwd (the passdb file above).
  sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
  # Empty local recipient whitelist for postgrey (kept here as in the original).
  sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
  sudo service dovecot restart
}
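rule_etckeeper_configure () {
  # Write etckeeper's configuration (git, no daily autocommit, no commit
  # before apt runs) and only then install the package, so that the first
  # run already uses these settings.
  # NOTE: install(1) takes the owner with -o ("-u" is not an install option).
  sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
  rule apt_get_install etckeeper
}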
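rule_filesystem_configure () {
  # Write fstab, crypttab (LUKS volumes on LVM; var/home/swap derive their
  # key from the root volume) and the swap-related sysctl settings.
  # NOTE: install(1) takes the owner with -o ("-u" is not an install option).
  sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
  # sysctl.conf(5) only treats lines *starting* with "#" as comments: a
  # trailing "# ..." would be handed to the kernel as part of the value,
  # so the note is on its own line.
  sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
# NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.swappiness = 10
vm.vfs_cache_pressure=50
EOF
}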
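rule_initramfs_configure () {
  # Configure initramfs-tools for the Xen PV guest: module lists, the
  # dropbear init-premount script, a persistent RSA host key for dropbear,
  # the authorized keys of every "sudo" group member for the initramfs
  # root account, then rebuild the initramfs.
  # NOTE: install(1) takes the owner with -o ("-u" is not an install option).
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
EOF
  # NOTE: works around a bug: dropbear must wait for the network to be
  # configured, so configure_networking is no longer backgrounded ("&").
  sudo sed -e '/^configure_networking /s/ &$//' \
    -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
  # (Re)generate a 4096-bit RSA dropbear host key unless known_hosts already
  # holds an RSA entry for init.$vm_fqdn (a line of the ssh-keygen -F output
  # ending in " RSA" — presumably a fingerprint line; confirm with the
  # installed ssh-keygen). "exit" leaves the subshell, like the former "return".
  if ! ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
    ( while IFS= read -r line
      do case $line in (*" RSA") exit 0;; esac
      done; exit 1 )
  then
    sudo rm -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
    sudo dropbearkey -t rsa -s 4096 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
  fi
  # NOTE: dropbear_dss_host_key is left alone; Debian generates and uses it anyway.
  # Root-only directories (a directory needs x to be searchable; the former
  # 640 only worked because root bypasses permission checks).
  sudo install -d -m 700 -o root -g root \
    /etc/initramfs-tools/root \
    /etc/initramfs-tools/root/.ssh
  # Concatenate the authorized_keys of every member of the "sudo" group.
  # The home directory comes from the passwd database instead of an
  # eval'ed "~$user", so the user name is never parsed as shell code;
  # ${home:?} aborts on an unknown user instead of reading "/etc/ssh/...".
  # Globbing is off (set -f), so "$users" is only word-split on ",".
  getent group sudo |
  while IFS=: read -r _group _passwd _gid users; do
    IFS=,
    for user in $users; do
      home=$(getent passwd "$user" | cut -d: -f6)
      cat "${home:?no home directory found for $user}"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
  # NOTE: key pair generated by Debian's dropbear package, not wanted here.
  sudo rm -f \
    /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
    /etc/initramfs-tools/root/.ssh/id_rsa.pub \
    /etc/initramfs-tools/root/.ssh/id_rsa
  sudo update-initramfs -u
}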
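rule_locale_configure () {
  # Generate only the fr_FR.UTF-8 locale and refresh /etc/default/locale.
  # NOTE: install(1) takes the owner with -o ("-u" is not an install option).
  sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen <<-EOF
fr_FR.UTF-8 UTF-8
EOF
  sudo update-locale
}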
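rule_login_configure () {
  # Console and login policy: allow root on the Xen consoles (securetty),
  # sysvinit inittab with a getty on hvc0, login.defs (umask 007, SHA512
  # passwords, sbin in every user's PATH) and pam_umask in common-session.
  # NOTE: install(1) takes the owner with -o ("-u" is not an install option).
  grep -q '^hvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
  grep -q '^xvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
  # pam_umask makes the UMASK of login.defs apply to PAM sessions too.
  grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
}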
rule_procmail_configure () {
  # Install procmail and seed /etc/skel with the per-user mail layout
  # (etc/mail, var/cache/mail, var/log/mail, var/mail) and the delivery recipe.
  local skel=/etc/skel
  rule apt_get_install procmail
  sudo install -d -m 770 -o root -g adm \
    "$skel"/etc/mail \
    "$skel"/var/cache/mail \
    "$skel"/var/log/mail \
    "$skel"/var/mail
  sudo install -m 660 -o root -g adm \
    "$tool"/etc/skel/etc/mail/delivery.procmailrc \
    "$skel"/etc/mail/delivery.procmailrc
}
rule_postgrey_configure () {
  # Install postgrey (the greylisting policy server used by Postfix) and
  # restart it so that it picks up its whitelist files.
  rule apt_get_install postgrey
  sudo service postgrey restart
}
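rule_postfix_configure () {
  # Install Postfix and deploy its configuration from $tool: the SMTP
  # server's TLS material, aliases, the lookup tables (postmap'ed), main.cf
  # (generated site header + static etc/postfix/main.cf) and master.cf,
  # then restart the service.
  # NOTE: the source files are taken under "$tool", as the other rules do,
  # so the rule no longer depends on the current directory; the duplicated
  # "install -d" and crt+crl install of the original were dropped.
  local hint="run vm_remote postfix_key_send before"
  local conf=/etc/postfix/$vm_domainname
  local src="$tool"/etc/postfix/$vm_domainname
  local table
  # The private key is pushed from the host beforehand (vm_remote).
  assert "test -f $conf/smtpd/x509/key.pem" hint
  warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
  rule apt_get_install postfix
  sudo install -d -m 770 -o root -g root \
    "$conf"/ \
    "$conf"/smtp \
    "$conf"/smtp/x509 \
    "$conf"/smtp/x509/ca \
    "$conf"/smtpd \
    "$conf"/smtpd/x509 \
    "$conf"/smtpd/x509/ca
  # The self-signed certificate is its own CA.
  sudo ln -fns \
    ../crt+crl.self-signed.pem \
    "$conf"/smtpd/x509/ca/crt.pem
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
    "$conf"/smtpd/x509/crt+crl.self-signed.pem
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/service/smtpd/crt.pem \
    "$conf"/smtpd/x509/crt.pem
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/service/smtpd/crt+root.pem \
    "$conf"/smtpd/x509/crt+root.pem
  sudo install -m 660 -o root -g root \
    "$src"/header_checks \
    "$conf"/header_checks
  sudo install -m 660 -o root -g root \
    "$src"/smtp/header_checks \
    "$conf"/smtp/header_checks
  sudo install -m 664 -o root -g root \
    "$tool"/etc/aliases \
    /etc/aliases
  sudo newaliases
  # main.cf = site-specific header generated here, followed by the static part.
  cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination = $vm_hostname \$myhostname \$myorigin
EOF
  sudo install -m 664 -o root -g root /dev/stdin \
    /etc/postfix/main.cf
  sudo install -m 664 -o root -g root \
    "$tool"/etc/postfix/master.cf \
    /etc/postfix/master.cf
  # hash: lookup tables: install the text source, then build the .db with postmap.
  for table in \
    smtp/x509/policy \
    smtpd/sender_access \
    smtpd/client_blacklist \
    smtpd/relay_clientcerts \
    transport \
    virtual_alias
  do
    sudo install -m 660 -o root -g root \
      "$src"/"$table" \
      "$conf"/"$table"
    sudo postmap hash:"$conf"/"$table"
  done
  sudo service postfix restart
}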
rule_mail_configure () {
  # Configure the whole mail stack, in this order: Postfix (MTA), postgrey
  # (greylisting), procmail (local delivery), Dovecot (IMAP/Sieve).
  local part
  for part in postfix postgrey procmail dovecot; do
    rule "${part}_configure"
  done
}
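rule_network_configure () {
  # Hostname, /etc/hosts entry and a static /32 configuration of eth0
  # (gateway = own address via proxy_arp, MTU 1300 imposed by the tunnels).
  # NOTE: install(1) takes the owner with -o ("-u" is not an install option).
  sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
  grep -q " $vm\$" /etc/hosts ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
  # NOTE(review): the "gateway" line below carries a trailing "# NOTE" —
  # interfaces(5) documents comments on lines of their own only; confirm
  # ifupdown does not take the comment as part of the value.
  sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}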
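rule_user_configure () {
  # NOTE(review): this definition is SHADOWED by the later rule_user_configure
  # in this file (the shell keeps the last definition), so "rule user_configure"
  # never runs this body and sshd_config is never written by this script.
  # To make the sshd part reachable, give it its own name (e.g.
  # rule_sshd_configure) and drop the /etc/skel part, which the later
  # definition repeats.
  # Intended effect: /etc/skel layout, an RSA-only SSH host key, and an
  # sshd_config bound to $vm_ipv4 with public-key authentication only
  # (passwords disabled, root allowed by key).
  # NOTE: install(1) takes the owner with -o ("-u" is not an install option).
  sudo install -d -m 750 -o root -g adm \
    /etc/skel/etc \
    /etc/skel/etc/ssh
  sudo install -d -m 770 -o root -g adm \
    /etc/skel/etc/apache2 \
    /etc/skel/var \
    /etc/skel/var/log \
    /etc/skel/var/cache \
    /etc/skel/var/cache/ssh
  sudo ln -fns etc/ssh /etc/skel/.ssh
  sudo ln -fns etc/gpg /etc/skel/.gnupg
  # Generate a 4096-bit RSA host key unless known_hosts already holds an
  # RSA entry for $vm_fqdn (a line of the ssh-keygen -F output ending in
  # " RSA" — presumably a fingerprint line; confirm with the installed
  # ssh-keygen). "exit" leaves the subshell, like the former "return".
  if ! ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
    ( while IFS= read -r line
      do case $line in (*" RSA") exit 0;; esac
      done; exit 1 )
  then
    sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
  fi
  # NOTE: keys generated by Debian; only the RSA key is kept (HostKey below).
  sudo rm -f \
    /etc/ssh/ssh_host_dsa_key \
    /etc/ssh/ssh_host_dsa_key.pub \
    /etc/ssh/ssh_host_ecdsa_key \
    /etc/ssh/ssh_host_ecdsa_key.pub
  sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
  sudo service ssh restart
}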
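rule_user_admin_add () { # SYNTAX: $user
  # Create the system user $user without a password (the user sets it with
  # passwd-init), add them to the "sudo" group, install their SSH public
  # key from $tool/var/pub/ssh/$user.key and import every OpenPGP key of
  # $tool/var/pub/openpgp into their keyring, then run user_admin_configure.
  local user=$1
  local home key
  id "$user" >/dev/null ||
  sudo adduser --disabled-password "$user"
  # NOTE: the password must be initialised by the user with passwd-init.
  # The home directory comes from the passwd database instead of an eval'ed
  # "~$user", so shell metacharacters in the argument are never evaluated;
  # ${home:?} aborts on an unknown user instead of installing the key as
  # "/etc/ssh/authorized_keys".
  home=$(getent passwd "$user" | cut -d: -f6)
  : "${home:?no home directory found for $user}"
  sudo adduser "$user" sudo
  sudo install -m 640 -o root -g root \
    "$tool"/var/pub/ssh/"$user".key \
    "$home"/etc/ssh/authorized_keys
  # Globbing is off for the whole script (set -f); enable it for the loop only.
  local -; set +f
  for key in "$tool"/var/pub/openpgp/*.key; do
    sudo -u "$user" gpg --import "$key"
  done
  rule user_admin_configure
}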
rule_user_admin_configure () {
  # Propagate the admins' keys: into the initramfs (dropbear) and into
  # root's authorized_keys and keyring.
  local part
  for part in initramfs user_root; do
    rule "${part}_configure"
  done
}
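rule_user_configure () {
  # /etc/skel layout for new users, sudoers drop-ins (let sudoers run
  # "etckeeper unclean" and set their own locked password without a
  # password prompt, keep editor/git identity in the environment) and the
  # passwd-init helper that uses the first drop-in.
  # NOTE: install(1) takes the owner with -o ("-u" is not an install option).
  sudo install -d -m 750 -o root -g adm \
    /etc/skel/etc \
    /etc/skel/etc/ssh
  sudo install -d -m 770 -o root -g adm \
    /etc/skel/etc/apache2 \
    /etc/skel/var \
    /etc/skel/var/log \
    /etc/skel/var/cache \
    /etc/skel/var/cache/ssh
  sudo ln -fns etc/ssh /etc/skel/.ssh
  sudo ln -fns etc/gpg /etc/skel/.gnupg
  # The NOPASSWD rule only matches the exact /bin/sh command line that
  # passwd-init (below) runs, and that command only calls passwd when the
  # account's password is still locked ("L" in passwd --status).
  # NOTE(review): sudo normally expects sudoers.d files to be mode 0440 —
  # confirm 0640 is accepted by the installed sudo.
  sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
  sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
  sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
  sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
#!/bin/sh -efu
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
}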
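rule_user_root_configure () {
  # Give root the same etc/ssh, etc/gpg layout as users, make root's
  # authorized_keys the concatenation of every "sudo" group member's keys,
  # and import the OpenPGP keys of $tool/var/pub/openpgp into root's keyring.
  # NOTE: install(1) takes the owner with -o ("-u" is not an install option).
  sudo install -d -m 750 -o root -g adm \
    /root/etc \
    /root/etc/ssh \
    /root/etc/gpg
  sudo ln -fns etc/gpg /root/.gnupg
  sudo ln -fns etc/ssh /root/.ssh
  # The home directory comes from the passwd database instead of an
  # eval'ed "~$user", so the user name is never parsed as shell code;
  # ${home:?} aborts on an unknown user instead of reading "/etc/ssh/...".
  # Globbing is off (set -f), so "$users" is only word-split on ",".
  getent group sudo |
  while IFS=: read -r _group _passwd _gid users; do
    IFS=,
    for user in $users; do
      home=$(getent passwd "$user" | cut -d: -f6)
      cat "${home:?no home directory found for $user}"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
  # Globbing is off for the whole script (set -f); enable it for the loop only.
  local key; local -; set +f
  for key in "$tool"/var/pub/openpgp/*.key; do
    sudo gpg --import "$key"
  done
}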
rule_bin_configure () {
  # Expose this script system-wide as /usr/local/sbin/vm_hosted (symlink).
  local target=/usr/local/sbin/
  sudo ln -fns "$tool"/vm_hosted "$target"
}
rule_configure () {
  # Full base configuration of the VM, in this order (etckeeper first so
  # that every later change to /etc is tracked).
  local part
  for part in \
    etckeeper \
    locale \
    network \
    apt \
    filesystem \
    login \
    user_root \
    boot \
    apticron \
    bin
  do
    rule "${part}_configure"
  done
}
697
rule_luks_key_change () {
  # Interactively change a passphrase of the LUKS root volume; the var, home
  # and swap volumes derive their key from it (see rule_filesystem_configure).
  local dev=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
  sudo cryptsetup luksChangeKey "$dev"
}
701
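# Entry point: the first argument names the rule (default: help), the
# remaining ones are passed to it.
rule=${1:-help}
if [ $# -gt 0 ]; then
  shift
fi
# Every rule but help must run on the VM itself: refuse when the FQDN differs.
if [ "$rule" != help ]; then
  assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
fi
# Quoted so that a rule name is always passed as a single word.
rule "$rule" "$@"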