From e58848826c6f91c60902c1a095407e1a5e2d1255 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 14 Feb 2013 23:52:31 +0100 Subject: [PATCH] Modification : ateliers_host : continue LVM. --- ateliers_host | 104 ++++++++----- ateliers_hosted | 399 ++++++++++++++++++++++++++++++++++++++++++++++-- env.sh | 21 ++- inc.sh | 4 +- workflow.txt | 9 ++ 5 files changed, 483 insertions(+), 54 deletions(-) create mode 100644 workflow.txt diff --git a/ateliers_host b/ateliers_host index f671a97..46ef940 100755 --- a/ateliers_host +++ b/ateliers_host @@ -3,6 +3,7 @@ set -e -f ${DRY_RUN:+-n} -u tool=${0%/*} . "$tool"/env.sh +. "$tool"/inc.sh rule_help () { cat >&2 <<-EOF @@ -12,14 +13,14 @@ rule_help () { Voir \`$tool/ateliers_hosted' pour les utilitaires côté VM hébergée. SYNTAX: $0 \$RULE \${RULE}_SYNTAX RULES: - $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$0") + $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/env.sh "$0") ENVIRONMENT: TRACE # affiche les commandes avant leur exécution $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0") EOF } -readonly vm_dev_disk="/dev/xvda" +readonly vm_dev_disk=/dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g') readonly vm_dev_disk_boot="${vm_dev_disk}1" rule_xen_config_init () { @@ -62,8 +63,8 @@ rule_xen_off () { } rule_disk_mount () { # DESCRIPTION: montage du disque de la VM depuis l'hôte - sudo xm block-attach 0 phy:/dev/domU/$vm_fqdn-disk $vm_dev_disk w - # NOTE: on pourrait utiliser kpartx à la place je pense ; détail. + sudo kpartx -a -v /dev/domU/$vm_fqdn-disk + #sudo xm block-attach 0 phy:/dev/domU/$vm_fqdn-disk $vm_dev_disk w } rule_disk_umount () { # DESCRIPTION: démontage du disque de la VM depuis l'hôte rule_part_boot_umount 
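Review bot: The new `readonly vm_dev_disk=/dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g')` encodes two naming conventions that a reader cannot recover from the line itself, so it deserves a comment above it, e.g. `# NOTE: device-mapper exposes LV <vg>/<lv> as <vg>-<lv> with every '-' inside the names doubled; kpartx then appends the partition number to that dm name, which is what vm_dev_disk_boot="${vm_dev_disk}1" relies on`. As far as I recall kpartx inserts a `p` before the number when the dm name ends in a digit; since `$vm_fqdn-disk` always ends in `disk` that case cannot arise here, which is worth stating in the same comment so nobody "fixes" the suffix later.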
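Review bot: After `sudo kpartx -a -v /dev/domU/$vm_fqdn-disk` nothing verifies that the partition mappings the later rules depend on actually appeared, so a kpartx that only warns and exits 0 leaves rule_part_boot_mount failing much later on a missing device. I would make the rule assert its postcondition: `test -b "$vm_dev_disk_boot" || { printf '%s\n' "missing mapping $vm_dev_disk_boot" >&2; exit 1; }`. The same check belongs after `sudo kpartx -u -v /dev/domU/$vm_fqdn-disk` in rule_disk_format (hunk @@ -130,7), where — depending on the installed kpartx version — `-u` may only refresh existing mappings and silently skip partitions that the new table introduced. The commented-out `#sudo xm block-attach` line is dead code now that the `XXX` comment in rule_disk_umount records the alternative; rule_disk_umount itself continues past the end of this hunk.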
@@ -78,27 +79,32 @@ rule_disk_umount () { # DESCRIPTION: démontage du disque de la VM depuis l'hôt ;; (*) exit 1;; esac - sudo xm block-detach 0 $vm_dev_disk + sudo kpartx -d -v /dev/domU/$vm_fqdn-disk + #sudo xm block-detach 0 $vm_dev_disk + # XXX: DANGEREUX ; si jamais il bloque parce que le disque était encore utilisé : + # utiliser xm block-detach 0 $vm_dev_disk --force ; + # ôter les éventuels mappages LVM concernés avec dmsetup table et dmsetup remove --force ; + # ôter les mappages concernés dans /etc/lvm/cache/.cache, + # et pour bien trouver tous les mappages : + # % sudo find /dev -type l -exec sh -c 'printf "%s -> " "$@"; readlink "$@"' - {} \; | grep $vm_dev_disk + # enfin, ôter l'éventuel verrou dans /var/lock/lvm/ } case $vm_use_lvm in -(no) + (no) readonly vm_dev_disk_swap="${vm_dev_disk}5" readonly vm_dev_disk_root="${vm_dev_disk}6" readonly vm_dev_disk_var="${vm_dev_disk}7" readonly vm_dev_disk_home="${vm_dev_disk}8" ;; -(yes) + (yes) readonly vm_lvm_pv="${vm_dev_disk}2" - readonly vm_lvm_vg=$vm - readonly vm_lvm_dev=$(printf %s $vm_lvm_vg | sed -e 's/-/--/g') - readonly vm_lvm_lv=$vm - readonly vm_dev_disk_swap=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}_swap - readonly vm_dev_disk_root=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}_root - readonly vm_dev_disk_var=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}_var - readonly vm_dev_disk_home=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}home + readonly vm_dev_disk_swap=/dev/$vm_lvm_vg/${vm_lvm_lv}_swap + readonly vm_dev_disk_root=/dev/$vm_lvm_vg/${vm_lvm_lv}_root + readonly vm_dev_disk_var=/dev/$vm_lvm_vg/${vm_lvm_lv}_var + readonly vm_dev_disk_home=/dev/$vm_lvm_vg/${vm_lvm_lv}_home ;; -(*) + (*) exit 1;; esac @@ -130,7 +136,8 @@ rule_disk_format () { # DESCRIPTION: partitionnage du disque de la VM ;; (*) exit 1;; esac - sudo partprobe $vm_dev_disk + #sudo partprobe $vm_dev_disk + sudo kpartx -u -v /dev/domU/$vm_fqdn-disk } rule_part_lvm_format () { 
@@ -174,16 +181,16 @@ rule__part_encrypted_format () { # SYNTAX: $part # DESCRIPTION: formatage d'une local part=$1 eval "local dev=\$vm_dev_disk_$part" test ! -e /dev/mapper/${vm}_root_deciphered || - sudo /lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered | - sudo cryptsetup luksFormat --hash=sha512 --key-size=512 \ - --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $dev + sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered | + cryptsetup luksFormat --hash=sha512 --key-size=512 \ + --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $dev" } rule__part_encrypted_mount () { # SYNTAX: $part local part=$1 eval "local dev=\$vm_dev_disk_$part" - test ! -e /dev/mapper/${vm}_root_deciphered || - sudo /lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered | - sudo cryptsetup luksOpen --key-file=- $dev ${vm}_${part}_deciphered + test -e /dev/mapper/${vm}_${part}_deciphered || + sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered | + cryptsetup luksOpen --key-file=- $dev ${vm}_${part}_deciphered" } rule__part_encrypted_umount () { # SYNTAX: $part local part=$1 @@ -199,7 +206,7 @@ rule_part_root_format () { --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $vm_dev_disk_root sudo cryptsetup luksOpen --key-file=- $vm_dev_disk_root ${vm}_root_deciphered sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \ - -E resize=15G${vm_e2fs_extended_options} \ + -E resize=30G${vm_e2fs_extended_options} \ -L ${vm}_root \ /dev/mapper/${vm}_root_deciphered ! mountpoint -q /mnt/$vm_fqdn 
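Review bot: Both rewritten commands splice shell variables into the string handed to `sudo /bin/sh -c "…"`, so `${vm}`, `$dev` and `$part` are re-parsed by a root shell; today they come from the script's own readonly variables, but any future value containing whitespace or a metacharacter silently becomes a different command. Passing them as positional parameters to a single-quoted script keeps the pipe inside one root shell (the reason for the change) without the re-parsing. A second issue is specific to rule__part_encrypted_mount: it no longer checks that `${vm}_root_deciphered` is open, and since dash has no pipefail a failing decrypt_derived is masked and `cryptsetup luksOpen --key-file=-` is run with an empty key, producing an opaque error; I would keep an explicit `test -e /dev/mapper/${vm}_root_deciphered` before the sudo line. Both functions' signature lines sit just above this hunk.
```shell
rule__part_encrypted_format () { # SYNTAX: $part
  # … unchanged: local part, eval dev, test ! -e guard …
   sudo /bin/sh -c '/lib/cryptsetup/scripts/decrypt_derived "$1" |
    cryptsetup luksFormat --hash=sha512 --key-size=512 \
     --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 "$2"' \
    sh "${vm}_root_deciphered" "$dev"
  }
rule__part_encrypted_mount () { # SYNTAX: $part
  # … unchanged: local part, eval dev, test -e guard …
   sudo /bin/sh -c '/lib/cryptsetup/scripts/decrypt_derived "$1" |
    cryptsetup luksOpen --key-file=- "$2" "$3"' \
    sh "${vm}_root_deciphered" "$dev" "${vm}_${part}_deciphered"
  }
```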
@@ -210,14 +217,18 @@ rule_part_root_format () { mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/proc mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/sys mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/var + mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/root + mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/root/tool + mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/root/tool/ateliers sudo umount -v /mnt/$vm_fqdn + sudo cryptsetup luksClose ${vm}_root_deciphered fi } rule_part_root_mount () { test -e /dev/mapper/${vm}_root_deciphered || sudo cryptsetup luksOpen $vm_dev_disk_root ${vm}_root_deciphered - ! mountpoint -q /mnt/$vm_fqdn || - sudo mount -v /dev/mapper/${vm}_root_deciphered /mnt/$vm_fqdn + mountpoint -q /mnt/$vm_fqdn || + sudo mount -v -t ext4 /dev/mapper/${vm}_root_deciphered /mnt/$vm_fqdn } rule_part_root_umount () { ! mountpoint -q /mnt/$vm_fqdn || @@ -225,6 +236,9 @@ rule_part_root_umount () { ! test -e /dev/mapper/${vm}_root_deciphered || sudo cryptsetup luksClose ${vm}_root_deciphered } +rule_part_root_backup_luks () { + sudo cryptsetup luksHeaderBackup $vm_dev_disk_root --header-backup-file ./root.luks + } rule_part_swap_format () { rule__part_encrypted_format swap rule__part_encrypted_mount swap @@ -240,8 +254,8 @@ rule_part_boot_format () { rule_part_boot_mount () { mountpoint -q /mnt/$vm_fqdn test -d /mnt/$vm_fqdn/boot - mountpoint -q /mnt/$vm_fqdn/boot || - sudo mount -v $vm_dev_disk_boot /mnt/$vm_fqdn/boot + mountpoint -q /mnt/$vm_fqdn/boot || + sudo mount -v -t ext2 $vm_dev_disk_boot /mnt/$vm_fqdn/boot } rule_part_boot_umount () { ! mountpoint -q /mnt/$vm_fqdn/boot || @@ -259,7 +273,7 @@ rule_part_var_format () { rule_part_var_mount () { rule__part_encrypted_mount var mountpoint -q /mnt/$vm_fqdn/var || - sudo mount -v /dev/mapper/${vm}_var_deciphered /mnt/$vm_fqdn/var + sudo mount -v -t ext4 /dev/mapper/${vm}_var_deciphered /mnt/$vm_fqdn/var } rule_part_var_umount () { ! mountpoint -q /mnt/$vm_fqdn/var || 
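Review bot: The added `sudo cryptsetup luksClose ${vm}_root_deciphered` at the end of rule_part_root_format removes the mapping that the next steps of workflow.txt (part_swap_format, part_var_format, part_home_format) need for decrypt_derived, and the guard `test ! -e /dev/mapper/${vm}_root_deciphered ||` in rule__part_encrypted_format (hunk @@ -174,16) turns a missing root mapping into a silent no-op — unless something outside these hunks reopens root first, the swap/var/home volumes would simply not be luksFormat'ed, with no error. I would either drop the luksClose here, since rule_part_root_umount already closes the mapping, or make the guard fail loudly: `test -e /dev/mapper/${vm}_root_deciphered || { printf '%s\n' "${vm}_root_deciphered is not open" >&2; exit 1; }`. rule_part_root_format begins before this hunk and rule_part_root_umount continues after it.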
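Review bot: rule_part_root_backup_luks writes the LUKS header — including every key slot — to `./root.luks`, a path relative to wherever the operator happens to be, so the backup lands among unrelated files with no control over its permissions and one VM's backup name collides with another's. I would take the destination from an argument with a VM-specific default and pin the mode: `local out=${1:-./${vm}_root.luks}` followed by `sudo cryptsetup luksHeaderBackup $vm_dev_disk_root --header-backup-file "$out" && sudo chmod 0600 "$out"`. Newer cryptsetup versions refuse to overwrite an existing backup file and create it owner-only, but I would not rely on that across the squeeze/wheezy versions this tooling targets. Unlike its neighbours the rule carries no `# DESCRIPTION:` tag, so rule_help will list it without text; `# DESCRIPTION: sauvegarde de l'en-tête LUKS de root` on the signature line fixes that. rule_part_swap_format continues past the end of the hunk.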
@@ -271,15 +285,15 @@ rule_part_home_format () { rule__part_encrypted_mount home sudo mke2fs -t ext4 -c -c -m 0 -T ext4 -b $vm_e2fs_block_size \ -E resize=400G${vm_e2fs_extended_options} \ - -O quota \ -L ${vm}_home \ /dev/mapper/${vm}_home_deciphered + # NOTE: -O quota pas supporté par e2fsprogs/squeeze rule__part_encrypted_umount home } rule_part_home_mount () { rule__part_encrypted_mount home mountpoint -q /mnt/$vm_fqdn/home || - sudo mount -v /dev/mapper/${vm}_home_deciphered /mnt/$vm_fqdn/home + sudo mount -v -t ext4 /dev/mapper/${vm}_home_deciphered /mnt/$vm_fqdn/home } rule_part_home_umount () { ! mountpoint -q /mnt/$vm_fqdn/home || @@ -288,6 +302,9 @@ rule_part_home_umount () { } rule_debian_install () { + rule_part_root_mount + rule_part_boot_mount + rule_part_var_mount sudo DEBOOTSTRAP_DIR=/usr/share/debootstrap/ debootstrap \ --arch=$vm_arch --verbose --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \ --exclude=vim-tiny \ 
@@ -329,27 +346,34 @@ rule_debian_install () { http://ftp.fr.debian.org/debian/ } rule_chroot () { - rule_part_boot_mount rule_part_root_mount + rule_part_boot_mount rule_part_var_mount #rule_part_home_mount mountpoint -q /mnt/$vm_fqdn/proc || - mount -t proc proc /mnt/$vm_fqdn/proc + sudo mount -t proc proc /mnt/$vm_fqdn/proc mountpoint -q /mnt/$vm_fqdn/sys || - mount -t sysfs sys /mnt/$vm_fqdn/sys + sudo mount -t sysfs sys /mnt/$vm_fqdn/sys mountpoint -q /mnt/$vm_fqdn/dev || - mount --bind /dev /mnt/$vm_fqdn/dev - sudo chroot /mnt/$vm_fqdn /bin/bash || true + sudo mount --bind /dev /mnt/$vm_fqdn/dev + mountpoint -q /mnt/$vm_fqdn/root/tool/ateliers || + sudo mount --bind "$tool" /mnt/$vm_fqdn/root/tool/ateliers + sudo chroot /mnt/$vm_fqdn /bin/dash || true rule__chroot_clean } rule__chroot_clean () { - umount -v /mnt/$vm_fqdn/dev - umount -v /mnt/$vm_fqdn/sys - umount -v /mnt/$vm_fqdn/proc - #rule_part_home_umount + ! sudo mountpoint -q /mnt/$vm_fqdn/root/tool/ateliers || + sudo umount -v /mnt/$vm_fqdn/root/tool/ateliers + ! mountpoint -q /mnt/$vm_fqdn/dev || + sudo umount -v /mnt/$vm_fqdn/dev + ! mountpoint -q /mnt/$vm_fqdn/sys || + sudo umount -v /mnt/$vm_fqdn/sys + ! mountpoint -q /mnt/$vm_fqdn/proc || + sudo umount -v /mnt/$vm_fqdn/proc + rule_part_home_umount rule_part_var_umount - rule_part_root_umount rule_part_boot_umount + rule_part_root_umount } rule=${1:-help} diff --git a/ateliers_hosted b/ateliers_hosted index 5cbc254..3359fb6 100755 --- a/ateliers_hosted +++ b/ateliers_hosted @@ -12,7 +12,7 @@ rule_help () { Voir \`$tool/ateliers_host' pour les utilitaires côté machine hôte. SYNTAX: $0 \$RULE \${RULE}_SYNTAX RULES: - $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$0") + $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/env.sh "$0") ENVIRONMENT: TRACE # affiche les commandes avant leur exécution $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0") 
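Review bot: `sudo mount --bind "$tool" /mnt/$vm_fqdn/root/tool/ateliers` exposes the host's tooling directory read-write inside the chroot, so any process run in there can edit the scripts the host later executes under sudo, as well as the `key/` material under `$tool`. Older util-linux ignores `-o ro` on the bind itself, so I would follow the mount with `sudo mount -o remount,ro,bind "$tool" /mnt/$vm_fqdn/root/tool/ateliers`. Because rule__chroot_clean is called explicitly rather than from a trap, any failure part-way through rule_chroot under `set -e` leaves /dev, /sys, /proc and the tool directory mounted in the image; `trap rule__chroot_clean EXIT` at the top of rule_chroot would cover that, provided a script-wide EXIT trap does not interfere with the other rules. As a point of style, the first guard in rule__chroot_clean uses `sudo mountpoint -q` while the three below use plain `mountpoint -q`; one form should be chosen.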
@@ -25,8 +25,6 @@ rule_filesystem_init () { vm.vfs_cache_pressure=50 EOF } -rule_filesystem_unmount () { - } rule_shell_source () { . /etc/profile } @@ -36,7 +34,7 @@ rule_network_init () { EOF grep -q " $vm\$" /etc/hosts || mk_reg mod= own= --append /etc/hosts <<-EOF - 127.0.0.1 $vm.local $vm + 127.0.0.1 $vm_fqdn $vm EOF mk_reg mod= own= /etc/network/interfaces <<-EOF auto lo @@ -89,9 +87,9 @@ rule_boot_init () { mk_reg mod= own= /etc/crypttab <<-EOF # ${vm}_root_deciphered LABEL=${vm}_root ${vm}_root luks - ${vm}_var_deciphered LABEL=${vm}_var ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm}_swap_deciphered LABEL=${vm}_swap ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm}_home_deciphered LABEL=${vm}_home ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived + ${vm}_var_deciphered LABEL=${vm}_var ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived + ${vm}_swap_deciphered LABEL=${vm}_swap ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived + ${vm}_home_deciphered LABEL=${vm}_home ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived EOF mk_reg mod= own= /etc/initramfs-tools/modules <<-EOF #loop 
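Review bot: The three crypttab lines now expand `$vm_lvm_vg` unconditionally, but env.sh (its hunk further down) only defines it in the `(yes)` arm of `case $vm_use_lvm`, so with `vm_use_lvm=no` rule_boot_init either aborts on an unset variable (if ateliers_hosted runs with `set -u` like ateliers_host) or writes the malformed option `luks,lvm=,keyscript=…`. Making the option conditional keeps both configurations valid on each of the three lines: `luks,${vm_lvm_vg:+lvm=$vm_lvm_vg,}keyscript=/lib/cryptsetup/scripts/decrypt_derived`. Whether the initramfs cryptsetup hooks of the targeted Debian release honour `lvm=` for this LUKS-on-LVM layout is something I would confirm against crypttab(5) before relying on it. rule_boot_init starts before this hunk and continues after it.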
@@ -110,11 +108,383 @@ rule_user_admin_add () { # SYNTAX: ! id "$admin" || adduser "$admin" eval home="~$admin" adduser "$admin" sudo - mk_dir mod=0750 own="$admin:$admin" "$home"/etc - mk_dir mod=0700 own="$admin:$admin" "$home"/etc/ssh mk_reg mod=0400 own="$admin:$admin" "$home"/etc/ssh/authorized_keys <"$tool"/key/"$admin".ssh.pub } -rule_users_init () { +rule_user_mail_format () { + mk_dir mod=0770 own=root:adm /etc/skel/etc/procmail + mk_dir mod=0770 own=root:adm /etc/skel/var/mail + mk_dir mod=0770 own=root:adm /etc/skel/var/cache/procmail + mk_reg mod=0660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF + # vim: ft=procmail + + # NOTE: paramètres passés par postfix + SENDER=\$1 + RECIPIENT=\$2 + USER=\$3 + EXTENSION=\$4 + DOMAIN=\$5 + ORIGINAL_RECIPIENT=\$6 + + PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin" + MAILDIR="\$HOME/var/mail/" + DEFAULT="\$MAILDIR" + #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"` + LOGFILE="/dev/null" + LOGABSTRACT=all + LOGABSTRACT + VERBOSE + SHELL=/bin/sh + SHELLMETAS=&|<>~;?*%{} + + # DESCRIPTION: supprime les doublons en fonction du champ Message-Id + #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT" + #| formail -D 8192 "\$HOME/var/cache/procmail/msgid" + + # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward + EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"` + # NOTE: récupère l’adresse courriel dans le champ GECOS + FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'` + # NOTE: récupère l’expéditeur inscrit sur l’enveloppe + :0 + | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}" + + # DESCRIPTION: IMAP + #:0 + #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT" + + # DESCRIPTION: UUCP + #:0 + #| /usr/bin/uux \ + # -I "\$HOME/etc/uucp/uucp.cfg" \ + # --nouucico \ + # 
--notification=error \ + # --requestor "\$USER" \ + # - "\$USER!rmail" "(\$USER)" + EOF + mk_reg mod=0664 own=root:root /etc/postfix/main.cf <<-EOF + # /etc/postfix/main.cf + # SEE: http://postfix.traduc.org/index.php/TLS_README.html + + parent_domain_matches_subdomains = + #debug_peer_list + #fast_flush_domains + #mynetworks + #permit_mx_backup_networks + #qmqpd_authorized_clients + #smtpd_access_maps + mydomain = $vm_domainname + myorigin = \$mydomain + myhostname = $vm_hostname.\$mydomain + mail_name = \$myhostname + mydestination = + $vm_hostname + \$myhostname + \$myorigin + mynetworks = + 127.0.0.0/8 + #[::1]/128 + inet_protocols = ipv4 + # "all" to activate IPv6 + inet_interfaces = all + permit_mx_backup_networks = + + alias_database = + hash:/etc/aliases + # NOTE: fichier de hash contenant une table d’alias mail. + # Celle-ci est éditable dans /etc/aliases, puis (indispensable) + # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db + alias_maps = + hash:/etc/aliases + recipient_delimiter = + + # NOTE: séparateur entre le nom d’utilisateur + # et les extensions d’adresse (par défaut le signe +). + #virtual_alias_domains = + virtual_alias_maps = + hash:/etc/postfix/\$mydomain/virtual + # NOTE: do not specify virtual alias domain names in the main.cf + # mydestination or relay_domains configuration parameters. + # + # With a virtual alias domain, the Postfix SMTP server + # accepts mail for known-user@virtual-alias.domain, and + # rejects mail for unknown-user@virtual-alias.domain as + # undeliverable. + #relayhost = + relay_clientcerts = + hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts + relay_domains = + \$mydestination + # NOTE: ajouter les domaines pour lesquels on est backup MX ici, + # pas dans mydestination ou virtual_alias... 
+ + maximal_queue_lifetime = 5d + + header_checks = + regexp:/etc/postfix/\$mydomain/header_checks + mime_header_checks = + nested_header_checks = + milter_header_checks = + body_checks = + + #content_filter = amavisfeed:[127.0.0.1]:10024 + #receive_override_options = no_address_mappings + # no_unknown_recipient_checks + # Do not try to reject unknown recipients (SMTP server only). + # This is typically specified AFTER an external content filter. + # no_address_mappings + # Disable canonical address mapping, virtual alias map expansion, + # address masquerading, and automatic BCC (blind carbon-copy) recipients. + # This is typically specified BEFORE an external content filter (eg. amavis). + # no_header_body_checks + # Disable header/body_checks. This is typically specified AFTER an external content filter. + # no_milters + # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter. + #local_header_rewrite_clients = + transport_maps = + hash:/etc/postfix/\$mydomain/transport_maps + mailbox_command = + /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc" + mailbox_size_limit = 0 + biff = no + # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no). + append_dot_mydomain = no + # appending .domain is the MUA's job. 
+ + #tls_random_source = + # dev:/dev/urandom + # Non-blocking + #tls_random_reseed_period = 3600s + #tls_random_exchange_name = + # \${data_directory}/prng_exch + # NOTE: à ne pas mettre dans la cage chroot + #tls_random_bytes = 32 + #tls_random_prng_update_period = 3600s + #tls_high_cipherlist = AES256-SHA + # NOTE: postconf(5) déconseille de changer ceci + + #smtp_cname_overrides_servername = no + smtp_connect_timeout = 60s + #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem + #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/ + #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem + #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem + #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site + # NOTE: déprécié en faveur de smtp_tls_policy_maps + smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy + smtp_tls_fingerprint_digest = sha1 + smtp_tls_scert_verifydepth = 5 + #smtp_tls_secure_cert_match = nexthop, dot-nexthop + #smtp_tls_verify_cert_match = hostname + #smtp_tls_note_starttls_offer = yes + smtp_tls_loglevel = 1 + smtp_tls_protocols = !SSLv2, !SSLv3 + # Only allow TLSv* + smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache + #smtp_tls_session_cache_timeout = 3600s + smtp_tls_security_level = may + smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks + smtp_body_checks = + smtp_mime_header_checks = + smtp_nested_header_checks = + + smtpd_starttls_timeout = 300s + smtpd_banner = + \$myhostname ESMTP \$mail_name (Debian/GNU) + + # Restrictions + smtpd_helo_required = yes + strict_rfc821_envelopes = yes + smtpd_authorized_xclient_hosts = 127.0.0.1 + # NOTE: utile pour tester les restrictions + + smtpd_helo_restrictions = + reject_invalid_helo_hostname + reject_non_fqdn_helo_hostname + #reject_unknown_helo_hostname + # NOTE: pourrait pourtant être utile pour lutter contre le spam + permit + + smtpd_sender_restrictions = + permit_mynetworks + 
permit_tls_clientcerts + permit_sasl_authenticated + check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access + check_sender_access hash:/etc/postfix/sender_blacklist + reject_unauth_pipelining + reject_non_fqdn_sender + #reject_unknown_sender_domain + # NOTE: temporaire + permit + + smtpd_client_new_tls_session_rate_limit = 0 + smtpd_client_event_limit_exceptions = \$mynetworks + smtpd_client_recipient_rate_limit = 0 + smtpd_client_connection_count_limit = 50 + smtpd_client_connection_rate_limit = 0 + smtpd_client_message_rate_limit = 0 + smtpd_client_port_logging = no + + smtpd_client_restrictions = + check_client_access hash:/etc/postfix/client_blacklist + + policy_time_limit = 3600 + default_extra_recipient_limit = 5000 + duplicate_filter_limit = 5000 + smtpd_recipient_limit = 5000 + smtpd_recipient_overshoot_limit = 5000 + smtpd_recipient_restrictions = + reject_non_fqdn_recipient + #reject_invalid_hostname + # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname + # dans smtpd_helo_restrictions + reject_unknown_recipient_domain + #reject_non_fqdn_sender + # NOTE: dans smtpd_sender_restrictions + reject_unauth_pipelining + # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions + permit_mynetworks + permit_tls_clientcerts + permit_sasl_authenticated + reject_unauth_destination + # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous + # ou quelqu'un pour lequel on tient lieu de backup_mx + check_policy_service inet:127.0.0.1:10023 + # NOTE: Postgrey (greylisting) + check_policy_service unix:private/spfcheck + permit_auth_destination + # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné + # (voir permit_auth_destination) ; sans doute redondant + reject + #check_relay_domains <- removed from postfix + #reject_unknown_sender_domain + # aurait probablement été mieux dans smtpd_sender_restrictions + #reject_rbl_client bl.spamcop.net + #reject_rbl_client list.dsbl.org + #reject_rbl_client zen.spamhaus.org 
+ #reject_rbl_client dnsbl.sorbs.net + + smtpd_data_restrictions = + reject_unauth_pipelining + # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK + permit + + #smtpd_end_of_data_restrictions = + + #smtpd_restriction_classes = + + smtpd_error_sleep_time = 5 + # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes. + + # SASL + smtpd_sasl_auth_enable = yes + smtpd_sasl_type = dovecot + smtpd_sasl_path = private/auth + smtpd_sasl_security_options = noanonymous + smtpd_sasl_domain = \$mydomain + + # SMTPD TLS + smtpd_discard_ehlo_keywords = starttls + # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste + # se mangent une erreur en tentant un starttls + smtpd_tls_fingerprint_digest = sha1 + # sha512 ? + smtpd_tls_mandatory_protocols = TLSv1 + smtpd_tls_mandatory_ciphers = high + smtpd_tls_ciphers = high + # restrictif. s/high/medium/ ? + smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem + smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/ + smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem + smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem + ## + #smtpd_tls_received_header = no + smtpd_tls_session_cache_database = + btree:/var/lib/postfix/smtpd_tls_session_cache + #smtpd_tls_session_cache_timeout = 3600s + smtpd_tls_security_level = may + # Postfix 2.3 and later + # encrypt + # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS + # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced + # SMTP server. Instead, this option should be used only on dedicated servers. 
+ smtpd_tls_loglevel = 1 + smtpd_tls_ccert_verifydepth = 5 + smtpd_tls_auth_only = yes + # Pas d'AUTH SASL sans TLS + smtpd_tls_ask_ccert = no + smtpd_tls_req_ccert = no + #smtpd_tls_always_issue_session_ids = yes + smtpd_peername_lookup = yes + # Nécessaire pour postgrey, etc + smtpd_milters = + non_smtpd_milters = + line_length_limit = 2048 + queue_minfree = 0 + message_size_limit = 20480000 + #smtpd_enforce_tls # NOTE: obsolète + #smtpd_use_tls # NOTE: obsolète + #smtpd_tls_cipherlist # NOTE: obsolète + + readme_directory = no + #delay_warning_time = 4h + # NOTE: uncomment the previous line to generate "delayed mail" warnings + #debug_peer_level = 4 + #debug_peer_list = .\$myhostname + EOF + mk_reg mod=0664 own=root:root /etc/dovecot/dovecot.conf <<-EOF + auth_ssl_username_from_cert = yes + listen = * + log_timestamp = "%Y-%m-%d %H:%M:%S " + mail_debug = yes + mail_location = maildir:~/var/mail + mail_privileged_group = mail + passdb { + args = /home/%u/etc/dovecot/passwd + driver = passwd-file + } + protocols = imap + service auth { + unix_listener /var/spool/postfix/private/auth { + group = postfix + mode = 0660 + user = postfix + } + user = root + } + ssl_ca = /dev/xvda{1,2} # /dev/xvda2 -> /dev/mapper/${vm_lvm_vg}-${vm_lvm_lv}_{swap,root,var,home} +case $vm_use_lvm in + (no) + ;; + (yes) + readonly vm_lvm_vg=$vm_fqdn + readonly vm_lvm_lv=$vm + ;; + (*) + exit 1;; + esac + readonly vm_raid_effective_disks=1 # NOTE: RAID1 (mirroring) # NOTE: julm@rouf:~$ sudo pvs /dev/md2 -o+pe_start # PV VG Fmt Attr PSize PFree 1st PE @@ -75,3 +88,7 @@ readonly vm_mac="00:16:3E:E5:98:42" # NOTE: addresse MAC assignée par Grésille # dans l'idée de ne pas s'embêter avec # une migration squeeze -> wheezy dans deux mois ; # et parce qu'on juge wheezy « suffisamment stable ». + +rule_env () { # DESCRIPTION: affiche les $vm_* + set | grep '^vm_' + } diff --git a/inc.sh b/inc.sh index 757fbcb..28df016 100644 --- a/inc.sh +++ b/inc.sh 
@@ -4,14 +4,14 @@ mk_dir () { local mod=${1#mod=}; shift local own=${1#own=}; shift - mkdir -p "$@" + sudo mkdir -p "$@" ! [ ${mod:+set} ] || sudo chmod $mod "$@" ! [ ${own:+set} ] || sudo chown $own "$@" } mk_reg () { local mod=${1#mod=}; shift local own=${1#own=}; shift - tee >/dev/null "$@" + sudo tee >/dev/null "$@" ! [ ${mod:+set} ] || sudo chmod $mod "$@" ! [ ${own:+set} ] || sudo chown $own "$@" } diff --git a/workflow.txt b/workflow.txt new file mode 100644 index 0000000..e9cd3a3 --- /dev/null +++ b/workflow.txt @@ -0,0 +1,9 @@ +% export TRACE=1 +% ./ateliers_host disk_mount +% ./ateliers_host disk_format +% ./ateliers_host part_lvm_format +% ./ateliers_host part_root_format +% ./ateliers_host part_boot_format +% ./ateliers_host part_swap_format +% ./ateliers_host part_var_format +% ./ateliers_host part_home_format -- 2.20.1
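Review bot: With `sudo tee >/dev/null "$@"` a new target is created by root under tee's default umask before the `sudo chmod $mod` on the following line narrows it, so a file requested at mode 0400 — the `authorized_keys` written by rule_user_admin_add, and any future secret — is briefly readable by everyone; the same ordering applies to `sudo mkdir -p "$@"` in mk_dir. When a mode is requested I would create restrictively first and let the existing chmod relax it, keeping the umask change in a subshell: `( ! [ ${mod:+set} ] || umask 077; sudo tee >/dev/null "$@" )`. sudo's default policy only makes the inherited umask stricter, so the 077 survives unless `umask_override` is set in sudoers — worth a one-line comment next to it. Note also that `mkdir -p` creates intermediate directories at the default mode and only the named leaves receive `chmod $mod`, which predates this change; mk_dir's signature line sits just above the hunk.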