X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=ateliers_hosted;fp=ateliers_hosted;h=0000000000000000000000000000000000000000;hp=3359fb69f0bfef484977b14ca99d8e19c22fcff0;hb=1f1550e467bccfbac8a8f88b93db6355745794be;hpb=e58848826c6f91c60902c1a095407e1a5e2d1255 diff --git a/ateliers_hosted b/ateliers_hosted deleted file mode 100755 index 3359fb6..0000000 --- a/ateliers_hosted +++ /dev/null @@ -1,556 +0,0 @@ -#!/bin/sh -set -e -f ${DRY_RUN:+-n} -u -tool=${0%/*} -. "$tool"/env.sh -. "$tool"/inc.sh - -rule_help () { - cat >&2 <<-EOF - DESCRIPTION: ce script regroupe des fonctions utilitaires - pour gérer la VM des ateliers _depuis_ la VM hébergée ; - il sert à la fois d'outil et de documentation. - Voir \`$tool/ateliers_host' pour les utilitaires côté machine hôte. - SYNTAX: $0 \$RULE \${RULE}_SYNTAX - RULES: - $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/env.sh "$0") - ENVIRONMENT: - TRACE # affiche les commandes avant leur exécution - $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0") - EOF - } - -rule_filesystem_init () { - mk_reg mod= own= --append /etc/sysctl.conf <<-EOF - vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité - vm.vfs_cache_pressure=50 - EOF - } -rule_shell_source () { - . /etc/profile - } -rule_network_init () { - mk_reg mod= own= /etc/hostname <<-EOF - $vm - EOF - grep -q " $vm\$" /etc/hosts || - mk_reg mod= own= --append /etc/hosts <<-EOF - 127.0.0.1 $vm_fqdn $vm - EOF - mk_reg mod= own= /etc/network/interfaces <<-EOF - auto lo - iface lo inet loopback - - auto eth0=grenode - iface grenode inet static - address $vm_ipv4 - gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse - network $vm_ipv4 - broadcast $vm_ipv4 - netmask 255.255.255.255 - mtu 1300 # TODO: voir si c'est nécessaire à Lyon - up ip address add $vm_ipv4/32 dev \$IFACE - down ip address delete $vm_ipv4/32 dev \$IFACE - EOF - } -rule_apt_init () { - mk_reg mod= own= /etc/apt/sources.list <<-EOF - deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free - EOF - mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF - deb http://nightly.openerp.com/trunk/nightly/deb/ ./ - EOF - mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF - deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free - EOF - mk_reg mod= own= /etc/apt/preferences <<-EOF - Package: * - Pin: release a=$vm_lsb_name - Pin-Priority: 170 - - Package: * - Pin: release a=$vm_lsb_name-backports - Pin-Priority: 200 - EOF - } -rule_boot_init () { - mk_reg mod= own= /etc/fstab <<-EOF - # - LABEL=boot /boot ext2 defaults,no-auto 0 0 - proc /proc proc defaults 0 0 - sysfs /sys sysfs defaults 0 0 - tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0 - /dev/mapper/${vm}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1 - /dev/mapper/${vm}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1 - /dev/mapper/${vm}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0 - /dev/mapper/${vm}_swap_deciphered swap swap sw 0 0 - EOF - mk_reg mod= own= /etc/crypttab <<-EOF - # - ${vm}_root_deciphered LABEL=${vm}_root ${vm}_root luks - ${vm}_var_deciphered LABEL=${vm}_var ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm}_swap_deciphered LABEL=${vm}_swap ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm}_home_deciphered LABEL=${vm}_home ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - EOF - mk_reg mod= own= /etc/initramfs-tools/modules <<-EOF - #loop - sha1_generic - sha256_generic - sha512_generic - aes-x86_64 - xts - EOF - mk_reg mod= own= --append /etc/default/grub <<-EOF - GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 resume=/dev/mapper/${vm}_swap_deciphered" - EOF - } -rule_user_admin_add () { # SYNTAX: - admin=$1 - ! id "$admin" || adduser "$admin" - eval home="~$admin" - adduser "$admin" sudo - mk_reg mod=0400 own="$admin:$admin" "$home"/etc/ssh/authorized_keys <"$tool"/key/"$admin".ssh.pub - } -rule_user_mail_format () { - mk_dir mod=0770 own=root:adm /etc/skel/etc/procmail - mk_dir mod=0770 own=root:adm /etc/skel/var/mail - mk_dir mod=0770 own=root:adm /etc/skel/var/cache/procmail - mk_reg mod=0660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF - # vim: ft=procmail - - # NOTE: paramètres passés par postfix - SENDER=\$1 - RECIPIENT=\$2 - USER=\$3 - EXTENSION=\$4 - DOMAIN=\$5 - ORIGINAL_RECIPIENT=\$6 - - PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin" - MAILDIR="\$HOME/var/mail/" - DEFAULT="\$MAILDIR" - #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"` - LOGFILE="/dev/null" - LOGABSTRACT=all - LOGABSTRACT - VERBOSE - SHELL=/bin/sh - SHELLMETAS=&|<>~;?*%{} - - # DESCRIPTION: supprime les doublons en fonction du champ Message-Id - #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT" - #| formail -D 8192 "\$HOME/var/cache/procmail/msgid" - - # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward - EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"` - # NOTE: récupère l’adresse courriel dans le champ GECOS - FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'` - # NOTE: récupère l’expéditeur inscrit sur l’enveloppe - :0 - | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}" - - # DESCRIPTION: IMAP - #:0 - #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT" - - # DESCRIPTION: UUCP - #:0 - #| /usr/bin/uux \ - # -I "\$HOME/etc/uucp/uucp.cfg" \ - # --nouucico \ - # --notification=error \ - # --requestor "\$USER" \ - # - "\$USER!rmail" "(\$USER)" - EOF - mk_reg mod=0664 own=root:root /etc/postfix/main.cf <<-EOF - # /etc/postfix/main.cf - # SEE: http://postfix.traduc.org/index.php/TLS_README.html - - parent_domain_matches_subdomains = - #debug_peer_list - #fast_flush_domains - #mynetworks - #permit_mx_backup_networks - #qmqpd_authorized_clients - #smtpd_access_maps - mydomain = $vm_domainname - myorigin = \$mydomain - myhostname = $vm_hostname.\$mydomain - mail_name = \$myhostname - mydestination = - $vm_hostname - \$myhostname - \$myorigin - mynetworks = - 127.0.0.0/8 - #[::1]/128 - inet_protocols = ipv4 - # "all" to activate IPv6 - inet_interfaces = all - permit_mx_backup_networks = - - alias_database = - hash:/etc/aliases - # NOTE: fichier de hash contenant une table d’alias mail. - # Celle-ci est éditable dans /etc/aliases, puis (indispensable) - # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db - alias_maps = - hash:/etc/aliases - recipient_delimiter = + - # NOTE: séparateur entre le nom d’utilisateur - # et les extensions d’adresse (par défaut le signe +). - #virtual_alias_domains = - virtual_alias_maps = - hash:/etc/postfix/\$mydomain/virtual - # NOTE: do not specify virtual alias domain names in the main.cf - # mydestination or relay_domains configuration parameters. - # - # With a virtual alias domain, the Postfix SMTP server - # accepts mail for known-user@virtual-alias.domain, and - # rejects mail for unknown-user@virtual-alias.domain as - # undeliverable. - #relayhost = - relay_clientcerts = - hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts - relay_domains = - \$mydestination - # NOTE: ajouter les domaines pour lesquels on est backup MX ici, - # pas dans mydestination ou virtual_alias... - - maximal_queue_lifetime = 5d - - header_checks = - regexp:/etc/postfix/\$mydomain/header_checks - mime_header_checks = - nested_header_checks = - milter_header_checks = - body_checks = - - #content_filter = amavisfeed:[127.0.0.1]:10024 - #receive_override_options = no_address_mappings - # no_unknown_recipient_checks - # Do not try to reject unknown recipients (SMTP server only). - # This is typically specified AFTER an external content filter. - # no_address_mappings - # Disable canonical address mapping, virtual alias map expansion, - # address masquerading, and automatic BCC (blind carbon-copy) recipients. - # This is typically specified BEFORE an external content filter (eg. amavis). - # no_header_body_checks - # Disable header/body_checks. This is typically specified AFTER an external content filter. - # no_milters - # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter. - #local_header_rewrite_clients = - transport_maps = - hash:/etc/postfix/\$mydomain/transport_maps - mailbox_command = - /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc" - mailbox_size_limit = 0 - biff = no - # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no). - append_dot_mydomain = no - # appending .domain is the MUA's job. - - #tls_random_source = - # dev:/dev/urandom - # Non-blocking - #tls_random_reseed_period = 3600s - #tls_random_exchange_name = - # \${data_directory}/prng_exch - # NOTE: à ne pas mettre dans la cage chroot - #tls_random_bytes = 32 - #tls_random_prng_update_period = 3600s - #tls_high_cipherlist = AES256-SHA - # NOTE: postconf(5) déconseille de changer ceci - - #smtp_cname_overrides_servername = no - smtp_connect_timeout = 60s - #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem - #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/ - #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem - #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem - #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site - # NOTE: déprécié en faveur de smtp_tls_policy_maps - smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy - smtp_tls_fingerprint_digest = sha1 - smtp_tls_scert_verifydepth = 5 - #smtp_tls_secure_cert_match = nexthop, dot-nexthop - #smtp_tls_verify_cert_match = hostname - #smtp_tls_note_starttls_offer = yes - smtp_tls_loglevel = 1 - smtp_tls_protocols = !SSLv2, !SSLv3 - # Only allow TLSv* - smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache - #smtp_tls_session_cache_timeout = 3600s - smtp_tls_security_level = may - smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks - smtp_body_checks = - smtp_mime_header_checks = - smtp_nested_header_checks = - - smtpd_starttls_timeout = 300s - smtpd_banner = - \$myhostname ESMTP \$mail_name (Debian/GNU) - - # Restrictions - smtpd_helo_required = yes - strict_rfc821_envelopes = yes - smtpd_authorized_xclient_hosts = 127.0.0.1 - # NOTE: utile pour tester les restrictions - - smtpd_helo_restrictions = - reject_invalid_helo_hostname - reject_non_fqdn_helo_hostname - #reject_unknown_helo_hostname - # NOTE: pourrait pourtant être utile pour lutter contre le spam - permit - - smtpd_sender_restrictions = - permit_mynetworks - permit_tls_clientcerts - permit_sasl_authenticated - check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access - check_sender_access hash:/etc/postfix/sender_blacklist - reject_unauth_pipelining - reject_non_fqdn_sender - #reject_unknown_sender_domain - # NOTE: temporaire - permit - - smtpd_client_new_tls_session_rate_limit = 0 - smtpd_client_event_limit_exceptions = \$mynetworks - smtpd_client_recipient_rate_limit = 0 - smtpd_client_connection_count_limit = 50 - smtpd_client_connection_rate_limit = 0 - smtpd_client_message_rate_limit = 0 - smtpd_client_port_logging = no - - smtpd_client_restrictions = - check_client_access hash:/etc/postfix/client_blacklist - - policy_time_limit = 3600 - default_extra_recipient_limit = 5000 - duplicate_filter_limit = 5000 - smtpd_recipient_limit = 5000 - smtpd_recipient_overshoot_limit = 5000 - smtpd_recipient_restrictions = - reject_non_fqdn_recipient - #reject_invalid_hostname - # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname - # dans smtpd_helo_restrictions - reject_unknown_recipient_domain - #reject_non_fqdn_sender - # NOTE: dans smtpd_sender_restrictions - reject_unauth_pipelining - # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions - permit_mynetworks - permit_tls_clientcerts - permit_sasl_authenticated - reject_unauth_destination - # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous - # ou quelqu'un pour lequel on tient lieu de backup_mx - check_policy_service inet:127.0.0.1:10023 - # NOTE: Postgrey (greylisting) - check_policy_service unix:private/spfcheck - permit_auth_destination - # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné - # (voir permit_auth_destination) ; sans doute redondant - reject - #check_relay_domains <- removed from postfix - #reject_unknown_sender_domain - # aurait probablement été mieux dans smtpd_sender_restrictions - #reject_rbl_client bl.spamcop.net - #reject_rbl_client list.dsbl.org - #reject_rbl_client zen.spamhaus.org - #reject_rbl_client dnsbl.sorbs.net - - smtpd_data_restrictions = - reject_unauth_pipelining - # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK - permit - - #smtpd_end_of_data_restrictions = - - #smtpd_restriction_classes = - - smtpd_error_sleep_time = 5 - # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes. - - # SASL - smtpd_sasl_auth_enable = yes - smtpd_sasl_type = dovecot - smtpd_sasl_path = private/auth - smtpd_sasl_security_options = noanonymous - smtpd_sasl_domain = \$mydomain - - # SMTPD TLS - smtpd_discard_ehlo_keywords = starttls - # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste - # se mangent une erreur en tentant un starttls - smtpd_tls_fingerprint_digest = sha1 - # sha512 ? - smtpd_tls_mandatory_protocols = TLSv1 - smtpd_tls_mandatory_ciphers = high - smtpd_tls_ciphers = high - # restrictif. s/high/medium/ ? - smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem - smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/ - smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem - smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem - ## - #smtpd_tls_received_header = no - smtpd_tls_session_cache_database = - btree:/var/lib/postfix/smtpd_tls_session_cache - #smtpd_tls_session_cache_timeout = 3600s - smtpd_tls_security_level = may - # Postfix 2.3 and later - # encrypt - # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS - # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced - # SMTP server. Instead, this option should be used only on dedicated servers. - smtpd_tls_loglevel = 1 - smtpd_tls_ccert_verifydepth = 5 - smtpd_tls_auth_only = yes - # Pas d'AUTH SASL sans TLS - smtpd_tls_ask_ccert = no - smtpd_tls_req_ccert = no - #smtpd_tls_always_issue_session_ids = yes - smtpd_peername_lookup = yes - # Nécessaire pour postgrey, etc - smtpd_milters = - non_smtpd_milters = - line_length_limit = 2048 - queue_minfree = 0 - message_size_limit = 20480000 - #smtpd_enforce_tls # NOTE: obsolète - #smtpd_use_tls # NOTE: obsolète - #smtpd_tls_cipherlist # NOTE: obsolète - - readme_directory = no - #delay_warning_time = 4h - # NOTE: uncomment the previous line to generate "delayed mail" warnings - #debug_peer_level = 4 - #debug_peer_list = .\$myhostname - EOF - mk_reg mod=0664 own=root:root /etc/dovecot/dovecot.conf <<-EOF - auth_ssl_username_from_cert = yes - listen = * - log_timestamp = "%Y-%m-%d %H:%M:%S " - mail_debug = yes - mail_location = maildir:~/var/mail - mail_privileged_group = mail - passdb { - args = /home/%u/etc/dovecot/passwd - driver = passwd-file - } - protocols = imap - service auth { - unix_listener /var/spool/postfix/private/auth { - group = postfix - mode = 0660 - user = postfix - } - user = root - } - ssl_ca =