Modification : ateliers_host : continue LVM.
[lhc/ateliers.git] / ateliers_hosted
index 306bf2f..3359fb6 100755 (executable)
@@ -1,5 +1,5 @@
 #!/bin/sh
-set -e -f ${DRY_RUN:+-n} -u ${TRACE:+-x}
+set -e -f ${DRY_RUN:+-n} -u
 tool=${0%/*}
 . "$tool"/env.sh
 . "$tool"/inc.sh
@@ -12,24 +12,18 @@ rule_help () {
                             Voir \`$tool/ateliers_host' pour les utilitaires côté machine hôte.
                SYNTAX: $0 \$RULE \${RULE}_SYNTAX
                RULES:
-               $(sed -ne 's/^rule_\([^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$0")
+               $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/env.sh "$0")
                ENVIRONMENT:
-               $(sed -ne 's/^readonly \([^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0")
+                 TRACE # affiche les commandes avant leur exécution
+               $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0")
                EOF
  }
 
-rule_filesystem_mount () {
-       mountpoint /proc ||
-       mount -t proc proc /proc
-       mountpoint /sys ||
-       mount -t sysfs sys /sys
-       mountpoint /dev
- }
-rule_filesystem_unmount () {
-       ! mountpoint /proc ||
-       umount /proc
-       ! mountpoint /sys ||
-       umount /sys
+rule_filesystem_init () {
+       mk_reg mod= own= --append /etc/sysctl.conf <<-EOF
+               vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
+               vm.vfs_cache_pressure=50
+               EOF
  }
 rule_shell_source () {
        . /etc/profile
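Review bot: The sysctl line appended in rule_filesystem_init puts its note after the value (`vm.swappiness = 10 # NOTE: …`), but sysctl.conf(5) only treats lines that *begin* with `#` or `;` as comments, so the trailing text is presumably handed to sysctl as part of the value and the setting is likely to be rejected or misparsed — move the note to its own `#` line above the setting. The rule is also an unconditional `--append`; unless mk_reg deduplicates (inc.sh is not visible here), every run adds another copy of both lines, so a `grep -q '^vm.swappiness' /etc/sysctl.conf ||` guard like the one rule_network_init uses for /etc/hosts would make it idempotent.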
@@ -40,7 +34,7 @@ rule_network_init () {
                EOF
        grep -q " $vm\$" /etc/hosts ||
        mk_reg mod= own= --append /etc/hosts <<-EOF
-               127.0.0.1 $vm.local $vm
+               127.0.0.1 $vm_fqdn $vm
                EOF
        mk_reg mod= own= /etc/network/interfaces <<-EOF
                auto lo
@@ -93,9 +87,9 @@ rule_boot_init () {
        mk_reg mod= own= /etc/crypttab <<-EOF
                # <target name> <source device> <key file> <options>
                ${vm}_root_deciphered LABEL=${vm}_root ${vm}_root            luks
-               ${vm}_var_deciphered  LABEL=${vm}_var  ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
-               ${vm}_swap_deciphered LABEL=${vm}_swap ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
-               ${vm}_home_deciphered LABEL=${vm}_home ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
+               ${vm}_var_deciphered  LABEL=${vm}_var  ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
+               ${vm}_swap_deciphered LABEL=${vm}_swap ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
+               ${vm}_home_deciphered LABEL=${vm}_home ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
                EOF
        mk_reg mod= own= /etc/initramfs-tools/modules <<-EOF
                #loop
@@ -105,7 +99,7 @@ rule_boot_init () {
                aes-x86_64
                xts
                EOF
-       sed -i /etc/default/grub -e '/^GRUB_CMDLINE_LINUX=/d;r/dev/fd/3' 3<<-EOF
+       mk_reg mod= own= --append /etc/default/grub <<-EOF
                GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 resume=/dev/mapper/${vm}_swap_deciphered"
                EOF
  }
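Review bot: Replacing the sed with `mk_reg --append` on /etc/default/grub drops the step that deleted the existing `GRUB_CMDLINE_LINUX=` line, so the stock assignment stays and the file now carries two; because grub-mkconfig sources the file the appended one wins today, but each run presumably appends yet another copy unless mk_reg --append deduplicates (inc.sh not visible). Keep the delete ahead of the append, e.g. `sed -i -e '/^GRUB_CMDLINE_LINUX=/d' /etc/default/grub` immediately before the mk_reg, so the resulting file has exactly one `GRUB_CMDLINE_LINUX` line and the `resume=` device is unambiguous. rule_boot_init's body starts outside this hunk.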
@@ -114,11 +108,383 @@ rule_user_admin_add () { # SYNTAX: <name>
        ! id "$admin" || adduser "$admin"
        eval home="~$admin"
        adduser "$admin" sudo
-       mk_dir mod=0750 own="$admin:$admin" "$home"/etc
-       mk_dir mod=0700 own="$admin:$admin" "$home"/etc/ssh
        mk_reg mod=0400 own="$admin:$admin" "$home"/etc/ssh/authorized_keys <"$tool"/key/"$admin".ssh.pub
  }
-rule_users_init () {
+rule_user_mail_format () {
+       mk_dir mod=0770 own=root:adm /etc/skel/etc/procmail
+       mk_dir mod=0770 own=root:adm /etc/skel/var/mail
+       mk_dir mod=0770 own=root:adm /etc/skel/var/cache/procmail
+       mk_reg mod=0660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
+               # vim: ft=procmail
+               
+               # NOTE: paramètres passés par postfix
+               SENDER=\$1
+               RECIPIENT=\$2
+               USER=\$3
+               EXTENSION=\$4
+               DOMAIN=\$5
+               ORIGINAL_RECIPIENT=\$6
+               
+               PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
+               MAILDIR="\$HOME/var/mail/"
+               DEFAULT="\$MAILDIR"
+               #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
+               LOGFILE="/dev/null"
+               LOGABSTRACT=all
+               LOGABSTRACT
+               VERBOSE
+               SHELL=/bin/sh
+               SHELLMETAS=&|<>~;?*%{}
+               
+               # DESCRIPTION: supprime les doublons en fonction du champ Message-Id
+               #:0 Wh:            "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
+               #| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
+               
+               # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
+               EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
+                # NOTE: récupère l’adresse courriel dans le champ GECOS
+               FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
+                # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
+               :0
+               | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
+               
+               # DESCRIPTION: IMAP
+               #:0
+               #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
+               
+               # DESCRIPTION: UUCP
+               #:0
+               #| /usr/bin/uux \
+               # -I "\$HOME/etc/uucp/uucp.cfg" \
+               # --nouucico \
+               # --notification=error \
+               # --requestor "\$USER" \
+               # - "\$USER!rmail" "(\$USER)"
+               EOF
+       mk_reg mod=0664 own=root:root /etc/postfix/main.cf <<-EOF
+               # /etc/postfix/main.cf
+               # SEE: http://postfix.traduc.org/index.php/TLS_README.html
+               
+               parent_domain_matches_subdomains =
+                       #debug_peer_list
+                       #fast_flush_domains
+                       #mynetworks
+                       #permit_mx_backup_networks
+                       #qmqpd_authorized_clients
+                       #smtpd_access_maps
+               mydomain                         = $vm_domainname
+               myorigin                         = \$mydomain
+               myhostname                       = $vm_hostname.\$mydomain
+               mail_name                        = \$myhostname
+               mydestination                    =
+                       $vm_hostname
+                       \$myhostname
+                       \$myorigin
+               mynetworks                       =
+                       127.0.0.0/8
+                       #[::1]/128
+               inet_protocols = ipv4
+                       # "all" to activate IPv6
+               inet_interfaces                  = all
+               permit_mx_backup_networks        =
+               
+               alias_database         =
+                       hash:/etc/aliases
+                       # NOTE: fichier de hash contenant une table d’alias mail.
+                       #       Celle-ci est éditable dans /etc/aliases, puis (indispensable)
+                       #       regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
+               alias_maps             =
+                       hash:/etc/aliases
+               recipient_delimiter    = +
+                       # NOTE: séparateur entre le nom d’utilisateur
+                       #       et les extensions d’adresse (par défaut le signe +).
+               #virtual_alias_domains  =
+               virtual_alias_maps     =
+                       hash:/etc/postfix/\$mydomain/virtual
+                       # NOTE: do not specify virtual alias domain names in  the  main.cf
+                       #       mydestination or relay_domains configuration parameters.
+                       #
+                       # With  a  virtual  alias  domain,  the  Postfix SMTP server
+                       # accepts  mail  for  known-user@virtual-alias.domain,   and
+                       # rejects   mail  for  unknown-user@virtual-alias.domain  as
+                       # undeliverable.
+               #relayhost              =
+               relay_clientcerts      =
+                       hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
+               relay_domains          =
+                       \$mydestination
+                               # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
+                               #       pas dans mydestination ou virtual_alias...
+               
+               maximal_queue_lifetime = 5d
+               
+               header_checks        =
+                       regexp:/etc/postfix/\$mydomain/header_checks
+               mime_header_checks   =
+               nested_header_checks =
+               milter_header_checks =
+               body_checks          =
+               
+               #content_filter               = amavisfeed:[127.0.0.1]:10024
+               #receive_override_options     = no_address_mappings
+                       # no_unknown_recipient_checks
+                       #         Do not try to reject unknown recipients (SMTP server only).
+                       #         This is typically specified AFTER an external content filter.
+                       # no_address_mappings
+                       #         Disable canonical address mapping, virtual alias map expansion,
+                       #         address masquerading, and automatic BCC (blind carbon-copy) recipients.
+                       #         This is typically specified BEFORE an external content filter (eg. amavis).
+                       # no_header_body_checks
+                       #         Disable header/body_checks. This is typically specified AFTER an external content filter.
+                       # no_milters
+                       #         Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
+               #local_header_rewrite_clients =
+               transport_maps                =
+                       hash:/etc/postfix/\$mydomain/transport_maps
+               mailbox_command               =
+                       /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
+               mailbox_size_limit            = 0
+               biff                          = no
+                       # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
+               append_dot_mydomain           = no
+                       # appending .domain is the MUA's job.
+               
+               #tls_random_source             =
+               #       dev:/dev/urandom
+                       # Non-blocking
+               #tls_random_reseed_period      = 3600s
+               #tls_random_exchange_name      =
+               #       \${data_directory}/prng_exch
+                       # NOTE: à ne pas mettre dans la cage chroot
+               #tls_random_bytes              = 32
+               #tls_random_prng_update_period = 3600s
+               #tls_high_cipherlist           = AES256-SHA
+                       # NOTE: postconf(5) déconseille de changer ceci
+               
+               #smtp_cname_overrides_servername = no
+               smtp_connect_timeout            = 60s
+               #smtp_tls_CAfile                 = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
+               #smtp_tls_CApath                 = /etc/postfix/\$mydomain/smtp/tls/ca/
+               #smtp_tls_cert_file              = /etc/postfix/\$mydomain/smtp/tls/crt.pem
+               #smtp_tls_key_file               = /etc/postfix/\$mydomain/smtp/tls/key.pem
+               #smtp_tls_per_site               = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
+                       # NOTE: déprécié en faveur de smtp_tls_policy_maps
+               smtp_tls_policy_maps            = hash:/etc/postfix/\$mydomain/smtp/tls/policy
+               smtp_tls_fingerprint_digest     = sha1
+               smtp_tls_scert_verifydepth      = 5
+               #smtp_tls_secure_cert_match      = nexthop, dot-nexthop
+               #smtp_tls_verify_cert_match      = hostname
+               #smtp_tls_note_starttls_offer    = yes
+               smtp_tls_loglevel               = 1
+               smtp_tls_protocols              = !SSLv2, !SSLv3
+                       # Only allow TLSv*
+               smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
+               #smtp_tls_session_cache_timeout  = 3600s
+               smtp_tls_security_level         = may
+               smtp_header_checks              = regexp:/etc/postfix/\$mydomain/smtp/header_checks
+               smtp_body_checks                =
+               smtp_mime_header_checks         =
+               smtp_nested_header_checks       =
+               
+               smtpd_starttls_timeout                  = 300s
+               smtpd_banner                            =
+                \$myhostname ESMTP \$mail_name (Debian/GNU)
+               
+               # Restrictions
+               smtpd_helo_required             = yes
+               strict_rfc821_envelopes         = yes
+               smtpd_authorized_xclient_hosts  = 127.0.0.1
+                       # NOTE: utile pour tester les restrictions
+               
+               smtpd_helo_restrictions         =
+                       reject_invalid_helo_hostname
+                       reject_non_fqdn_helo_hostname
+                       #reject_unknown_helo_hostname
+                               # NOTE: pourrait pourtant être utile pour lutter contre le spam
+                       permit
+               
+               smtpd_sender_restrictions       =
+                       permit_mynetworks
+                       permit_tls_clientcerts
+                       permit_sasl_authenticated
+                       check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
+                       check_sender_access hash:/etc/postfix/sender_blacklist
+                       reject_unauth_pipelining
+                       reject_non_fqdn_sender
+                       #reject_unknown_sender_domain
+                               # NOTE: temporaire
+                       permit
+               
+               smtpd_client_new_tls_session_rate_limit = 0
+               smtpd_client_event_limit_exceptions     = \$mynetworks
+               smtpd_client_recipient_rate_limit       = 0
+               smtpd_client_connection_count_limit     = 50
+               smtpd_client_connection_rate_limit      = 0
+               smtpd_client_message_rate_limit         = 0
+               smtpd_client_port_logging               = no
+               
+               smtpd_client_restrictions               =
+                       check_client_access hash:/etc/postfix/client_blacklist
+               
+               policy_time_limit                       = 3600
+               default_extra_recipient_limit           = 5000
+               duplicate_filter_limit                  = 5000
+               smtpd_recipient_limit                   = 5000
+               smtpd_recipient_overshoot_limit         = 5000
+               smtpd_recipient_restrictions            =
+                       reject_non_fqdn_recipient
+                       #reject_invalid_hostname
+                               # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
+                               #       dans smtpd_helo_restrictions
+                       reject_unknown_recipient_domain
+                       #reject_non_fqdn_sender
+                               # NOTE: dans smtpd_sender_restrictions
+                       reject_unauth_pipelining
+                               # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
+                       permit_mynetworks
+                       permit_tls_clientcerts
+                       permit_sasl_authenticated
+                       reject_unauth_destination
+                               # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
+                               #       ou quelqu'un pour lequel on tient lieu de backup_mx
+                       check_policy_service inet:127.0.0.1:10023
+                               # NOTE: Postgrey (greylisting)
+                       check_policy_service unix:private/spfcheck
+                       permit_auth_destination
+                               # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
+                               #       (voir permit_auth_destination) ; sans doute redondant
+                       reject
+                       #check_relay_domains <- removed from postfix
+                       #reject_unknown_sender_domain
+                               # aurait probablement été mieux dans smtpd_sender_restrictions
+                       #reject_rbl_client bl.spamcop.net
+                       #reject_rbl_client list.dsbl.org
+                       #reject_rbl_client zen.spamhaus.org
+                       #reject_rbl_client dnsbl.sorbs.net
+               
+               smtpd_data_restrictions                 =
+                       reject_unauth_pipelining
+                               # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
+                       permit
+               
+               #smtpd_end_of_data_restrictions          =
+               
+               #smtpd_restriction_classes               =
+               
+               smtpd_error_sleep_time                  = 5
+                       # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
+               
+               # SASL
+               smtpd_sasl_auth_enable                  = yes
+               smtpd_sasl_type                         = dovecot
+               smtpd_sasl_path                         = private/auth
+               smtpd_sasl_security_options             = noanonymous
+               smtpd_sasl_domain                       = \$mydomain
+               
+               # SMTPD TLS
+               smtpd_discard_ehlo_keywords             = starttls
+                       # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
+                       #       se mangent une erreur en tentant un starttls
+               smtpd_tls_fingerprint_digest            = sha1
+                       # sha512 ?
+               smtpd_tls_mandatory_protocols           = TLSv1
+               smtpd_tls_mandatory_ciphers             = high
+               smtpd_tls_ciphers                       = high
+                       # restrictif. s/high/medium/ ?
+               smtpd_tls_CAfile                        = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
+               smtpd_tls_CApath                        = /etc/postfix/\$mydomain/smtpd/tls/ca/
+               smtpd_tls_cert_file                     = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
+               smtpd_tls_key_file                      = /etc/postfix/\$mydomain/smtpd/tls/key.pem
+               ##
+               #smtpd_tls_received_header               = no
+               smtpd_tls_session_cache_database        =
+                       btree:/var/lib/postfix/smtpd_tls_session_cache
+               #smtpd_tls_session_cache_timeout         = 3600s
+               smtpd_tls_security_level                = may
+                       # Postfix 2.3 and later
+                       # encrypt
+                       #  Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
+                       #  encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
+                       #  SMTP server. Instead, this option should be used only on dedicated servers.
+               smtpd_tls_loglevel                      = 1
+               smtpd_tls_ccert_verifydepth             = 5
+               smtpd_tls_auth_only                     = yes
+                       # Pas d'AUTH SASL sans TLS
+               smtpd_tls_ask_ccert                     = no
+               smtpd_tls_req_ccert                     = no
+               #smtpd_tls_always_issue_session_ids      = yes
+               smtpd_peername_lookup                   = yes
+                       # Nécessaire pour postgrey, etc
+               smtpd_milters                           =
+               non_smtpd_milters                       =
+               line_length_limit                       = 2048
+               queue_minfree                           = 0
+               message_size_limit                      = 20480000
+               #smtpd_enforce_tls    # NOTE: obsolète
+               #smtpd_use_tls        # NOTE: obsolète
+               #smtpd_tls_cipherlist # NOTE: obsolète
+               
+               readme_directory   = no
+               #delay_warning_time = 4h
+                       # NOTE: uncomment the previous line to generate "delayed mail" warnings
+               #debug_peer_level   = 4
+               #debug_peer_list    = .\$myhostname
+               EOF
+       mk_reg mod=0664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
+               auth_ssl_username_from_cert = yes
+               listen = *
+               log_timestamp = "%Y-%m-%d %H:%M:%S "
+               mail_debug = yes
+               mail_location = maildir:~/var/mail
+               mail_privileged_group = mail
+               passdb {
+                 args = /home/%u/etc/dovecot/passwd
+                 driver = passwd-file
+               }
+               protocols = imap
+               service auth {
+                 unix_listener /var/spool/postfix/private/auth {
+                   group = postfix
+                   mode = 0660
+                   user = postfix
+                 }
+                 user = root
+               }
+               ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
+               ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
+               ssl_cipher_list = AES256-SHA
+               ssl_key = </etc/dovecot/imap/tls/key.pem
+               ssl_verify_client_cert = yes
+               userdb {
+                 driver = passwd
+               }
+               verbose_ssl = yes
+               protocol lda {
+                 auth_socket_path = /var/run/dovecot/auth-master
+                 hostname = $vm_domainname
+                 info_log_path = /var/log/dovecot/lda/info.log
+                 log_path = /var/log/dovecot/lda/error.log
+                 mail_plugins = sieve
+                 postmaster_address = contact+dovecot+lda@$vm_domainname
+               }
+               EOF
+       mk_reg mod=0664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
+               
+               EOF
+ }
+rule_mail_install () {
+       sudo apt-get install postfix postgrey dovecot
+ }
+rule_user_format () {
+       mk_dir mod=0750 own="root:adm" /etc/skel/etc
+       mk_dir mod=0770 own="root:adm" /etc/skel/etc/apache2
+       mk_dir mod=0770 own="root:adm" /etc/skel/etc/ssh
+       mk_dir mod=0700 own="root:adm" /etc/skel/var
+       mk_dir mod=0700 own="root:adm" /etc/skel/var/log
+       mk_dir mod=0700 own="root:adm" /etc/skel/var/cache
+       mk_dir mod=0700 own="root:adm" /etc/skel/var/cache/ssh
+       mk_dir mod=0700 own="root:adm" /etc/skel/tmp
+       mk_dir mod=0700 own="root:adm" /etc/skel/tmp
        mk_reg mod=0664 own=root:root /etc/ssh/sshd_config <<-EOF
                ListenAddress $vm_ipv4
                #ListenAddress ::
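Review bot: rule_user_format creates `/etc/skel/etc/ssh` as mode 0770 while the explicit `mk_dir mod=0700 … "$home"/etc/ssh` in rule_user_admin_add is removed, so the directory holding each admin's authorized_keys is now group-writable; if adduser preserves skel modes (Debian's does) and sshd runs with the default `StrictModes yes`, it will refuse the key file with "bad ownership or modes" and key login silently fails — use `mk_dir mod=0700 own="root:adm" /etc/skel/etc/ssh` (or keep the per-admin mk_dir). In the Postfix section, `smtpd_discard_ehlo_keywords = starttls` hides STARTTLS from every client while `smtpd_tls_auth_only = yes` only offers AUTH after TLS, so on this listener no client can authenticate and opportunistic senders fall back to cleartext, contrary to the comment's intent; drop that line unless a submission service in master.cf (not visible) overrides it. `smtpd_tls_mandatory_protocols = TLSv1` pins mandatory TLS to TLS 1.0 only (Postfix treats a bare protocol name as an allow-list), so align it with the smtp side as `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3`, and change both `*_tls_fingerprint_digest = sha1` to `sha256` as the adjacent "sha512 ?" comment already hints. Dovecot's `ssl_cipher_list = AES256-SHA` is a single RSA-key-exchange CBC suite with no forward secrecy and `mail_debug = yes` leaves verbose logging on; both deserve a comment or a saner default. rule_user_format's body continues past the end of the hunk.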
@@ -165,6 +531,15 @@ rule_users_init () {
        mk_reg mod=0440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
                %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
                EOF
+       mk_reg mod=0440 own=root:root /etc/sudoers.d/env_keep <<-EOF
+               Defaults env_keep = " \
+                 EDITOR \
+                 GIT_AUTHOR_NAME \
+                 GIT_AUTHOR_EMAIL \
+                 GIT_COMMITTER_NAME \
+                 GIT_COMMITTER_EMAIL \
+                "
+               EOF
        mk_reg mod=0555 own=root:root /usr/local/sbin/passwd-init <<-EOF
                #!/bin/sh
                sudo /bin/sh -e -f -u -c \
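Review bot: `Defaults env_keep = "…"` with a bare `=` replaces sudo's whole env_keep list rather than extending it, so the compiled-in entries sudoers(5) lists (DISPLAY, LANG/LC_*, etc. — exact set depends on the build) are dropped for every sudo invocation on the host; the intent here is clearly additive, so write `Defaults env_keep += " \` on the first line of the heredoc. Keeping EDITOR across sudo is acceptable on this host only because the members of %sudo already have `ALL=(ALL)` per the surrounding file, which a one-line comment in the sudoers fragment should state so a later tightening of the sudo rules revisits it. rule_users_init's body starts and ends outside this hunk.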
@@ -177,4 +552,5 @@ rule_kernel_init () {
 
 rule=${1:-help}
 ${1+shift}
+set "${TRACE:+-x}"
 rule_$rule "$@"
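Review bot: `set "${TRACE:+-x}"` breaks the rule arguments when TRACE is unset: the quoted expansion yields an empty word, so the shell runs `set ""`, which replaces the positional parameters with a single empty string, and `rule_$rule "$@"` then receives `""` as its first argument instead of the arguments passed after `${1+shift}`. Either drop the quotes (`set ${TRACE:+-x}` — safe here because `-f` is already on, so no globbing) or make it explicit with `[ -z "${TRACE:-}" ] || set -x`. Since TRACE is now consumed only here, a short comment noting that tracing deliberately starts after env.sh/inc.sh are sourced would explain why the flag left the first `set` line.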