#!/bin/sh
set -e -f ${DRY_RUN:+-n} -u
tool=${0%/*}
. "$tool"/lib/functions.sh
. "$tool"/etc/vm.sh

rule_help () {
	cat >&2 <<-EOF
		DESCRIPTION: ce script regroupe des fonctions utilitaires
		             pour gérer la VM _depuis_ la VM hébergée ;
		             il sert à la fois d'outil et de documentation.
		             Voir \`$tool/vm_host' pour les utilitaires côté machine hôte.
		SYNTAX: $0 \$RULE \${RULE}_SYNTAX
		RULES:
		$(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0")
		ENVIRONMENT:
		  TRACE # affiche les commandes avant leur exécution
		$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0")
		EOF
 }

rule_git_reset () {
	(
	cd "$tool"
	git checkout -f -B master origin
	git clean -f -d -x
	)
 }

rule_chrooted () {
	export LANG=C
	export LC_CTYPE=C
	. /etc/profile
 }

rule__etckeeper_init () {
	mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
		VCS=git
		GIT_COMMIT_OPTIONS=""
		AVOID_DAILY_AUTOCOMMITS=1
		#AVOID_SPECIAL_FILE_WARNING=1
		#AVOID_COMMIT_BEFORE_INSTALL=1
		HIGHLEVEL_PACKAGE_MANAGER=apt
		LOWLEVEL_PACKAGE_MANAGER=dpkg
		EOF
 }
rule__locale_init () {
	mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
		fr_FR.UTF-8 UTF-8
		EOF
	sudo update-locale
 }
rule__network_init () {
	mk_reg mod= own= /etc/hostname <<-EOF
		$vm
		EOF
	grep -q " $vm\$" /etc/hosts ||
	mk_reg mod= own= --append /etc/hosts <<-EOF
		127.0.0.1 $vm_fqdn $vm
		EOF
	mk_reg mod= own= /etc/network/interfaces <<-EOF
		auto lo
		iface lo inet loopback
		
		auto eth0=grenode
		iface grenode inet static
		    address   $vm_ipv4
		    gateway   $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
		    network   $vm_ipv4
		    broadcast $vm_ipv4
		    netmask   255.255.255.255
		    mtu 1300 # TODO: voir si c'est nécessaire à Lyon
		    post-up   ip address add    $vm_ipv4/32 dev \$IFACE
		    pre-down  ip address delete $vm_ipv4/32 dev \$IFACE
		EOF
 }
rule__apt_init () {
	mk_reg mod= own= /etc/apt/sources.list <<-EOF
		deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
		EOF
	mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
		deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
		EOF
	mk_reg mod= own= /etc/apt/preferences <<-EOF
		Package: *
		Pin: release a=$vm_lsb_name
		Pin-Priority: 170
		
		Package: *
		Pin: release a=$vm_lsb_name-backports
		Pin-Priority: 200
		EOF
	mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
		deb http://nightly.openerp.com/trunk/nightly/deb/ ./
		EOF
 }
rule__filesystem_init () {
	mk_reg mod=644 own=root:root /etc/fstab <<-EOF
		# <file system> <mount point> <type> <options> <dump> <pass>
		LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
		proc /proc proc defaults 0 0
		sysfs /sys sysfs defaults 0 0
		tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
		/dev/mapper/${vm_lvm_lv}_root_deciphered /     ext4 defaults,errors=remount-ro,acl,noatime 0 1
		/dev/mapper/${vm_lvm_lv}_var_deciphered  /var  ext4 defaults,errors=remount-ro,acl,noatime 0 1
		/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
		/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
		EOF
	mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
		# <target name> <source device> <key file> <options>
		${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none                         luks,lvm=$vm_lvm_vg
		${vm_lvm_lv}_var_deciphered  /dev/$vm_lvm_vg/${vm_lvm_lv}_var  ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
		${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
		${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
		EOF
	mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
		vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
		vm.vfs_cache_pressure=50
		EOF
 }
rule__login_init () {
	grep -q hvc0 /etc/securetty ||
	mk_reg mod= own= --append /etc/securetty <<-EOF
		hvc0
		EOF
	grep -q xvc0 /etc/securetty ||
	mk_reg mod= own= --append /etc/securetty <<-EOF
		xvc0
		EOF
	mk_reg mod=644 own=root:root /etc/inittab <<-EOF
		# /etc/inittab: init(8) configuration.
		
		# The default runlevel.
		id:2:initdefault:
		
		# Boot-time system configuration/initialization script.
		# This is run first except when booting in emergency (-b) mode.
		si::sysinit:/etc/init.d/rcS
		
		# What to do in single-user mode.
		~~:S:wait:/sbin/sulogin
		
		# /etc/init.d executes the S and K scripts upon change
		# of runlevel.
		#
		# Runlevel 0 is halt.
		# Runlevel 1 is single-user.
		# Runlevels 2-5 are multi-user.
		# Runlevel 6 is reboot.
		
		l0:0:wait:/etc/init.d/rc 0
		l1:1:wait:/etc/init.d/rc 1
		l2:2:wait:/etc/init.d/rc 2
		l3:3:wait:/etc/init.d/rc 3
		l4:4:wait:/etc/init.d/rc 4
		l5:5:wait:/etc/init.d/rc 5
		l6:6:wait:/etc/init.d/rc 6
		# Normally not reached, but fallthrough in case of emergency.
		z6:6:respawn:/sbin/sulogin
		
		# What to do when CTRL-ALT-DEL is pressed.
		ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
		
		# What to do when the power fails/returns.
		pf::powerwait:/etc/init.d/powerfail start
		pn::powerfailnow:/etc/init.d/powerfail now
		po::powerokwait:/etc/init.d/powerfail stop
		
		# Xen hypervisor console
		hvc:2345:respawn:/sbin/getty 38400 hvc0
		#xvc:2345:respawn:/sbin/getty 38400 xvc0
		EOF
	mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
		MAIL_DIR         /var/mail
		FAILLOG_ENAB     yes
		LOG_UNKFAIL_ENAB no
		LOG_OK_LOGINS    no
		SYSLOG_SU_ENAB   yes
		SYSLOG_SG_ENAB   yes
		FTMP_FILE        /var/log/btmp
		SU_NAME          su
		HUSHLOGIN_FILE   .hushlogin
		ENV_SUPATH       PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
		ENV_PATH         PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
		# NOTE: met les sbin/ dans ENV_PATH ;
		#  - ça n'apporte aucune protection de ne pas les mettre ;
		#  - ça frustre de ne pas les trouver.
		TTYGROUP         tty
		TTYPERM          0600
		ERASECHAR        0177
		KILLCHAR         025
		# NOTE: rwxrwx--- ;
		#  - donne une même confiance au groupe propriétaire qu'au propriétaire ;
		#  - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
		UMASK            007
		PASS_MAX_DAYS    99999
		PASS_MIN_DAYS    0
		PASS_WARN_AGE    7
		UID_MIN           1000
		UID_MAX          60000
		GID_MIN           1000
		GID_MAX          60000
		LOGIN_RETRIES    3
		LOGIN_TIMEOUT    60
		CHFN_RESTRICT    rwh
		DEFAULT_HOME     yes
		USERGROUPS_ENAB  yes
		ENCRYPT_METHOD   SHA512
		EOF
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
		session optional pam_umask.so
		EOF
 }
rule__user_root_init () {
	mk_dir mod=750 own=root:root /root/etc
	mk_dir mod=750 own=root:root /root/etc/ssh
	mk_dir mod=750 own=root:root /root/etc/gpg
	mk_lnk etc/gpg /root/.gnupg
	mk_lnk etc/ssh /root/.ssh
	getent group sudo |
	while IFS=: read -r group x x users
	 do while IFS=, read -r user
		 do eval local home\; home="~$user"
			cat "$home"/etc/ssh/authorized_keys
		 done <<-EOF
			$users
			EOF
	 done |
	mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
	sudo find "$tool"/var/pub/openpgp -type f -name '*.key' -exec gpg --import {} \;
 }
rule__initramfs_init () {
	mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
		MODULES=most
		BUSYBOX=y
		KEYMAP=y
		COMPRESS=gzip
		DEVICE=eth0
		EOF
	mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
		alias eth0 xennet
		alias scsi_hostadapter xenblk
		EOF
	mk_reg mod=644 own=root:root /etc/modules <<-EOF
		sha1_generic
		sha256_generic
		sha512_generic
		aes-x86_64
		xts
		# NOTE: pour Xen en mode HVM :
		#modprobe xen-platform-pci
		EOF
	mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
		EOF
	sudo sed -e '/^configure_networking /s/ &$//' \
	 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
	sudo rm -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
	 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	#mk_reg mod=640 own=root:root </dev/null \
	# /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
	# /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	 do case $line in (*" RSA") return 0; break;; esac
	 done; return 1 ) ||
	sudo dropbearkey -t rsa -s 4096 -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	 do case $line in (*" DSA") return 0; break;; esac
	 done; return 1 ) ||
	sudo dropbearkey -t dss -s 1024 -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
	mk_dir mod=640 own=root:root \
	 /etc/initramfs-tools/root \
	 /etc/initramfs-tools/root/.ssh
	getent group sudo |
	while IFS=: read -r group x x users
	 do while IFS=, read -r user
		 do eval local home\; home="~$user"
			cat "$home"/etc/ssh/authorized_keys
		 done <<-EOF
			$users
			EOF
	 done |
	mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
	sudo rm -f \
	 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
	 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
	 /etc/initramfs-tools/root/.ssh/id_rsa
	 # NOTE: clefs générées par Debian
	sudo update-initramfs -u
 }
rule__boot_init () {
	sudo apt-get install --reinstall grub-pc # XXX: attention à n'installer GRUB sur AUCUN disque proposé !
	mk_dir mod=644 own=root:root /boot/grub
	sudo apt-get install --reinstall linux-image-$vm_arch
	mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
		GRUB_DEFAULT=0
		GRUB_TIMEOUT=5
		GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
		GRUB_CMDLINE_LINUX_DEFAULT="quiet"
		GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
		GRUB_DISABLE_RECOVERY="true"
		#GRUB_PRELOAD_MODULES="lvm"
		EOF
	mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
		(hd0)   /dev/xvda
		(hd0)   /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
		EOF
	sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
	rule__initramfs_init
 }
rule__bin_init () {
	mk_lnk "$tool"/vm_hosted /usr/local/sbin/
 }
rule_init () {
	rule__etckeeper_init
	rule__locale_init
	rule__network_init
	rule__apt_init
	rule__filesystem_init
	rule__login_init
	rule__user_root_init
	rule__boot_init
	rule__bin_init
 }

rule_disk_key_change () {
	sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
 }

rule_user_init () {
	mk_dir mod=750 own="root:adm" /etc/skel/etc
	mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
	mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/var
	mk_dir mod=700 own="root:adm" /etc/skel/var/log
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	mk_lnk etc/ssh                /etc/skel/.ssh
	mk_lnk etc/gpg                /etc/skel/.gnupg
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	 do case $line in (*" RSA") return 0; break;; esac
	 done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	 # NOTE: clefs générées par Debian
	mk_reg mod=664 own=root:root  /etc/ssh/sshd_config <<-EOF
		Port 22
		ListenAddress $vm_ipv4
		#ListenAddress ::
		Protocol 2
		Compression yes
		HostKey /etc/ssh/ssh_host_rsa_key
		UsePrivilegeSeparation yes
		KeyRegenerationInterval 3600
		ServerKeyBits 768
		SyslogFacility AUTH
		LogLevel INFO
		LoginGraceTime 120
		PermitRootLogin yes
		StrictModes yes
		RSAAuthentication yes
		PubkeyAuthentication yes
		AuthorizedKeysFile %h/etc/ssh/authorized_keys
		IgnoreRhosts yes
		RhostsRSAAuthentication no
		HostbasedAuthentication no
		IgnoreUserKnownHosts no
		PermitEmptyPasswords no
		ChallengeResponseAuthentication no
		PasswordAuthentication no
		KerberosAuthentication no
		GSSAPIAuthentication no
		X11Forwarding no
		X11DisplayOffset 10
		PrintMotd no
		DebianBanner no
		PrintLastLog yes
		TCPKeepAlive yes
		ClientAliveInterval 0
		AcceptEnv LANG LC_*
		Subsystem sftp /usr/lib/openssh/sftp-server
		UsePAM yes
		EOF
	sudo service ssh restart
	mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
		  case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
		    ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
		EOF
	mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
		EOF
	mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
		Defaults env_keep = " \\
		  EDITOR \\
		  GIT_AUTHOR_NAME \\
		  GIT_AUTHOR_EMAIL \\
		  GIT_COMMITTER_NAME \\
		  GIT_COMMITTER_EMAIL \\
		 "
		EOF
	mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
		#!/bin/sh
		sudo /bin/sh -e -f -u -c \
		  'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
		EOF
 }
rule_user_admin_add () { # SYNTAX: $user
	local user=$1
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
		# NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
	eval local home\; home="~$user"
	sudo adduser "$user" sudo
	ssh_key_add user=$user "$tool"/var/pub/ssh/"$user".key "$home"/etc/ssh/authorized_keys
	rule__initramfs_init
	rule__user_root_init
	sudo gpg --import "$tool"/var/pub/opengpg/"$user".key
 }
rule_user_mail_format () {
	mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
	mk_dir mod=770 own=root:adm /etc/skel/var/mail
	mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
	mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
		# vim: ft=procmail
		
		# NOTE: paramètres passés par postfix
		SENDER=\$1
		RECIPIENT=\$2
		USER=\$3
		EXTENSION=\$4
		DOMAIN=\$5
		ORIGINAL_RECIPIENT=\$6
		
		PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
		MAILDIR="\$HOME/var/mail/"
		DEFAULT="\$MAILDIR"
		#LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
		LOGFILE="/dev/null"
		LOGABSTRACT=all
		LOGABSTRACT
		VERBOSE
		SHELL=/bin/sh
		SHELLMETAS=&|<>~;?*%{}
		
		# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
		#:0 Wh:            "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
		#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
		
		# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
		EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
		 # NOTE: récupère l’adresse courriel dans le champ GECOS
		FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
		 # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
		:0
		| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
		
		# DESCRIPTION: IMAP
		#:0
		#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
		
		# DESCRIPTION: UUCP
		#:0
		#| /usr/bin/uux \
		# -I "\$HOME/etc/uucp/uucp.cfg" \
		# --nouucico \
		# --notification=error \
		# --requestor "\$USER" \
		# - "\$USER!rmail" "(\$USER)"
		EOF
	mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
		# /etc/postfix/main.cf
		# SEE: http://postfix.traduc.org/index.php/TLS_README.html
		
		parent_domain_matches_subdomains =
		        #debug_peer_list
		        #fast_flush_domains
		        #mynetworks
		        #permit_mx_backup_networks
		        #qmqpd_authorized_clients
		        #smtpd_access_maps
		mydomain                         = $vm_domainname
		myorigin                         = \$mydomain
		myhostname                       = $vm_hostname.\$mydomain
		mail_name                        = \$myhostname
		mydestination                    =
		        $vm_hostname
		        \$myhostname
		        \$myorigin
		mynetworks                       =
		        127.0.0.0/8
		        #[::1]/128
		inet_protocols = ipv4
		        # "all" to activate IPv6
		inet_interfaces                  = all
		permit_mx_backup_networks        =
		
		alias_database         =
		        hash:/etc/aliases
		        # NOTE: fichier de hash contenant une table d’alias mail.
		        #       Celle-ci est éditable dans /etc/aliases, puis (indispensable)
		        #       regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
		alias_maps             =
		        hash:/etc/aliases
		recipient_delimiter    = +
		        # NOTE: séparateur entre le nom d’utilisateur
		        #       et les extensions d’adresse (par défaut le signe +).
		#virtual_alias_domains  =
		virtual_alias_maps     =
		        hash:/etc/postfix/\$mydomain/virtual
		        # NOTE: do not specify virtual alias domain names in  the  main.cf
		        #       mydestination or relay_domains configuration parameters.
		        #
		        # With  a  virtual  alias  domain,  the  Postfix SMTP server
		        # accepts  mail  for  known-user@virtual-alias.domain,   and
		        # rejects   mail  for  unknown-user@virtual-alias.domain  as
		        # undeliverable.
		#relayhost              =
		relay_clientcerts      =
		        hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
		relay_domains          =
		        \$mydestination
		                # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
		                #       pas dans mydestination ou virtual_alias...
		
		maximal_queue_lifetime = 5d
		
		header_checks        =
		        regexp:/etc/postfix/\$mydomain/header_checks
		mime_header_checks   =
		nested_header_checks =
		milter_header_checks =
		body_checks          =
		
		#content_filter               = amavisfeed:[127.0.0.1]:10024
		#receive_override_options     = no_address_mappings
		        # no_unknown_recipient_checks
		        #         Do not try to reject unknown recipients (SMTP server only).
		        #         This is typically specified AFTER an external content filter.
		        # no_address_mappings
		        #         Disable canonical address mapping, virtual alias map expansion,
		        #         address masquerading, and automatic BCC (blind carbon-copy) recipients.
		        #         This is typically specified BEFORE an external content filter (eg. amavis).
		        # no_header_body_checks
		        #         Disable header/body_checks. This is typically specified AFTER an external content filter.
		        # no_milters
		        #         Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
		#local_header_rewrite_clients =
		transport_maps                =
		        hash:/etc/postfix/\$mydomain/transport_maps
		mailbox_command               =
		        /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
		mailbox_size_limit            = 0
		biff                          = no
		        # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
		append_dot_mydomain           = no
		        # appending .domain is the MUA's job.
		
		#tls_random_source             =
		#       dev:/dev/urandom
		        # Non-blocking
		#tls_random_reseed_period      = 3600s
		#tls_random_exchange_name      =
		#       \${data_directory}/prng_exch
		        # NOTE: à ne pas mettre dans la cage chroot
		#tls_random_bytes              = 32
		#tls_random_prng_update_period = 3600s
		#tls_high_cipherlist           = AES256-SHA
		        # NOTE: postconf(5) déconseille de changer ceci
		
		#smtp_cname_overrides_servername = no
		smtp_connect_timeout            = 60s
		#smtp_tls_CAfile                 = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
		#smtp_tls_CApath                 = /etc/postfix/\$mydomain/smtp/tls/ca/
		#smtp_tls_cert_file              = /etc/postfix/\$mydomain/smtp/tls/crt.pem
		#smtp_tls_key_file               = /etc/postfix/\$mydomain/smtp/tls/key.pem
		#smtp_tls_per_site               = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
		        # NOTE: déprécié en faveur de smtp_tls_policy_maps
		smtp_tls_policy_maps            = hash:/etc/postfix/\$mydomain/smtp/tls/policy
		smtp_tls_fingerprint_digest     = sha1
		smtp_tls_scert_verifydepth      = 5
		#smtp_tls_secure_cert_match      = nexthop, dot-nexthop
		#smtp_tls_verify_cert_match      = hostname
		#smtp_tls_note_starttls_offer    = yes
		smtp_tls_loglevel               = 1
		smtp_tls_protocols              = !SSLv2, !SSLv3
		        # Only allow TLSv*
		smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
		#smtp_tls_session_cache_timeout  = 3600s
		smtp_tls_security_level         = may
		smtp_header_checks              = regexp:/etc/postfix/\$mydomain/smtp/header_checks
		smtp_body_checks                =
		smtp_mime_header_checks         =
		smtp_nested_header_checks       =
		
		smtpd_starttls_timeout                  = 300s
		smtpd_banner                            =
		 \$myhostname ESMTP \$mail_name (Debian/GNU)
		
		# Restrictions
		smtpd_helo_required             = yes
		strict_rfc821_envelopes         = yes
		smtpd_authorized_xclient_hosts  = 127.0.0.1
		        # NOTE: utile pour tester les restrictions
		
		smtpd_helo_restrictions         =
		        reject_invalid_helo_hostname
		        reject_non_fqdn_helo_hostname
		        #reject_unknown_helo_hostname
		                # NOTE: pourrait pourtant être utile pour lutter contre le spam
		        permit
		
		smtpd_sender_restrictions       =
		        permit_mynetworks
		        permit_tls_clientcerts
		        permit_sasl_authenticated
		        check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
		        check_sender_access hash:/etc/postfix/sender_blacklist
		        reject_unauth_pipelining
		        reject_non_fqdn_sender
		        #reject_unknown_sender_domain
		                # NOTE: temporaire
		        permit
		
		smtpd_client_new_tls_session_rate_limit = 0
		smtpd_client_event_limit_exceptions     = \$mynetworks
		smtpd_client_recipient_rate_limit       = 0
		smtpd_client_connection_count_limit     = 50
		smtpd_client_connection_rate_limit      = 0
		smtpd_client_message_rate_limit         = 0
		smtpd_client_port_logging               = no
		
		smtpd_client_restrictions               =
		        check_client_access hash:/etc/postfix/client_blacklist
		
		policy_time_limit                       = 3600
		default_extra_recipient_limit           = 5000
		duplicate_filter_limit                  = 5000
		smtpd_recipient_limit                   = 5000
		smtpd_recipient_overshoot_limit         = 5000
		smtpd_recipient_restrictions            =
		        reject_non_fqdn_recipient
		        #reject_invalid_hostname
		                # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
		                #       dans smtpd_helo_restrictions
		        reject_unknown_recipient_domain
		        #reject_non_fqdn_sender
		                # NOTE: dans smtpd_sender_restrictions
		        reject_unauth_pipelining
		                # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
		        permit_mynetworks
		        permit_tls_clientcerts
		        permit_sasl_authenticated
		        reject_unauth_destination
		                # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
		                #       ou quelqu'un pour lequel on tient lieu de backup_mx
		        check_policy_service inet:127.0.0.1:10023
		                # NOTE: Postgrey (greylisting)
		        check_policy_service unix:private/spfcheck
		        permit_auth_destination
		                # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
		                #       (voir permit_auth_destination) ; sans doute redondant
		        reject
		        #check_relay_domains <- removed from postfix
		        #reject_unknown_sender_domain
		                # aurait probablement été mieux dans smtpd_sender_restrictions
		        #reject_rbl_client bl.spamcop.net
		        #reject_rbl_client list.dsbl.org
		        #reject_rbl_client zen.spamhaus.org
		        #reject_rbl_client dnsbl.sorbs.net
		
		smtpd_data_restrictions                 =
		        reject_unauth_pipelining
		                # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
		        permit
		
		#smtpd_end_of_data_restrictions          =
		
		#smtpd_restriction_classes               =
		
		smtpd_error_sleep_time                  = 5
		        # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
		
		# SASL
		smtpd_sasl_auth_enable                  = yes
		smtpd_sasl_type                         = dovecot
		smtpd_sasl_path                         = private/auth
		smtpd_sasl_security_options             = noanonymous
		smtpd_sasl_domain                       = \$mydomain
		
		# SMTPD TLS
		smtpd_discard_ehlo_keywords             = starttls
		        # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
		        #       se mangent une erreur en tentant un starttls
		smtpd_tls_fingerprint_digest            = sha1
		        # sha512 ?
		smtpd_tls_mandatory_protocols           = TLSv1
		smtpd_tls_mandatory_ciphers             = high
		smtpd_tls_ciphers                       = high
		        # restrictif. s/high/medium/ ?
		smtpd_tls_CAfile                        = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
		smtpd_tls_CApath                        = /etc/postfix/\$mydomain/smtpd/tls/ca/
		smtpd_tls_cert_file                     = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
		smtpd_tls_key_file                      = /etc/postfix/\$mydomain/smtpd/tls/key.pem
		##
		#smtpd_tls_received_header               = no
		smtpd_tls_session_cache_database        =
		        btree:/var/lib/postfix/smtpd_tls_session_cache
		#smtpd_tls_session_cache_timeout         = 3600s
		smtpd_tls_security_level                = may
		        # Postfix 2.3 and later
		        # encrypt
		        #  Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
		        #  encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
		        #  SMTP server. Instead, this option should be used only on dedicated servers.
		smtpd_tls_loglevel                      = 1
		smtpd_tls_ccert_verifydepth             = 5
		smtpd_tls_auth_only                     = yes
		        # Pas d'AUTH SASL sans TLS
		smtpd_tls_ask_ccert                     = no
		smtpd_tls_req_ccert                     = no
		#smtpd_tls_always_issue_session_ids      = yes
		smtpd_peername_lookup                   = yes
		        # Nécessaire pour postgrey, etc
		smtpd_milters                           =
		non_smtpd_milters                       =
		line_length_limit                       = 2048
		queue_minfree                           = 0
		message_size_limit                      = 20480000
		#smtpd_enforce_tls    # NOTE: obsolète
		#smtpd_use_tls        # NOTE: obsolète
		#smtpd_tls_cipherlist # NOTE: obsolète
		
		readme_directory   = no
		#delay_warning_time = 4h
		        # NOTE: uncomment the previous line to generate "delayed mail" warnings
		#debug_peer_level   = 4
		#debug_peer_list    = .\$myhostname
		EOF
	mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
		auth_ssl_username_from_cert = yes
		listen = *
		log_timestamp = "%Y-%m-%d %H:%M:%S "
		mail_debug = yes
		mail_location = maildir:~/var/mail
		mail_privileged_group = mail
		passdb {
		  args = /home/%u/etc/dovecot/passwd
		  driver = passwd-file
		}
		protocols = imap
		service auth {
		  unix_listener /var/spool/postfix/private/auth {
		    group = postfix
		    mode = 0660
		    user = postfix
		  }
		  user = root
		}
		ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
		ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
		ssl_cipher_list = AES256-SHA
		ssl_key = </etc/dovecot/imap/tls/key.pem
		ssl_verify_client_cert = yes
		userdb {
		  driver = passwd
		}
		verbose_ssl = yes
		protocol lda {
		  auth_socket_path = /var/run/dovecot/auth-master
		  hostname = $vm_domainname
		  info_log_path = /var/log/dovecot/lda/info.log
		  log_path = /var/log/dovecot/lda/error.log
		  mail_plugins = sieve
		  postmaster_address = contact+dovecot+lda@$vm_domainname
		}
		EOF
	mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
		EOF
 }
rule_mail_install () {
	sudo apt-get install postfix postgrey dovecot
 }

rule=${1:-help}
${1+shift}
case $rule in
 (help);;
 (*)
	test "$(hostname --fqdn)" = "$vm_fqdn"
	set "${TRACE:+-x}"
	;;
 esac
rule_$rule "$@"