#!/bin/sh
set -e -f ${DRY_RUN:+-n} -u
tool=${0%/*}
. "$tool"/env.sh
. "$tool"/inc.sh

rule_help () {
	cat >&2 <<-EOF
		DESCRIPTION: ce script regroupe des fonctions utilitaires
		             pour gérer la VM des ateliers _depuis_ la VM hébergée ;
		             il sert à la fois d'outil et de documentation.
		             Voir \`$tool/ateliers_host' pour les utilitaires côté machine hôte.
		SYNTAX: $0 \$RULE \${RULE}_SYNTAX
		RULES:
		$(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/env.sh "$0")
		ENVIRONMENT:
		  TRACE # affiche les commandes avant leur exécution
		$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0")
		EOF
 }

rule_filesystem_init () {
	mk_reg mod= own= --append /etc/sysctl.conf <<-EOF
		vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
		vm.vfs_cache_pressure=50
		EOF
 }
rule_shell_source () {
	. /etc/profile
 }
rule_network_init () {
	mk_reg mod= own= /etc/hostname <<-EOF
		$vm
		EOF
	grep -q " $vm\$" /etc/hosts ||
	mk_reg mod= own= --append /etc/hosts <<-EOF
		127.0.0.1 $vm_fqdn $vm
		EOF
	mk_reg mod= own= /etc/network/interfaces <<-EOF
		auto lo
		iface lo inet loopback
		
		auto eth0=grenode
		iface grenode inet static
			address   $vm_ipv4
			gateway   $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
			network   $vm_ipv4
			broadcast $vm_ipv4
			netmask   255.255.255.255
			mtu 1300 # TODO: voir si c'est nécessaire à Lyon
			up   ip address add    $vm_ipv4/32 dev \$IFACE
			down ip address delete $vm_ipv4/32 dev \$IFACE
		EOF
 }
rule_apt_init () {
	mk_reg mod= own= /etc/apt/sources.list <<-EOF
		deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
		EOF
	mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
		deb http://nightly.openerp.com/trunk/nightly/deb/ ./
		EOF
	mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
		deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
		EOF
	mk_reg mod= own= /etc/apt/preferences <<-EOF
		Package: *
		Pin: release a=$vm_lsb_name
		Pin-Priority: 170
		
		Package: *
		Pin: release a=$vm_lsb_name-backports
		Pin-Priority: 200
		EOF
 }
rule_boot_init () {
	mk_reg mod= own= /etc/fstab <<-EOF
		# <file system> <mount point> <type> <options> <dump> <pass>
		LABEL=boot /boot ext2 defaults,no-auto 0 0
		proc /proc proc defaults 0 0
		sysfs /sys sysfs defaults 0 0
		tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
		/dev/mapper/${vm}_root_deciphered /     ext4 defaults,errors=remount-ro,acl,noatime 0 1
		/dev/mapper/${vm}_var_deciphered  /var  ext4 defaults,errors=remount-ro,acl,noatime 0 1
		/dev/mapper/${vm}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
		/dev/mapper/${vm}_swap_deciphered swap swap sw 0 0
		EOF
	mk_reg mod= own= /etc/crypttab <<-EOF
		# <target name> <source device> <key file> <options>
		${vm}_root_deciphered LABEL=${vm}_root ${vm}_root            luks
		${vm}_var_deciphered  LABEL=${vm}_var  ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
		${vm}_swap_deciphered LABEL=${vm}_swap ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
		${vm}_home_deciphered LABEL=${vm}_home ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
		EOF
	mk_reg mod= own= /etc/initramfs-tools/modules <<-EOF
		#loop
		sha1_generic
		sha256_generic
		sha512_generic
		aes-x86_64
		xts
		EOF
	mk_reg mod= own= --append /etc/default/grub <<-EOF
		GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 resume=/dev/mapper/${vm}_swap_deciphered"
		EOF
 }
rule_user_admin_add () { # SYNTAX: <name>
	admin=$1
	! id "$admin" || adduser "$admin"
	eval home="~$admin"
	adduser "$admin" sudo
	mk_reg mod=0400 own="$admin:$admin" "$home"/etc/ssh/authorized_keys <"$tool"/key/"$admin".ssh.pub
 }
rule_user_mail_format () {
	mk_dir mod=0770 own=root:adm /etc/skel/etc/procmail
	mk_dir mod=0770 own=root:adm /etc/skel/var/mail
	mk_dir mod=0770 own=root:adm /etc/skel/var/cache/procmail
	mk_reg mod=0660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
		# vim: ft=procmail
		
		# NOTE: paramètres passés par postfix
		SENDER=\$1
		RECIPIENT=\$2
		USER=\$3
		EXTENSION=\$4
		DOMAIN=\$5
		ORIGINAL_RECIPIENT=\$6
		
		PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
		MAILDIR="\$HOME/var/mail/"
		DEFAULT="\$MAILDIR"
		#LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
		LOGFILE="/dev/null"
		LOGABSTRACT=all
		LOGABSTRACT
		VERBOSE
		SHELL=/bin/sh
		SHELLMETAS=&|<>~;?*%{}
		
		# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
		#:0 Wh:            "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
		#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
		
		# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
		EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
		 # NOTE: récupère l’adresse courriel dans le champ GECOS
		FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
		 # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
		:0
		| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
		
		# DESCRIPTION: IMAP
		#:0
		#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
		
		# DESCRIPTION: UUCP
		#:0
		#| /usr/bin/uux \
		# -I "\$HOME/etc/uucp/uucp.cfg" \
		# --nouucico \
		# --notification=error \
		# --requestor "\$USER" \
		# - "\$USER!rmail" "(\$USER)"
		EOF
	mk_reg mod=0664 own=root:root /etc/postfix/main.cf <<-EOF
		# /etc/postfix/main.cf
		# SEE: http://postfix.traduc.org/index.php/TLS_README.html
		
		parent_domain_matches_subdomains =
		        #debug_peer_list
		        #fast_flush_domains
		        #mynetworks
		        #permit_mx_backup_networks
		        #qmqpd_authorized_clients
		        #smtpd_access_maps
		mydomain                         = $vm_domainname
		myorigin                         = \$mydomain
		myhostname                       = $vm_hostname.\$mydomain
		mail_name                        = \$myhostname
		mydestination                    =
		        $vm_hostname
		        \$myhostname
		        \$myorigin
		mynetworks                       =
		        127.0.0.0/8
		        #[::1]/128
		inet_protocols = ipv4
		        # "all" to activate IPv6
		inet_interfaces                  = all
		permit_mx_backup_networks        =
		
		alias_database         =
		        hash:/etc/aliases
		        # NOTE: fichier de hash contenant une table d’alias mail.
		        #       Celle-ci est éditable dans /etc/aliases, puis (indispensable)
		        #       regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
		alias_maps             =
		        hash:/etc/aliases
		recipient_delimiter    = +
		        # NOTE: séparateur entre le nom d’utilisateur
		        #       et les extensions d’adresse (par défaut le signe +).
		#virtual_alias_domains  =
		virtual_alias_maps     =
		        hash:/etc/postfix/\$mydomain/virtual
		        # NOTE: do not specify virtual alias domain names in  the  main.cf
		        #       mydestination or relay_domains configuration parameters.
		        #
		        # With  a  virtual  alias  domain,  the  Postfix SMTP server
		        # accepts  mail  for  known-user@virtual-alias.domain,   and
		        # rejects   mail  for  unknown-user@virtual-alias.domain  as
		        # undeliverable.
		#relayhost              =
		relay_clientcerts      =
		        hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
		relay_domains          =
		        \$mydestination
		                # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
		                #       pas dans mydestination ou virtual_alias...
		
		maximal_queue_lifetime = 5d
		
		header_checks        =
		        regexp:/etc/postfix/\$mydomain/header_checks
		mime_header_checks   =
		nested_header_checks =
		milter_header_checks =
		body_checks          =
		
		#content_filter               = amavisfeed:[127.0.0.1]:10024
		#receive_override_options     = no_address_mappings
		        # no_unknown_recipient_checks
		        #         Do not try to reject unknown recipients (SMTP server only).
		        #         This is typically specified AFTER an external content filter.
		        # no_address_mappings
		        #         Disable canonical address mapping, virtual alias map expansion,
		        #         address masquerading, and automatic BCC (blind carbon-copy) recipients.
		        #         This is typically specified BEFORE an external content filter (eg. amavis).
		        # no_header_body_checks
		        #         Disable header/body_checks. This is typically specified AFTER an external content filter.
		        # no_milters
		        #         Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
		#local_header_rewrite_clients =
		transport_maps                =
		        hash:/etc/postfix/\$mydomain/transport_maps
		mailbox_command               =
		        /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
		mailbox_size_limit            = 0
		biff                          = no
		        # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
		append_dot_mydomain           = no
		        # appending .domain is the MUA's job.
		
		#tls_random_source             =
		#       dev:/dev/urandom
		        # Non-blocking
		#tls_random_reseed_period      = 3600s
		#tls_random_exchange_name      =
		#       \${data_directory}/prng_exch
		        # NOTE: à ne pas mettre dans la cage chroot
		#tls_random_bytes              = 32
		#tls_random_prng_update_period = 3600s
		#tls_high_cipherlist           = AES256-SHA
		        # NOTE: postconf(5) déconseille de changer ceci
		
		#smtp_cname_overrides_servername = no
		smtp_connect_timeout            = 60s
		#smtp_tls_CAfile                 = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
		#smtp_tls_CApath                 = /etc/postfix/\$mydomain/smtp/tls/ca/
		#smtp_tls_cert_file              = /etc/postfix/\$mydomain/smtp/tls/crt.pem
		#smtp_tls_key_file               = /etc/postfix/\$mydomain/smtp/tls/key.pem
		#smtp_tls_per_site               = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
		        # NOTE: déprécié en faveur de smtp_tls_policy_maps
		smtp_tls_policy_maps            = hash:/etc/postfix/\$mydomain/smtp/tls/policy
		smtp_tls_fingerprint_digest     = sha1
		smtp_tls_scert_verifydepth      = 5
		#smtp_tls_secure_cert_match      = nexthop, dot-nexthop
		#smtp_tls_verify_cert_match      = hostname
		#smtp_tls_note_starttls_offer    = yes
		smtp_tls_loglevel               = 1
		smtp_tls_protocols              = !SSLv2, !SSLv3
		        # Only allow TLSv*
		smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
		#smtp_tls_session_cache_timeout  = 3600s
		smtp_tls_security_level         = may
		smtp_header_checks              = regexp:/etc/postfix/\$mydomain/smtp/header_checks
		smtp_body_checks                =
		smtp_mime_header_checks         =
		smtp_nested_header_checks       =
		
		smtpd_starttls_timeout                  = 300s
		smtpd_banner                            =
		 \$myhostname ESMTP \$mail_name (Debian/GNU)
		
		# Restrictions
		smtpd_helo_required             = yes
		strict_rfc821_envelopes         = yes
		smtpd_authorized_xclient_hosts  = 127.0.0.1
		        # NOTE: utile pour tester les restrictions
		
		smtpd_helo_restrictions         =
		        reject_invalid_helo_hostname
		        reject_non_fqdn_helo_hostname
		        #reject_unknown_helo_hostname
		                # NOTE: pourrait pourtant être utile pour lutter contre le spam
		        permit
		
		smtpd_sender_restrictions       =
		        permit_mynetworks
		        permit_tls_clientcerts
		        permit_sasl_authenticated
		        check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
		        check_sender_access hash:/etc/postfix/sender_blacklist
		        reject_unauth_pipelining
		        reject_non_fqdn_sender
		        #reject_unknown_sender_domain
		                # NOTE: temporaire
		        permit
		
		smtpd_client_new_tls_session_rate_limit = 0
		smtpd_client_event_limit_exceptions     = \$mynetworks
		smtpd_client_recipient_rate_limit       = 0
		smtpd_client_connection_count_limit     = 50
		smtpd_client_connection_rate_limit      = 0
		smtpd_client_message_rate_limit         = 0
		smtpd_client_port_logging               = no
		
		smtpd_client_restrictions               =
		        check_client_access hash:/etc/postfix/client_blacklist
		
		policy_time_limit                       = 3600
		default_extra_recipient_limit           = 5000
		duplicate_filter_limit                  = 5000
		smtpd_recipient_limit                   = 5000
		smtpd_recipient_overshoot_limit         = 5000
		smtpd_recipient_restrictions            =
		        reject_non_fqdn_recipient
		        #reject_invalid_hostname
		                # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
		                #       dans smtpd_helo_restrictions
		        reject_unknown_recipient_domain
		        #reject_non_fqdn_sender
		                # NOTE: dans smtpd_sender_restrictions
		        reject_unauth_pipelining
		                # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
		        permit_mynetworks
		        permit_tls_clientcerts
		        permit_sasl_authenticated
		        reject_unauth_destination
		                # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
		                #       ou quelqu'un pour lequel on tient lieu de backup_mx
		        check_policy_service inet:127.0.0.1:10023
		                # NOTE: Postgrey (greylisting)
		        check_policy_service unix:private/spfcheck
		        permit_auth_destination
		                # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
		                #       (voir permit_auth_destination) ; sans doute redondant
		        reject
		        #check_relay_domains <- removed from postfix
		        #reject_unknown_sender_domain
		                # aurait probablement été mieux dans smtpd_sender_restrictions
		        #reject_rbl_client bl.spamcop.net
		        #reject_rbl_client list.dsbl.org
		        #reject_rbl_client zen.spamhaus.org
		        #reject_rbl_client dnsbl.sorbs.net
		
		smtpd_data_restrictions                 =
		        reject_unauth_pipelining
		                # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
		        permit
		
		#smtpd_end_of_data_restrictions          =
		
		#smtpd_restriction_classes               =
		
		smtpd_error_sleep_time                  = 5
		        # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
		
		# SASL
		smtpd_sasl_auth_enable                  = yes
		smtpd_sasl_type                         = dovecot
		smtpd_sasl_path                         = private/auth
		smtpd_sasl_security_options             = noanonymous
		smtpd_sasl_domain                       = \$mydomain
		
		# SMTPD TLS
		smtpd_discard_ehlo_keywords             = starttls
		        # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
		        #       se mangent une erreur en tentant un starttls
		smtpd_tls_fingerprint_digest            = sha1
		        # sha512 ?
		smtpd_tls_mandatory_protocols           = TLSv1
		smtpd_tls_mandatory_ciphers             = high
		smtpd_tls_ciphers                       = high
		        # restrictif. s/high/medium/ ?
		smtpd_tls_CAfile                        = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
		smtpd_tls_CApath                        = /etc/postfix/\$mydomain/smtpd/tls/ca/
		smtpd_tls_cert_file                     = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
		smtpd_tls_key_file                      = /etc/postfix/\$mydomain/smtpd/tls/key.pem
		##
		#smtpd_tls_received_header               = no
		smtpd_tls_session_cache_database        =
		        btree:/var/lib/postfix/smtpd_tls_session_cache
		#smtpd_tls_session_cache_timeout         = 3600s
		smtpd_tls_security_level                = may
		        # Postfix 2.3 and later
		        # encrypt
		        #  Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
		        #  encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
		        #  SMTP server. Instead, this option should be used only on dedicated servers.
		smtpd_tls_loglevel                      = 1
		smtpd_tls_ccert_verifydepth             = 5
		smtpd_tls_auth_only                     = yes
		        # Pas d'AUTH SASL sans TLS
		smtpd_tls_ask_ccert                     = no
		smtpd_tls_req_ccert                     = no
		#smtpd_tls_always_issue_session_ids      = yes
		smtpd_peername_lookup                   = yes
		        # Nécessaire pour postgrey, etc
		smtpd_milters                           =
		non_smtpd_milters                       =
		line_length_limit                       = 2048
		queue_minfree                           = 0
		message_size_limit                      = 20480000
		#smtpd_enforce_tls    # NOTE: obsolète
		#smtpd_use_tls        # NOTE: obsolète
		#smtpd_tls_cipherlist # NOTE: obsolète
		
		readme_directory   = no
		#delay_warning_time = 4h
		        # NOTE: uncomment the previous line to generate "delayed mail" warnings
		#debug_peer_level   = 4
		#debug_peer_list    = .\$myhostname
		EOF
	mk_reg mod=0664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
		auth_ssl_username_from_cert = yes
		listen = *
		log_timestamp = "%Y-%m-%d %H:%M:%S "
		mail_debug = yes
		mail_location = maildir:~/var/mail
		mail_privileged_group = mail
		passdb {
		  args = /home/%u/etc/dovecot/passwd
		  driver = passwd-file
		}
		protocols = imap
		service auth {
		  unix_listener /var/spool/postfix/private/auth {
		    group = postfix
		    mode = 0660
		    user = postfix
		  }
		  user = root
		}
		ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
		ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
		ssl_cipher_list = AES256-SHA
		ssl_key = </etc/dovecot/imap/tls/key.pem
		ssl_verify_client_cert = yes
		userdb {
		  driver = passwd
		}
		verbose_ssl = yes
		protocol lda {
		  auth_socket_path = /var/run/dovecot/auth-master
		  hostname = $vm_domainname
		  info_log_path = /var/log/dovecot/lda/info.log
		  log_path = /var/log/dovecot/lda/error.log
		  mail_plugins = sieve
		  postmaster_address = contact+dovecot+lda@$vm_domainname
		}
		EOF
	mk_reg mod=0664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
		
		EOF
 }
rule_mail_install () {
	sudo apt-get install postfix postgrey dovecot
 }
rule_user_format () {
	mk_dir mod=0750 own="root:adm" /etc/skel/etc
	mk_dir mod=0770 own="root:adm" /etc/skel/etc/apache2
	mk_dir mod=0770 own="root:adm" /etc/skel/etc/ssh
	mk_dir mod=0700 own="root:adm" /etc/skel/var
	mk_dir mod=0700 own="root:adm" /etc/skel/var/log
	mk_dir mod=0700 own="root:adm" /etc/skel/var/cache
	mk_dir mod=0700 own="root:adm" /etc/skel/var/cache/ssh
	mk_dir mod=0700 own="root:adm" /etc/skel/tmp
	mk_dir mod=0700 own="root:adm" /etc/skel/tmp
	mk_reg mod=0664 own=root:root /etc/ssh/sshd_config <<-EOF
		ListenAddress $vm_ipv4
		#ListenAddress ::
		Port 22
		Protocol 2
		Compression yes
		HostKey /etc/ssh/ssh_host_rsa_key
		UsePrivilegeSeparation yes
		KeyRegenerationInterval 3600
		ServerKeyBits 768
		SyslogFacility AUTH
		LogLevel INFO
		LoginGraceTime 120
		PermitRootLogin no
		StrictModes yes
		RSAAuthentication yes
		PubkeyAuthentication yes
		AuthorizedKeysFile %h/etc/ssh/authorized_keys
		IgnoreRhosts yes
		RhostsRSAAuthentication no
		HostbasedAuthentication no
		IgnoreUserKnownHosts no
		PermitEmptyPasswords no
		ChallengeResponseAuthentication no
		PasswordAuthentication no
		KerberosAuthentication no
		GSSAPIAuthentication no
		X11Forwarding no
		X11DisplayOffset 10
		PrintMotd no
		DebianBanner no
		PrintLastLog yes
		TCPKeepAlive yes
		ClientAliveInterval 0
		AcceptEnv LANG LC_*
		Subsystem sftp /usr/lib/openssh/sftp-server
		UsePAM yes
		EOF
	mk_reg mod=0440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \
		  case \$(/usr/bin/passwd --status "\$SUDO_USER") in \
		    ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
		EOF
	mk_reg mod=0440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
		EOF
	mk_reg mod=0440 own=root:root /etc/sudoers.d/env_keep <<-EOF
		Defaults env_keep = " \
		  EDITOR \
		  GIT_AUTHOR_NAME \
		  GIT_AUTHOR_EMAIL \
		  GIT_COMMITTER_NAME \
		  GIT_COMMITTER_EMAIL \
		 "
		EOF
	mk_reg mod=0555 own=root:root /usr/local/sbin/passwd-init <<-EOF
		#!/bin/sh
		sudo /bin/sh -e -f -u -c \
		  'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
		EOF
 }
rule_kernel_init () {
	sudo apt-get install --reinstall linux-image-$vm_arch
 }

rule=${1:-help}
${1+shift}
set "${TRACE:+-x}"
rule_$rule "$@"