gnunux/dataset
1
0
Fork 0
forked from stove/dataset
Code Issues Pull requests Projects Releases Wiki Activity

fork from cadoles' risotto-dataset

Browse source
This commit is contained in:
Emmanuel Garette 2022-03-08 19:42:28 +01:00
parent 57ef44abbc
commit a093f49780
415 changed files with 22885 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
doc/certificates.md Normal file
View file

@ -0,0 +1,68 @@
# Généré des certificats via la PKI interne de mini_risotto
## Génération des certificates sur le serveur
Création la variable contenant la chain :
```
<variables>
<variable name='service_ca_chain' description="CA certificate" hidden='True'/>
</variable>
```
Création d'une autorité avec le nom "AuthorityName" (le nom est un terme en CamelCase) :
```
<fill name="get_chain">
<param name="cn" type="information">server_name</param>
<param name="authority_cn" type="information">server_name</param>
<param name="authority_name">AuthorityName</param>
<target>service_chain</target>
</fill>
```
La création du fichier de CA est simple, il suffit d'utiliser la variable "service_ca_chain".
Puis il faut créer le certificat avec un template qui contient :
```
%%get_certificate(%%domain_name_eth0, authority_name="AuthorityName")
```
Si l'autorité n'est pas gérer par le serveur courant, il faut précicer le nom du serveur responsable de l'autorité :
```
%%get_certificate(%%domain_name_eth0, authority_cn=%%server, authority_name="AuthorityName")
```
Enfin, le certificat peut avoir plusieurs nom de domaine, dans ce cas on peut le gérer par exemple en faisant :
```
%set %%extra_domainnames = []
%for %%idx in %%range(1, %%number_of_interfaces)
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
%end for
%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames)
```
Enfin on peut récupérer la clef privée (attention APRÉS avoir récupérer le certificat) :
```
%get_private_key(%%domain_name_eth0, %%server)
```
Comme le certificat, l'autorité peut ne pas être de la responsabilité du serveur courant :
```
%get_private_key(%%domain_name_eth0, authority_cn=%%server, authority_name="ReverseProxy")
```
## PKI sous Fedora
Création des fichiers pour l'autorité "AuthorityName" pour le service "service" :
```
<file>/etc/pki/ca-trust/source/anchors/ca_AuthorityName.crt</file>
<file>/etc/pki/tls/certs/service.crt</file>
<file owner="root" group="root" mode="400">/etc/pki/tls/private/service.key</file>
```

21
doc/format.txt Normal file
View file

@ -0,0 +1,21 @@
Modèle de serveur
=================
name : nom du serveur modèle
description : description du serveur modèle
applicationservice : application service spécifique à ce serveur modèle
os_name : nom de l'image
os_version : version de l'image
iso : URL de téléchargement de l'image
Service applicatif
==================
format : numéro du format
name : nom du service applicatif
description: description du service applicatifs
depends : liste de dépendances vers d'autres service applicatifs
packages : liste de paquets logiciel a installé dans l'image
os : liste des "os_name" et "os_version" compatible avec ce service applicatif

177
doc/link.md Normal file
View file

@ -0,0 +1,177 @@
# Configuration liée
Une configuration liée est un ensemble d'élément partagé entre deux serveurs différents.
## Lier un client à un serveur
```
<check name="set_linked">
<param name="linked_provider">clients</param>
<param name="linked_value" type="variable">service_variable</param>
<target>service_variable_2</target>
</check>
```
## Lier un client à un serveur avec un nom d'utilisateur issu du nom de domaine
Il faut commencer de créer une variable côté serveur :
```
<variable name="remotes" description="All clients" type="domainname" multi="True" provider="clients"/>
```
Le nom d'utilisateur sera ici le nom de domaine du serveur avec l'application de la fonction 'normalize_family'.
Pour lier deux configurations il faut créer deux variables côté client :
```
<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
```
Enfin il faut lier les deux configurations :
```
<fill name="set_linked">
<param name="linked_server" type="variable">service_server_address</param>
<param name="linked_provider">clients</param>
<param name="linked_value" type="information">server_name</param>
<target>service_remote_user</target>
</fill>
```
Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera ajouter à la variable "remotes" du serveur.
En retour la variable "service_remote_user" aura comme valeur "normalize_family(service_server_address)".
## Lier un client unique à un serveur avec un nom d'utilisateur calculé sur le serveur
Il faut commencer de créer les variables côté serveur :
```
<variables>
<variable name="remote" description="The client" type="domainname" provider="client"/>
<variable name="username" hidden="True" provider="client_name"/>
</variables>
<constraints>
<fill name="gen_user_name">
<target>username</target>
</fill>
</constraints>
```
Côté client :
```
<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
```
```
<fill name="set_linked">
<param name="linked_server" type="variable">service_server_address</param>
<param name="linked_provider">clients</param>
<param name="linked_value" type="information">server_name</param>
<param name="linked_returns">client_name</param>
<target>service_remote_user</target>
</fill>
```
Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera la variable "remote" du serveur.
Un nom d'utilisateur sera alors généré côté serveur, la valeur de ce nom sera retourner au client comme valeur de 'service_remote_user'.
## Lier plusieurs clients à un serveur avec un nom d'utilisateur calculé sur le serveur
Il faut commencer de créer les variables côté serveur :
```
<variables>
<variable name="remotes" description="All clients" type="domainname" multi="True" provider="clients"/>
<family name="remote_" description="Compte pour " dynamic="remotes">
<variable name="username_" hidden="True" provider="client_name"/>
</family>
</variables>
<constraints>
<fill name="gen_user_name">
<target>username_</target>
</fill>
</constraints>
```
Côté client :
```
<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
```
```
<fill name="set_linked">
<param name="linked_server" type="variable">service_server_address</param>
<param name="linked_provider">clients</param>
<param name="linked_value" type="information">server_name</param>
<param name="linked_returns">client_name</param>
<param name="dynamic" type="information">server_name</param>
<target>service_remote_user</target>
</fill>
```
Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera ajouter à la variable "remotes" du serveur.
Un nom d'utilisateur sera alors généré côté serveur, la valeur de ce nom sera retourner au client comme valeur de 'service_remote_user'.
## Caculer une variable d'un client par rapport à la valeur d'un serveur
Il faut commencer de créer une nouvelle variables côté serveur par exemple dans une famille dynamique :
```
<variables>
<family name="remote_" description="Compte pour " dynamic="remotes">
<variable name="password_" description="Password " auto_save="True" hidden="True" type="password" provider="client_password"/>
</family>
</variables>
<constraints>
<fill name="gen_password">
<target>password_</target>
</fill>
</constraints>
```
Côté client on veut récupérer ce mot de passe dans une variable :
```
<variable name='service_remote_user_password' type='password' description="Remote password" mandatory='True' hidden="True"/>
```
Et calculer cette valeur :
```
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">service_server_address</param>
<param name="linked_provider">client_password</param>
<param name="dynamic" type="variable">service_remote_user</param>
<target>service_remote_user_password</target>
</fill>
```
## Propoger la valeur d'une variable d'un client vers un serveur
```
<check name="set_linked_configuration">
<param name="linked_server" type="variable">service_server_address</param>
<param name="linked_provider">client_var</param>
<param name="dynamic" type="variable">service_remote_user</param>
<target>service_variable</target>
</check>
```
## Propoger la valeur d'une variable d'un client vers un variable esclave du serveur
```
<check name="set_linked_configuration">
<param name="linked_server" type="variable">service_server_address</param>
<param name="leader_provider">client_var</param>
<param name="leader_value" type="variable">service_variable</param>
<param name="linked_provider">slave</param>
<param name="dynamic" type="variable">service_server_address</param>
<target>service_variable_2</target>
</check>
```

2
seed/applicationservice/2022.03.08/apache/FIXME Normal file
View file

@ -0,0 +1,2 @@
# ln -s /etc/httpd/conf.d/nextcloud-access.conf.avail /etc/httpd/conf.d/z-nextcloud-access.conf

5
seed/applicationservice/2022.03.08/apache/applicationservice.yml Normal file
View file

@ -0,0 +1,5 @@
format: '0.1'
description: Apache configuration
depends:
- base-fedora-35
- reverse-proxy-client

31
seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml Normal file
View file

@ -0,0 +1,31 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name="httpd" target="multi-user">
<file>/etc/httpd/conf/httpd.conf</file>
<file>/etc/httpd/conf.d/risotto.conf</file>
<file>/etc/httpd/conf.d/ssl.conf</file>
<file>/etc/httpd/ssl/server.ca</file>
<file>/etc/httpd/ssl/server.key</file>
<file>/etc/httpd/ssl/server.crt</file>
<file engine="none" source="sysuser-httpd.conf">/sysusers.d/httpd.conf</file>
<file engine="none" source="tmpfile-httpd.conf">/tmpfiles.d/0httpd.conf</file>
</service>
</services>
<variables>
<family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
<variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
<value>300</value>
</variable>
<variable name="apache_keepalive" type="boolean" description="Autoriser les connexions persistantes"/>
<variable name="server_ca" hidden="True"/>
</family>
</variables>
<constraints>
<fill name="get_chain">
<param name="authority_cn" type="variable">revprox_client_server_domainname</param>
<param name="authority_name">ReverseProxy</param>
<target>server_ca</target>
</fill>
</constraints>
</rougail>

360
seed/applicationservice/2022.03.08/apache/templates/httpd.conf Normal file
View file

@ -0,0 +1,360 @@
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# See the httpd.conf(5) man page for more information on this configuration,
# and httpd.service(8) on using and configuring the httpd service.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
# with ServerRoot set to '/www' will be interpreted by the
# server as '/www/log/access_log', where as '/log/access_log' will be
# interpreted as '/log/access_log'.
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on a specific IP address, but note that if
# httpd.service is enabled to run at boot time, the address may not be
# available when the service starts. See the httpd.service(8) man
# page for more information.
#
#Listen 12.34.56.78:80
Listen 80
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache
Group apache
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin root@localhost
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"
#
# Relax access to content within /var/www.
#
<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
# GNUNUX ErrorLog "logs/error_log"
ErrorLog "|/usr/bin/systemd-cat -p err -t httpd"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
# GNUNUX CustomLog "logs/access_log" combined
CustomLog "|/usr/bin/systemd-cat -t httpd" combined
</IfModule>
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig /etc/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default. To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
MIMEMagicFile conf/magic
</IfModule>
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on
# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

15
seed/applicationservice/2022.03.08/apache/templates/risotto.conf Normal file
View file

@ -0,0 +1,15 @@
# Timeout
Timeout %%apache_timeout
# Keepalive
%if %%apache_keepalive
KeepAlive On
%else
KeepAlive Off
%end if
MaxKeepAliveRequests 50
KeepAliveTimeout %%apache_timeout
# RemoteIp
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy %%revprox_client_server_ip

1
seed/applicationservice/2022.03.08/apache/templates/server.ca Normal file
View file

@ -0,0 +1 @@
%%server_ca

1
seed/applicationservice/2022.03.08/apache/templates/server.crt Normal file
View file

@ -0,0 +1 @@
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="ReverseProxy")

1
seed/applicationservice/2022.03.08/apache/templates/server.key Normal file
View file

@ -0,0 +1 @@
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="ReverseProxy")

226
seed/applicationservice/2022.03.08/apache/templates/ssl.conf Normal file
View file

@ -0,0 +1,226 @@
#
# When we also provide SSL we have to listen to the
# standard HTTPS port in addition.
#
Listen 443 https
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
# GNUNUX ErrorLog logs/ssl_error_log
ErrorLog "|/usr/bin/systemd-cat -p err -t httpd"
# GNUNUX TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# List the protocol versions which clients are allowed to connect with.
# The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details.
#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3
# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details.
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
# GNUNUX SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/ssl/server.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
# GNUNUX SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/ssl/server.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
#>GNUNUX
SSLCACertificateFile /etc/httpd/ssl/server.ca
#<GNUNUX
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
# GNUNUX CustomLog logs/ssl_request_log \
# GNUNUX "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
CustomLog "|/usr/bin/systemd-cat -t httpd" combined
</VirtualHost>

2
seed/applicationservice/2022.03.08/apache/templates/sysuser-httpd.conf Normal file
View file

@ -0,0 +1,2 @@
g apache 48 -
u apache 48:48 "Apache" /usr/share/httpd /sbin/nologin

2
seed/applicationservice/2022.03.08/apache/templates/tmpfile-httpd.conf Normal file
View file

@ -0,0 +1,2 @@
d /var/www/html 750 root apache - -

4
seed/applicationservice/2022.03.08/base-debian-bullseye/applicationservice.yml Normal file
View file

@ -0,0 +1,4 @@
format: '0.1'
description: Information de base d'un serveur Debian Buster
depends:
- base-debian

15
seed/applicationservice/2022.03.08/base-debian-bullseye/dictionaries/00-debian-bullseye.xml Normal file
View file

@ -0,0 +1,15 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="dnssec" manage="False">
<file>/etc/dnssec-trust-anchors.d/local.negative</file>
</service>
</services>
<variables>
<family name="general">
<variable name="os_version" type="string" description="OS Version" hidden="True">
<value>bullseye</value>
</variable>
</family>
</variables>
</rougail>

1
seed/applicationservice/2022.03.08/base-debian-bullseye/manual/image/preinstall/base_debian_bullseye.sh Normal file
View file

@ -0,0 +1 @@
RELEASEVER=bullseye

2
seed/applicationservice/2022.03.08/base-debian-bullseye/templates/local.negative Normal file
View file

@ -0,0 +1,2 @@
%set %%domain=%%domain_name_eth0.split('.', 1)[1]
%%domain

5
seed/applicationservice/2022.03.08/base-debian/applicationservice.yml Normal file
View file

@ -0,0 +1,5 @@
format: '0.1'
description: Information de base d'un serveur Debian
depends:
- base
- systemd

26
seed/applicationservice/2022.03.08/base-debian/dictionaries/00-debian-base.xml Normal file
View file

@ -0,0 +1,26 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="debian" manage="False">
<file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
<file engine="none">/etc/default/locale</file>
</service>
<service name="update-ca-certificates" engine="creole" target="multi-user"/>
</services>
<variables>
<family name="general">
<variable name="os_name" type="string" description="OS name" hidden="True">
<value>Debian</value>
</variable>
<variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
<value>/etc/ssl-localca</value>
</variable>
<variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
<value>/etc/ssl/certs</value>
</variable>
<variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
<value>/etc/ssl/private</value>
</variable>
</family>
</variables>
</rougail>

2
seed/applicationservice/2022.03.08/base-debian/manual/image/postinstall/debian.sh Normal file
View file

@ -0,0 +1,2 @@
rm -f $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
ln -s ../run/systemd/resolve/stub-resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf

3
seed/applicationservice/2022.03.08/base-debian/manual/image/preinstall/base_debian.sh Normal file
View file

@ -0,0 +1,3 @@
BASE_PKG="dbus,udev,systemd,bash,lsof,strace,apt-listchanges"
INSTALL_TOOL="apt"
OS_NAME="debian"

1
seed/applicationservice/2022.03.08/base-debian/templates/locale Normal file
View file

@ -0,0 +1 @@
LANG="fr_FR.UTF-8"

1
seed/applicationservice/2022.03.08/base-debian/templates/tmpfile-tmp.conf Normal file
View file

@ -0,0 +1 @@
q /var/tmp 1777 root root 30d

11
seed/applicationservice/2022.03.08/base-debian/templates/update-ca-certificates.service Normal file
View file

@ -0,0 +1,11 @@
[Unit]
Description=Update CA Certificates
Before=network-pre.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/update-ca-certificates --localcertsdir %%tls_ca_directory
[Install]
WantedBy=multi-user.target

1
seed/applicationservice/2022.03.08/base-fedora/README.md Normal file
View file

@ -0,0 +1 @@
Inspired by: https://pagure.io/fedora-kickstarts/tree/main

5
seed/applicationservice/2022.03.08/base-fedora/applicationservice.yml Normal file
View file

@ -0,0 +1,5 @@
format: '0.1'
description: Information de base d'un serveur Fedora
depends:
- base
- systemd

25
seed/applicationservice/2022.03.08/base-fedora/dictionaries/00-fedora-base.xml Normal file
View file

@ -0,0 +1,25 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="update-ca-trust" engine="creole" target="multi-user"/>
<service name="fedora-base" manage="False">
<file engine="none">/tmpfiles.d/fedora.conf</file>
</service>
</services>
<variables>
<family name="general">
<variable name="os_name" type="string" description="OS name" hidden="True">
<value>Fedora</value>
</variable>
<variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
<value>/etc/pki/ca-trust/source/anchors</value>
</variable>
<variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
<value>/etc/pki/tls/certs</value>
</variable>
<variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
<value>/etc/pki/tls/private</value>
</variable>
</family>
</variables>
</rougail>

4
seed/applicationservice/2022.03.08/base-fedora/manual/image/preinstall/base_fedora.sh Normal file
View file

@ -0,0 +1,4 @@
BASE_PKG="systemd systemd-networkd systemd-resolved fedora-release-container lsof strace"
INSTALL_TOOL="dnf"
OS_NAME='fedora'
REPO_DIR="$IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/yum.repos.d/"

11
seed/applicationservice/2022.03.08/base-fedora/packer/image/preprocessors Executable file
View file

@ -0,0 +1,11 @@
#!/bin/bash
set -xe
echo "Preprocessors"
if [ ! -z $https_proxy ]; then
echo "echo 'export https_proxy=$https_proxy' > /tmp/proxy.sh" > scripts/00-proxy
fi
exit 0

63
seed/applicationservice/2022.03.08/base-fedora/packer/image/recipe.json Normal file
View file

@ -0,0 +1,63 @@
{
"builders": [
{
"format": "qcow2",
"headless": true,
"output_directory": "{{user `tmp_directory`}}/output",
"shutdown_command": "echo packer | sudo -S shutdown -P now",
"ssh_password": "qemubuild",
"ssh_username": "qemubuild",
"ssh_wait_timeout": "120m",
"type": "qemu",
"disk_interface": "virtio",
"vm_name": "image.img",
"qemuargs": [
["-drive", "file=output/image.img,if=virtio,cache=writeback,discard=ignore,format=qcow2"],
["-drive", "if=pflash,format=raw,readonly=on,file=/usr/share/OVMF/OVMF_CODE.fd"]
],
"memory": "2048",
"vnc_bind_address": "0.0.0.0",
"disk_image": true,
"iso_checksum": "{{user `iso_checksum` }}",
"iso_url": "{{user `iso_url` }}",
"iso_checksum_type": "sha256"
}
],
"provisioners": [
{
"type": "file",
"source": "{{user `tmp_directory`}}/scripts",
"destination": "/tmp/scripts"
},
{
"type": "shell",
"inline": [
"sudo chown root: /tmp/scripts/*",
"sudo chmod +x /tmp/scripts/*",
"sudo risotto-run-parts /tmp/scripts/"
]
}
],
"post-processors": [
{
"type": "shell-local",
"inline": [
"sleep 5",
"mkdir -p {{user `tmp_directory`}}/tmp",
"echo 'Syst Prep'",
"LIBGUESTFS_BACKEND=direct virt-sysprep --delete \"/var/*\" --delete \"/home/*\" -a {{user `tmp_directory`}}/output/image.img",
"echo 'Sparsify before shink'",
"LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ {{user `tmp_directory`}}/output/image.img {{user `tmp_directory`}}/output/sparse.img",
"echo 'Shink'",
"guestfish add {{user `tmp_directory`}}/output/sparse.img : run : resize2fs-M /dev/sda2",
"truncate -s $(virt-df {{user `tmp_directory`}}/output/sparse.img --csv|tail -n +2|awk -F, '{x+=$3}END{print x + 16012}')K {{user `tmp_directory`}}/output/shrink.img",
"virt-resize --shrink /dev/sda2 {{user `tmp_directory`}}/output/sparse.img {{user `tmp_directory`}}/output/shrink.img",
"echo 'Sparsify and convert to qcow2'",
"LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ --compress --convert qcow2 {{user `tmp_directory`}}/output/shrink.img {{user `tmp_directory`}}/image.img",
"echo 'SHASUM'",
"sha256sum {{user `tmp_directory`}}/image.img > {{user `tmp_directory`}}/image.sha256",
"rm -rf {{user `tmp_directory`}}/tmp {{user `tmp_directory`}}/output"
]
}
]
}

63
seed/applicationservice/2022.03.08/base-fedora/packer/image/recipe.json.ext2 Normal file
View file

@ -0,0 +1,63 @@
{
"builders": [
{
"format": "qcow2",
"headless": true,
"output_directory": "{{user `tmp_directory`}}/output",
"shutdown_command": "echo packer | sudo -S shutdown -P now",
"ssh_password": "qemubuild",
"ssh_username": "qemubuild",
"ssh_wait_timeout": "120m",
"type": "qemu",
"disk_interface": "virtio",
"vm_name": "image.img",
"qemuargs": [
["-drive", "file=output/image.img,if=virtio,cache=writeback,discard=ignore,format=qcow2"],
["-drive", "if=pflash,format=raw,readonly=on,file=/usr/share/OVMF/OVMF_CODE.fd"]
],
"memory": "2048",
"vnc_bind_address": "0.0.0.0",
"disk_image": true,
"iso_checksum": "{{user `iso_checksum` }}",
"iso_url": "{{user `iso_url` }}",
"iso_checksum_type": "sha256"
}
],
"provisioners": [
{
"type": "file",
"source": "{{user `tmp_directory`}}/scripts",
"destination": "/tmp/scripts"
},
{
"type": "shell",
"inline": [
"sudo chown root: /tmp/scripts/*",
"sudo chmod +x /tmp/scripts/*",
"sudo risotto-run-parts /tmp/scripts/"
]
}
],
"post-processors": [
{
"type": "shell-local",
"inline": [
"sleep 5",
"mkdir -p {{user `tmp_directory`}}/tmp",
"echo 'Syst Prep'",
"LIBGUESTFS_BACKEND=direct virt-sysprep --delete \"/var/*\" --delete \"/home/*\" -a {{user `tmp_directory`}}/output/image.img",
"echo 'Sparsify before shink'",
"LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ {{user `tmp_directory`}}/output/image.img {{user `tmp_directory`}}/output/sparse.img",
"echo 'Shink'",
"guestfish add {{user `tmp_directory`}}/output/sparse.img : run : resize2fs-M /dev/sda2",
"truncate -s $(virt-df {{user `tmp_directory`}}/output/sparse.img --csv|tail -n +2|awk -F, '{x+=$3}END{print x + 16384}')K {{user `tmp_directory`}}/output/shrink.img",
"virt-resize --shrink /dev/sda2 {{user `tmp_directory`}}/output/sparse.img {{user `tmp_directory`}}/output/shrink.img",
"echo 'Sparsify and convert to qcow2'",
"LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ --compress --convert qcow2 {{user `tmp_directory`}}/output/shrink.img {{user `tmp_directory`}}/image.img",
"echo 'SHASUM'",
"sha256sum {{user `tmp_directory`}}/image.img > {{user `tmp_directory`}}/image.sha256",
"rm -rf {{user `tmp_directory`}}/tmp {{user `tmp_directory`}}/output"
]
}
]
}

8
seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/10-update Normal file
View file

@ -0,0 +1,8 @@
#!/bin/bash
set -xe
[ -e /tmp/proxy.sh ] && . /tmp/proxy.sh
microdnf update
exit 0

9
seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/40-remove_microdnf Normal file
View file

@ -0,0 +1,9 @@
#!/bin/bash
set -xe
microdnf clean all
for package in microdnf libdnf libpeas libstdc++ gobject-introspection libsolv librepo libmodulemd file-libs zchunk-libs libyaml gpgme gnupg2 libassuan libksba libusbx npth; do
rpm -e $package || true
done
rm -rf /var/lib/dnf
exit 0

29
seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/50-rpm_vaccum Normal file
View file

@ -0,0 +1,29 @@
#!/bin/bash
set -xe
rpm -qa | sort > /tmp/rpm.txt
# try to remove this packages
PKG=" rpm rpm-libs curl libcurl lua-libs libarchive sqlite-libs libnghttp2 libssh libbrotli libpsl publicsuffix-list-dafsa libxml2 libssh-config elfutils-libs dbus-broker "
# exclude package
PKG2=""
while read -r a; do
pkg="$(echo "$a" | awk '{ print $1 }' | awk -F'(' '{ print $1 }')"
[ -n "$PKG2" ] && PKG2="$PKG2\n"
PKG2="$PKG2$pkg"
done <<< "$( rpm --test -ev $PKG 2>&1 | grep -v ^'erreur' )"
while read -r b; do
pkg=$(rpm -q $b --quiet && echo $b || rpm -qf $(find / -name $b -print -quit) --query --queryformat "%{NAME}\n";)
echo "Ne pas désinstaller $pkg"
PKG=${PKG// $pkg / }
done <<< "$(echo -e $PKG2 | sort -u)"
echo "Suppression de $PKG"
rpm -e $PKG
echo "Remove rpm database"
rm -rf /var/lib/rpm/*
rm -rf /usr/lib/rpm
mv /tmp/rpm.txt /var/lib/rpm/rpm.txt
exit 0

11
seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/60-tmpfiles Normal file
View file

@ -0,0 +1,11 @@
#!/bin/bash
set -xe
rm -rf /etc/X11 /etc/firewalld /etc/pki/rpm-gpg /etc/yum.repos.d /etc/dconf
make_volatile /etc
#
make_volatile /var/lib/rpm
sed -i 's/ ro$/ ro systemd.volatile=yes selinux=1 net.ifnames=0/g' /boot/efi/loader/entries/fedora.conf
exit 0

15
seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/70-locale Normal file
View file

@ -0,0 +1,15 @@
#!/bin/bash
set -xe
find /usr/share/locale/ -mindepth 1 -maxdepth 1 ! -name fr ! -name fr_FR -exec rm -rf '{}' \;
find /usr/lib/locale/ -mindepth 1 -maxdepth 1 ! -name fr_FR.utf8 ! -name C.utf8 -exec rm -rf '{}' \;
find /usr/lib/kbd/keymaps/xkb/ -type f ! -name fr-oss.map.gz -delete
find /usr/lib/kbd/consolefonts/ -type f ! -name eurlatgr.psfu.gz -delete
rm -rf /usr/share/bash-completion
rm -rf /usr/share/pkgconfig
rm -rf /usr/share/licenses/
rm -rf /usr/share/zsh
rm -rf /usr/lib/.build-id
rm -rf /usr/lib/debug
exit 0

7
seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/80-log Normal file
View file

@ -0,0 +1,7 @@
#!/bin/bash
set -xe
rm -rf /var/cache/* /var/log/*
exit 0

10
seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/90-initrd Normal file
View file

@ -0,0 +1,10 @@
#!/bin/bash
set -xe
KERNELVERSION=$(ls /lib/modules)
if [ -f "/boot/efi/$KERNELVERSION/initrd.cdrom" ]; then
mv "/boot/efi/$KERNELVERSION/initrd.cdrom" "/boot/efi/$KERNELVERSION/initrd"
fi
exit 0

11
seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/99-reduce Normal file
View file

@ -0,0 +1,11 @@
#!/bin/bash
set -ex
#
#duperemove -rd /
#
#for size in 1000000000 100000000 10000000 1000000 100000 10000 1000 100 10 1; do
# echo "========================= $size ========================="
# while btrfs filesystem resize -$size /; do :; done
#done
exit 0

63
seed/applicationservice/2022.03.08/base-fedora/packer/os/bin/make_volatile Normal file
View file

@ -0,0 +1,63 @@
#!/bin/bash
set -e
DESTDIR='/usr/lib/tmpfiles.d'
CONF_DST='/usr/share/factory'
EXCLUDES="^(/etc/passwd|/etc/group|/etc/.updated|/etc/.pwd.lock|/etc/pam.d|/etc/systemd/network/dhcp.network|/etc/sudoers.d/qemubuild)$"
ONLY_COPY="^(/etc/localtime)$"
FORCE_LINKS="^(/etc/udev/hwdb.bin)$"
function file_dir_in_tmpfiles() {
letter=$1
directory=$2
mode=$(stat --format "%a" "$directory")
user=$(stat --format "%U" "$directory")
group=$(stat --format "%G" "$directory")
echo "$letter $directory $mode $user $group - -"
}
function calc_symlink_in_tmpfiles() {
dest_name=$1
src_file=$(readlink "$dest_name")
symlink_in_tmpfiles "$dest_name" "$src_file"
}
function symlink_in_tmpfiles() {
dest_name=$1
src_file=$2
echo "L+ $dest_name - - - - $src_file"
}
function main() {
dir_config_orig=$1
mkdir -p "$DESTDIR"
mkdir -p "$CONF_DST$dir_config_orig"
name="${dir_config_orig//\//-}"
systemd_conf="$DESTDIR/risotto$name.conf"
echo "" > $systemd_conf
while IFS= read -r -d '' src_file; do
dest_file="$CONF_DST$src_file"
echo $src_file
if [[ "$src_file" =~ $EXCLUDES ]]; then
echo "$src_file: exclude" >&2
elif [[ -L "$src_file" ]]; then
calc_symlink_in_tmpfiles "$src_file" >> $systemd_conf
elif [[ "$src_file" =~ $FORCE_LINKS ]]; then
symlink_in_tmpfiles "$src_file" "$dest_file" >> $systemd_conf
elif [[ -d "$src_file" ]]; then
file_dir_in_tmpfiles 'd' "$src_file" >> $systemd_conf
[[ ! -d "$dest_file" ]] && mkdir -p "$dest_file"
#echo "$src_file: directory ok"
else
if [[ ! "$src_file" =~ $ONLY_COPY ]]; then
file_dir_in_tmpfiles "C" "$src_file" >> $systemd_conf
fi
[[ -e "$dest_file" ]] && rm -f "$dest_file"
# not a symlink... an hardlink
ln "$src_file" "$dest_file"
#echo "$src_file: file ok"
fi
done < <(find "$dir_config_orig" -print0)
}
main "$1"
exit 0

24
seed/applicationservice/2022.03.08/base-fedora/packer/os/bin/risotto-run-parts Normal file
View file

@ -0,0 +1,24 @@
#!/usr/bin/bash
# run-parts - concept taken from Debian
set +xe
if [ $# -lt 1 ]; then
echo "Usage: risotto-run-parts <dir>"
exit 1
fi
if [ ! -d $1 ]; then
echo "Not a directory: $1"
exit 1
fi
# Ignore *~ and *, scripts
for i in $(LC_ALL=C; echo ${1%/}/*[^~,]) ; do
[ -d $i ] && continue
[ ! -x $i ] && continue
echo "execute $i"
$i 2>&1
done
exit 0

169
seed/applicationservice/2022.03.08/base-fedora/packer/os/http/ks-34.cfg Normal file
View file

@ -0,0 +1,169 @@
# Keyboard layouts
keyboard --xlayouts='fr (oss)'
# System language
lang fr_FR.UTF-8
# Required settings
rootpw qemubuild
user --name=qemubuild --password=qemubuild --groups=wheel
authconfig --enableshadow --enablemd5
# System timezone
timezone Europe/Paris --utc
repo --name=fedora --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
repo --name=updates --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-\$releasever&arch=\$basearch%%EXTRA_URL%%
# Optional settings
#bootloader --location=mbr
bootloader --disabled
clearpart --all --initlabel
firstboot --enable
#install
network --bootproto=dhcp
reboot
selinux --enforcing
#services --enabled=sshd,zram-swap,systemd-networkd,systemd-resolved
services --enabled=sshd --disabled=systemd-vconsole-setup
skipx
text
zerombr
# Disk partition
part / --fstype="ext2" --ondisk=vda --grow
# btrfs : part btrfs.50 --fstype="btrfs" --ondisk=vda --grow
part /boot/efi --fstype="efi" --ondisk=vda --size=30 --fsoptions="umask=0077,shortname=winnt"
#btrfs none --label=fedora_fedora btrfs.50
#btrfs / --subvol --name=root LABEL=fedora_fedora
# Packages
%packages --excludedocs --instLangs=fr --nocore --exclude-weakdeps
#@core --nodefaults
audit
bash
coreutils
#dracut-config-generic
# btrfs duperemove
#glibc-langpack-fr
kbd
kernel-core
microdnf
openssh-server
openssh-clients
qemu-guest-agent
systemd-networkd
#rpm
#shadow-utils
screen
sudo
systemd
#util-linux
-zram
#
-kernel
%end
# Post
%post
# for microdnf
touch /etc/dnf/dnf.conf
# add qemubuild to sudo
echo "qemubuild ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/qemubuild
# remove unecessary directories
rm -rf /usr/share/doc
rm -rf /usr/share/licenses
#rm -rfv /usr/share/icons/*
# remove some random help txt files
rm -fv /usr/share/gnupg/help*.txt
# Pruning random things
rm usr/lib/rpm/rpm.daily
#some random not-that-useful binaries
rm -fv /usr/bin/pinky
# if you want to change the timezone, bind-mount it from the host or reinstall tzdata
localzone=$(readlink /etc/localtime)
mv $localzone /tmp
rm -rfv /usr/share/zoneinfo
mkdir -p $(dirname $localzone)
mv /tmp/$(basename $localzone) $localzone
# configure systemd-networkd
echo """[Match]
Name=*
[Network]
DHCP=yes""" > /etc/systemd/network/dhcp.network
SYSTEMDDIR=/usr/lib/systemd/system
MULTI=$SYSTEMDDIR/multi-user.target.wants
ln -sf ../systemd-networkd.service $MULTI/systemd-networkd.service
ln -sf ../systemd-resolved.service $MULTI/systemd-resolved.service
# initramfs have to mount iso9660 partition
# install bootload
SYSDISK="/dev/vda2"
MACHINEID=`cat /etc/machine-id`
KERNELVERSION=`ls /lib/modules`
DISK=`lsblk -n $SYSDISK -o uuid`
mkdir /boot/$MACHINEID
# btrfs : echo "root=UUID=$DISK ro rootflags=subvol=root" > /etc/kernel/cmdline
echo "root=UUID=$DISK ro" > /etc/kernel/cmdline
# add CDROM driver
echo 'add_drivers+=" iso9660 "' > /etc/dracut.conf.d/cdrom.conf
kernel-install add $KERNELVERSION /lib/modules/$KERNELVERSION/vmlinuz
mv /boot/$MACHINEID/$KERNELVERSION /boot/efi
# // ADD MOUNT INSTRUCTION IN INITRAMFS
# build second initrd file that mount cdrom to /usr
#echo 'add_fstab+=/tmp/fstab' >> /etc/dracut.conf.d/cdrom.conf
#echo "/dev/sr0 /sysroot/usr/local/lib iso9660 ro,relatime,x-systemd.after=sysroot.mount,x-systemd.before=systemd-volatile-root.service 0 0" > /tmp/fstab
#echo "/dev/sr0 /sysroot/usr/local/lib iso9660 ro,x-initrd.mount,nosuid,noexec,uid=0,gid=0,mode=400 0 0" > /tmp/fstab
echo "[Unit]
DefaultDependencies=no
After=sysroot.mount
Before=initrd-udevadm-cleanup-db.service
#Before=systemd-volatile-root.service
After=blockdev@dev-sr0.target
[Service]
Type=oneshot
ExecStart=mount /dev/sr0 /sysroot/usr/local/lib -t iso9660 -o defaults,ro,nosuid,noexec,uid=0,gid=0,mode=400
" > /usr/lib/systemd/system/sysroot-usr-local-lib.service
# // VERSION .mount
#[Mount]
#Where=/sysroot/usr/local/lib
#What=/dev/sr0
#Type=iso9660
#Options=defaults,ro,nosuid,noexec,uid=0,gid=0,mode=400" > /usr/lib/systemd/system/sysroot-usr-local-lib.mount
mkdir -p /usr/lib/systemd/system/initrd-root-fs.target.requires
cd /usr/lib/systemd/system/initrd-root-fs.target.requires
#ln -sf ../sysroot-usr-local-lib.mount .
ln -sf ../sysroot-usr-local-lib.service .
#echo 'install_items+=" /usr/lib/systemd/system/sysroot-usr-local-lib.mount /usr/lib/systemd/system/initrd-root-fs.target.requires/sysroot-usr-local-lib.mount "' >> /etc/dracut.conf.d/cdrom.conf
echo 'install_items+=" /usr/lib/systemd/system/sysroot-usr-local-lib.service /usr/lib/systemd/system/initrd-root-fs.target.requires/sysroot-usr-local-lib.service "' >> /etc/dracut.conf.d/cdrom.conf
kernel-install add $KERNELVERSION /lib/modules/$KERNELVERSION/vmlinuz
mv /boot/$MACHINEID/$KERNELVERSION/initrd /boot/efi/$KERNELVERSION/initrd.cdrom
rm -f /etc/dracut.conf.d/cdrom.conf
// END INITRAMFS
# rename entry file without machine ID
mv /boot/loader/entries/$MACHINEID-$KERNELVERSION.conf /boot/loader/entries/fedora.conf
sed -i "/^machine-id /d" /boot/loader/entries/fedora.conf
sed -i "s@/boot/$MACHINEID/$KERNELVERSION/@/$KERNELVERSION/@g" /boot/loader/entries/fedora.conf
# move it in EFI directory for systemd-boot
mv /boot/loader /boot/efi
# remove unused file
rm -rf /lib/modules/$KERNELVERSION/vmlinuz /boot/initramfs* /boot/$MACHINEID
# install systemd-boot
bootctl install
# remove authselect and dracut
microdnf -y remove dracut xz acl authselect authselect-compat authselect-libs chrony cpio libkcapi-hmaccalc libkcapi linux-firmware linux-firmware-whence
# remove python3
microdnf -y remove python3 python3-libs python-pip-wheel python-setuptools-wheel gdbm-libs
# remove langpacks fr
microdnf -y remove langpacks-fr langpacks-core-fr langpacks-core-font-fr dejavu-sans-fonts fonts-filesystem
rm -f /var/lib/systemd/random-seed
rm -rfv /var/lib/authselect
%end

13
seed/applicationservice/2022.03.08/base-fedora/packer/os/preprocessors Executable file
View file

@ -0,0 +1,13 @@
#!/bin/bash
set -xe
echo "Preprocessors"
if [ ! -z $https_proxy ]; then
sed -i "s@%%EXTRA_URL%%@ --proxy=$https_proxy@g" http/ks-34.cfg
else
sed -i "s@%%EXTRA_URL%%@@g" http/ks-34.cfg
fi
exit 0

71
seed/applicationservice/2022.03.08/base-fedora/packer/os/recipe.json Normal file
View file

@ -0,0 +1,71 @@
{
"builders": [
{
"format": "qcow2",
"headless": true,
"output_directory": "{{user `tmp_directory`}}/output",
"shutdown_command": "echo packer | sudo -S shutdown -P now",
"ssh_password": "qemubuild",
"ssh_username": "qemubuild",
"ssh_wait_timeout": "120m",
"type": "qemu",
"disk_interface": "virtio",
"vm_name": "image.img",
"qemuargs": [
["-drive", "file=output/image.img,if=virtio,cache=writeback,discard=ignore,format=qcow2"],
["-drive", "if=pflash,format=raw,readonly=on,file=/usr/share/OVMF/OVMF_CODE.fd"]
],
"memory": "2048",
"vnc_bind_address": "0.0.0.0",
"boot_command": [
"<up>e<down><down><end> inst.text inst.gpt inst.ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/ks-34.cfg <leftCtrlOn>x<leftCtrlOff> <wait>"
],
"disk_size": "4096",
"iso_checksum_type": "sha256",
"iso_checksum": "e1a38b9faa62f793ad4561b308c31f32876cfaaee94457a7a9108aaddaeec406",
"iso_url": "https://download.fedoraproject.org/pub/fedora/linux/releases/34/Server/x86_64/iso/Fedora-Server-netinst-x86_64-34-1.2.iso",
"http_directory": "{{user `tmp_directory`}}/http"
}
],
"provisioners": [
{
"type": "file",
"source": "{{user `tmp_directory`}}/bin",
"destination": "/tmp/bin"
},
{
"type": "shell",
"inline": [
"sudo mv /tmp/bin/* /usr/local/bin",
"sudo chown root: /usr/local/bin/*",
"sudo chmod +x /usr/local/bin/*"
]
},
{
"type": "file",
"source": "{{user `tmp_directory`}}/scripts",
"destination": "/tmp/scripts"
},
{
"type": "shell",
"inline": [
"sudo chown root: /tmp/scripts/*",
"sudo chmod +x /tmp/scripts/*",
"sudo risotto-run-parts /tmp/scripts/"
]
}
],
"post-processors": [
{
"type": "shell-local",
"inline": [
"sleep 5",
"mkdir -p {{user `tmp_directory`}}/tmp",
"LIBGUESTFS_BACKEND=direct virt-sysprep -a {{user `tmp_directory`}}/output/image.img",
"LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ --compress {{user `tmp_directory`}}/output/image.img {{user `tmp_directory`}}/image.img",
"sha256sum {{user `tmp_directory`}}/image.img > {{user `tmp_directory`}}/image.sha256",
"rm -rf {{user `tmp_directory`}}/tmp {{user `tmp_directory`}}/output"
]
}
]
}

7
seed/applicationservice/2022.03.08/base-fedora/packer/os/scripts/30-rpm_vaccum Normal file
View file

@ -0,0 +1,7 @@
#!/bin/bash
set -xe
echo VACUUM |sqlite3 /var/lib/rpm/rpmdb.sqlite
exit 0

19
seed/applicationservice/2022.03.08/base-fedora/packer/os/scripts/40-locale Normal file
View file

@ -0,0 +1,19 @@
#!/bin/bash
set -xe
find /usr/share/locale/ -mindepth 1 -maxdepth 1 ! -name fr ! -name fr_FR -exec rm -rf '{}' \;
find /usr/lib/locale/ -mindepth 1 -maxdepth 1 ! -name fr_FR.utf8 ! -name C.utf8 -exec rm -rf '{}' \;
find /usr/share/terminfo -mindepth 1 -maxdepth 1 ! -name l ! -name d ! -name s -exec rm -rf '{}' \;
find /usr/share/terminfo/s/screen -type f ! -name screen-256color -delete
find /usr/lib/kbd/keymaps/xkb/ -type f ! -name fr-oss.map.gz -delete
find /usr/lib/kbd/consolefonts/ -type f ! -name eurlatgr.psfu.gz -delete
rm -rf /usr/lib/kbd/consoletrans
rm -rf /usr/lib/kbd/unimaps
rm -rf /usr/lib/kernel
rm -rf /usr/lib/systemd/boot
rm -rf /usr/share/bash-completion
rm -rf /usr/share/pkgconfig
rm -rf /usr/share/licenses/
rm -rf /usr/lib/debug
exit 0

2
seed/applicationservice/2022.03.08/base-fedora/templates/fedora.conf Normal file
View file

@ -0,0 +1,2 @@
d /var/log/audit 755 root root - -
d /var/log/journal 755 root systemd-journal - -

11
seed/applicationservice/2022.03.08/base-fedora/templates/update-ca-trust.service Normal file
View file

@ -0,0 +1,11 @@
[Unit]
Description=Update CA trust
Before=network-pre.target
[Service]
Type=oneshot
ExecStart=/usr/bin/update-ca-trust
[Install]
WantedBy=multi-user.target

2
seed/applicationservice/2022.03.08/base/applicationservice.yml Normal file
View file

@ -0,0 +1,2 @@
format: '0.1'
description: Information de base d'un serveur

79
seed/applicationservice/2022.03.08/base/dictionaries/00-base.xml Normal file
View file

@ -0,0 +1,79 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<family name='general' description="Général">
<variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" hidden="True"/>
<variable name="number_of_interfaces" type="number" description="Nombre d'interface disponible" hidden="True"/>
<variable name="interfaces_list" type="number" multi="True" description="Liste de toutes les interfaces" hidden="True"/>
<variable name="server_deployed" type="boolean" description="Le serveur est déployé" hidden="True">
<value>False</value>
</variable>
</family>
<family name="dns" description="DNS">
<variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur SMTP"/>
<variable name="ip_dns" type="ip" description="The DNS server" hidden="True"/>
</family>
<family name="interface_" description="Interface " dynamic="interfaces_list">
<variable name="zone_name_eth" type="string" description="Zone name for interface " hidden="True"/>
<variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" provider="ip"/>
<variable name="network_eth" type="network_cidr" description="The zone network for interface " hidden="True"/>
<variable name="gateway_eth" type="ip" description="The zone gateway for interface "/>
<variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True"/>
</family>
</variables>
<constraints>
<fill name="set_linked">
<param name="linked_server" type="variable">dns_client_address</param>
<param name="linked_provider">dns</param>
<param name="linked_value" type="variable">ip_eth0</param>
<param name="linked_returns">ip</param>
<target>ip_dns</target>
</fill>
<fill name="get_number_of_interfaces">
<param type="information">zones_name</param>
<target>number_of_interfaces</target>
</fill>
<fill name="calc_value">
<param type="information">zones_name</param>
<target>zones_list</target>
</fill>
<fill name="get_range">
<param type="variable">number_of_interfaces</param>
<target>interfaces_list</target>
</fill>
<fill name="get_ip">
<param name="server_name" type="information">server_name</param>
<param name="zones_name" type="information">zones_name</param>
<param name="index" type="suffix"/>
<target>ip_eth</target>
</fill>
<!-- Return "server_name" only for domain_name_eth0 -->
<fill name="get_domain_name">
<param type="information">server_name</param>
<param type="information">extra_domainnames</param>
<param type="suffix"/>
<target>domain_name_eth</target>
</fill>
<fill name="get_zone_name">
<param type="information">zones_name</param>
<param name="index" type="suffix"/>
<target>zone_name_eth</target>
</fill>
<fill name="zone_information">
<param type="variable">zone_name_eth</param>
<param>network</param>
<target>network_eth</target>
</fill>
<fill name="zone_information">
<param type="variable">zone_name_eth</param>
<param>gateway</param>
<param name="index" type="suffix"/>
<target>gateway_eth</target>
</fill>
<check name="valid_entier">
<param name="mini" type="number">1</param>
<target>number_of_interfaces</target>
</check>
</constraints>
</rougail>

14
seed/applicationservice/2022.03.08/base/extras/machine/00_base.xml Normal file
View file

@ -0,0 +1,14 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<variable name='name' description="Machine name" type="domainname" hidden="True"/>
<variable name='data_disk_size' description="Data disk size" type="number"/>
</variables>
<constraints>
<fill name="calc_value">
<param type="variable">domain_name_eth0</param>
<target>machine.name</target>
</fill>
</constraints>
</rougail>

95
seed/applicationservice/2022.03.08/base/funcs/funcs.py Normal file
View file

@ -0,0 +1,95 @@
import __main__
from secrets import token_urlsafe as _token_urlsafe, token_hex as _token_hex
from string import ascii_letters as _ascii_letters
from random import choice as _choice
from os.path import dirname as _dirname, abspath as _abspath, join as _join, isfile as _isfile, isdir as _isdir
from os import makedirs as _makedirs
HERE = _dirname(_abspath(__main__.__file__))
PASSWORD_DIR = _join(HERE, 'password')
def get_password(server_name: str,
username: str,
description: str,
type: str,
length: int=20,
temporary: bool=True,
) -> str:
if type != 'cleartext':
raise Exception('only cleartext is supported')
def gen_password():
return _token_urlsafe(length)[:length]
return _set_password(server_name,
username,
description,
gen_password,
temporary,
)
def get_password_alpha_num(server_name,
username: str,
description: str,
length,
starts_with_char=False,
):
def gen_password():
password = _token_hex()
if starts_with_char:
password = _choice(_ascii_letters) + password
return password[:length]
return _set_password(server_name,
username,
description,
gen_password,
True,
)
def _set_password(server_name: str,
username: str,
description: str,
gen_password,
temporary,
) -> str:
if not server_name or not username:
return
dir_name = _join('password', server_name, description)
if not _isdir(dir_name):
_makedirs(dir_name)
file_name = _join(dir_name, username)
if not _isfile(file_name):
password = gen_password()
with open(file_name, 'w') as fh:
fh.write(password)
with open(file_name, 'r') as fh:
return fh.read().strip()
def get_range(stop):
return list(range(stop))
def get_number_of_interfaces(zones):
if zones is None:
return 1
return len(zones)
def get_zone_name(zones: list,
index: str,
):
if zones is not None:
return zones[int(index)]
def get_domain_name(server_name: str,
extra_domainnames: list,
suffix: str,
) -> str:
index = int(suffix)
if index == 0:
return server_name
return extra_domainnames[index - 1]

11
seed/applicationservice/2022.03.08/base/manual/install/config.sh Normal file
View file

@ -0,0 +1,11 @@
# root dir configuration
RISOTTO_DIR="/var/lib/risotto"
RISOTTO_IMAGE_DIR="$RISOTTO_DIR/images"
RISOTTO_SRV_DIR="$RISOTTO_DIR/srv"
RISOTTO_CONFIG_DIR="$RISOTTO_DIR/configurations"
MACHINES_DIR="/var/lib/machines"
# image configuration
IMAGE_BASE_RISOTTO_BASE_DIR="$RISOTTO_IMAGE_DIR/image_bases"
IMAGE_NAME_RISOTTO_IMAGE_DIR="$RISOTTO_IMAGE_DIR/$IMAGE_NAME"
IMAGE_NAME_RISOTTO_IMAGE_NAME="$RISOTTO_IMAGE_DIR/$IMAGE_NAME".tar
IMAGE_NAME_MACHINE_LOCK="$MACHINES_DIR/.#$IMAGE_NAME.lck"

14
seed/applicationservice/2022.03.08/base/manual/install/config_machine.sh Normal file
View file

@ -0,0 +1,14 @@
# machine configuration
MACHINE_RISOTTO_SRV_DIR_LOCAL="srv/$MACHINE"
MACHINE_RISOTTO_SRV_DIR="$RISOTTO_SRV_DIR/$MACHINE"
MACHINE_RISOTTO_CONFIG_DIR_LOCAL="$IMAGE_NAME/configurations/$MACHINE"
MACHINE_RISOTTO_CONFIG_DIR="$RISOTTO_CONFIG_DIR/$MACHINE"
MACHINE_MACHINES_DIR="$MACHINES_DIR/$MACHINE"
HOST_DIR="host/configurations/$HOST_NAME"
MACHINE_NAME_NSPAWN="/etc/systemd/nspawn/$MACHINE.nspawn"
MACHINE_NAME_NSPAWN_LOCAL="$HOST_DIR$MACHINE_NAME_NSPAWN"
MACHINE_NAME_SCRIPT="/usr/local/lib/sbin/network-$MACHINE"
MACHINE_NAME_SCRIPT_LOCAL="$HOST_DIR$MACHINE_NAME_SCRIPT"
#MACHINE_MACHINE_LOCK="$MACHINES_DIR/.#$MACHINE.lck"
SHA_MACHINE_DIR="$RISOTTO_CONFIG_DIR/sha"
SHA_MACHINE="$SHA_MACHINE_DIR/$MACHINE".sha

53
seed/applicationservice/2022.03.08/base/manual/install/diff.py Executable file
View file

@ -0,0 +1,53 @@
#!/usr/bin/env python3
from os.path import join
from filecmp import dircmp
from difflib import unified_diff
from sys import stdout, argv
from datetime import datetime, timezone
os_name = argv[1]
OLD_DIR = argv[2]
NEW_DIR = argv[3]
FILES = []
def diff_files(dcmp):
for name in dcmp.diff_files:
FILES.append(join(dcmp.right[len(NEW_DIR):], name))
for sub_dcmp in dcmp.subdirs.values():
diff_files(sub_dcmp)
dcmp = dircmp(OLD_DIR, NEW_DIR)
diff_files(dcmp)
date = datetime.now(timezone.utc).isoformat()
title = f"Nouvelle version de la configuration de {os_name}"
subtitle = f"Différence entre les fichiers de configuration de {os_name}"
print(f"""+++
title = "{title}"
description = "{subtitle}"
date = {date}
updated = {date}
draft = false
template = "blog/page.html"
[taxonomies]
authors = ["Automate"]
[extra]
lead = "{subtitle}."
type = "installe"
+++
""")
for filename in FILES:
with open(join(OLD_DIR, filename[1:]), 'r') as ori:
ori_content = ori.readlines()
with open(join(NEW_DIR, filename[1:]), 'r') as new:
new_content = new.readlines()
print(f'- mise à jour du fichier {filename} :\n')
print('```diff')
for line in unified_diff(ori_content, new_content, fromfile=filename, tofile=filename):
print(line.rstrip())
print('```')

27
seed/applicationservice/2022.03.08/base/manual/install/install_host Executable file
View file

@ -0,0 +1,27 @@
#!/bin/bash -xe
HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then
echo "usage: $0 host name"
exit 1
fi
apt install --yes systemd-container dnf jq debootstrap htop
systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0asystemd-nspawn.conf
systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0rougail.conf
systemctl daemon-reload
systemctl restart systemd-sysctl.service
systemctl enable systemd-networkd
systemctl restart systemd-networkd
systemctl enable systemd-resolved
systemctl restart systemd-resolved
# systemctl mask dev-hugepages.mount
#nft add table nat
#nft flush table nat;
#nft 'add chain nat prerouting { type nat hook prerouting priority -100; }'
#nft 'add rule nat prerouting iif enp0s3 tcp dport { 80, 443 } dnat to 192.168.45.12'
#nft 'add chain nat postrouting { type nat hook postrouting priority -100; }'
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
exit 0

161
seed/applicationservice/2022.03.08/base/manual/install/install_image Executable file
View file

@ -0,0 +1,161 @@
#!/bin/bash -xe
HOST_NAME=$1
IMAGE_NAME=$2
if [ -z "$IMAGE_NAME" ]; then
echo "PAS DE NOM DE MODULE"
exit 1
fi
. config.sh
rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" tmp
mkdir -p "$RISOTTO_IMAGE_DIR"
PKG=""
BASE_DIR=""
for script in $(ls $IMAGE_NAME/preinstall/*.sh 2> /dev/null); do
. "$script"
done
if [ -z "$OS_NAME" ]; then
echo "NO OS NAME DEFINED"
exit 0
fi
if [ -z "$RELEASEVER" ]; then
echo "NO RELEASEVER DEFINED"
exit 0
fi
if [ -z "$INSTALL_TOOL" ]; then
echo "NO INSTALL TOOL DEFINED"
exit 0
fi
BASE_NAME="$OS_NAME-$RELEASEVER"
BASE_DIR="$IMAGE_BASE_RISOTTO_BASE_DIR/$BASE_NAME"
BASE_TAR="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME".tar
BASE_PKGS_FILE="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.pkgs"
BASE_LOCK="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.build"
function dnf_opt() {
INSTALL_DIR=$1
INSTALL_PKG=$2
echo "--setopt=install_weak_deps=False --nodocs --noplugins --installroot=$INSTALL_DIR --releasever $RELEASEVER install $INSTALL_PKG"
}
function new_package_base() {
if [ "$INSTALL_TOOL" = "dnf" ]; then
OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
else
debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR"
chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
fi
}
function install_base() {
if [ "$INSTALL_TOOL" = "dnf" ]; then
OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
dnf --assumeyes $OPT
fi
}
function new_package() {
if [ "$INSTALL_TOOL" = "dnf" ]; then
OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
dnf --assumeno $OPT | grep ^" " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
else
chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG -s 2>/dev/null|grep ^"Inst " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
fi
}
function install_pkg() {
if [ "$INSTALL_TOOL" = "dnf" ]; then
OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
dnf --assumeyes $OPT
else
chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG
fi
}
if [ ! -f "$BASE_LOCK" ]; then
rm -rf "$BASE_DIR"
new_package_base
diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
if [ ! -f "$BASE_TAR" ] || [ "$NEW_BASE" = true ]; then
mkdir -p "$IMAGE_BASE_RISOTTO_BASE_DIR"
install_base
cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
tar cf "$BASE_TAR" "$BASE_NAME"
cd -
if [ -f "$BASE_PKGS_FILE" ]; then
mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
fi
mv "$BASE_PKGS_FILE".new "$BASE_PKGS_FILE"
rm -rf "$IMAGE_BASE_RISOTTO_BASE_DIR"
fi
rm -rf "$BASE_DIR"
touch "$BASE_LOCK"
fi
tar xf "$BASE_TAR"
mv "$BASE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
if [ -n "$COPR" ]; then
#FIXME signature...
mkdir -p "$REPO_DIR"
cd "$REPO_DIR"
wget "$COPR"
cd -
fi
# FIXME verifier s'il y a des modifs sur pre/post
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
echo "Différence(s) avec les paquets de base"
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && NEW_BASE=false || NEW_BASE=true
else
NEW_BASE=true
fi
new_package
if [ "$NEW_BASE" = false ]; then
echo "Différence(s) avec les paquets de l'image"
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
else
INSTALL=true
fi
if [ "$INSTALL" = true ]; then
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
else
VERSION=0
fi
mkdir tmp
cd tmp
if [ ! "$VERSION" = 0 ]; then
tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
fi
../make_changelog "$IMAGE_NAME" "$VERSION" "$OS_NAME" "$RELEASEVER" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER"_"$VERSION"_changelog.md
cd -
rm -rf tmp
install_pkg
sleep 2
for script in $(ls $IMAGE_NAME/postinstall/*.sh 2> /dev/null); do
. "$script"
done
CONTAINER=$IMAGE_NAME ./make_volatile /etc
if [ ! "$?" = 0 ]; then
echo "make_volatile failed"
exit 1
fi
cd "$RISOTTO_IMAGE_DIR"
#7zr a "$IMAGE_NAME".7z "$IMAGE_NAME"
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" ]; then
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_NAME".old
fi
tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
cd -
cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
VERSION=$((VERSION + 1))
echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
fi
rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
exit 0

15
seed/applicationservice/2022.03.08/base/manual/install/install_images Executable file
View file

@ -0,0 +1,15 @@
#!/bin/bash -xe
HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then
echo "usage: $0 host name"
exit 1
fi
. config.sh
rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
for image in *; do
if [ -d "$image" ]; then
./install_image "$HOST_NAME" "$image"
fi
done
rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
exit 0

51
seed/applicationservice/2022.03.08/base/manual/install/install_machine Executable file
View file

@ -0,0 +1,51 @@
#!/bin/bash -xe
HOST_NAME=$1
IMAGE_NAME=$2
MACHINE=$3
. config.sh
. config_machine.sh
if [ -z "$MACHINE" ]; then
echo "usage: $0 name pkg dns_name"
exit 1
fi
if [ ! -f "$MACHINE_NAME_NSPAWN_LOCAL" ]; then
echo "PAS DE CONFIG NSPAWN $MACHINE_NAME_NSPAWN_LOCAL"
exit 0
fi
if [ ! -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" ]; then
echo "PAS D'IMAGE $IMAGE_NAME_RISOTTO_IMAGE_NAME"
exit 1
fi
if [ -L "$MACHINE_MACHINES_DIR" ] || [ -d "$MACHINE_MACHINES_DIR" ]; then
machinectl stop "$MACHINE" 2> /dev/null || true
while true; do
machinectl status "$MACHINE" > /dev/null 2>&1 || break
sleep 1
echo "retry..."
done
diff -q "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE" || rm -rf "$MACHINE_MACHINES_DIR"
fi
if [ -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
# fait un diff
diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || ( ./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md; rm -rf "$MACHINE_RISOTTO_CONFIG_DIR" )
fi
cp -a "$MACHINE_NAME_NSPAWN_LOCAL" "$MACHINE_NAME_NSPAWN"
cp -a "$MACHINE_NAME_SCRIPT_LOCAL" "$MACHINE_NAME_SCRIPT"
if [ ! -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
cp -a "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" "$MACHINE_RISOTTO_CONFIG_DIR"
fi
if [ ! -d "$MACHINE_RISOTTO_SRV_DIR" ] && [ -d "$MACHINE_RISOTTO_SRV_DIR_LOCAL" ]; then
mkdir -p "$MACHINE_RISOTTO_SRV_DIR"
fi
if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
cd "$MACHINES_DIR"
tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
mkdir -p "$SHA_MACHINE_DIR"
cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
cd -
fi
exit 0

25
seed/applicationservice/2022.03.08/base/manual/install/install_machines Executable file
View file

@ -0,0 +1,25 @@
#!/bin/bash -xe
HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then
echo "usage: $0 host name"
exit 1
fi
MACHINES=""
for image in *; do
if [ -d "$image" ]; then
for os in $image/configurations/*; do
if [ -d "$os" ]; then
osname="$(basename $os)"
if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
MACHINES="$MACHINES$osname "
fi
./install_machine "$HOST_NAME" "$image" "$osname"
fi
done
fi
done
machinectl enable $MACHINES
machinectl start $MACHINES
exit 0

178
seed/applicationservice/2022.03.08/base/manual/install/make_changelog Executable file
View file

@ -0,0 +1,178 @@
#!/usr/bin/env python3
import logging
from dnf.conf import Conf
from dnf.cli.cli import BaseCli, Cli
from dnf.cli.output import Output
from dnf.cli.option_parser import OptionParser
from dnf.i18n import _, ucd
from datetime import datetime, timezone
from sys import argv
from os import getcwd, unlink
from os.path import isfile, join
from glob import glob
from subprocess import run
# List new or removed file
def read_dnf_pkg_file(os_name, filename1, filename2):
if os_name == 'debian':
idx_pkg = 0, 1
idx_version = 1, 2
header_idx = 0, 0
else:
idx_pkg = 0, 0
idx_version = 2, 2
header_idx = 2, 2
pass
pkgs = {}
for fidx, filename in enumerate((filename1, filename2)):
if not isfile(filename):
continue
with open(filename, 'r') as pkgs_fh:
for idx, pkg_line in enumerate(pkgs_fh.readlines()):
if idx < header_idx[fidx]:
# header
print("béééé")
continue
sp_line = pkg_line.strip().split()
if len(sp_line) < idx_version[fidx] + 1:
continue
if sp_line[idx_pkg[fidx]] in pkgs:
raise Exception(f'package already set {sp_line[0]}?')
version = sp_line[idx_version[fidx]]
if os_name == 'debian' and version.startswith('('):
version = version[1:]
pkgs[sp_line[idx_pkg[fidx]]] = version
return pkgs
def list_packages(title, packages, packages_info):
print(f'# {title}\n')
if not packages:
print('*Aucun*')
packages = list(packages)
packages = sorted(packages)
for idx, pkg in enumerate(packages):
print(f' - {pkg} ({packages_info[pkg]})')
print()
# List updated packages
class CustomOutput(Output):
def listPkgs(self, *args, **kwargs):
# do not display list
pass
def format_changelog_markdown(changelog):
"""Return changelog formatted as in spec file"""
text = '\n'.join([f' {line}' for line in changelog['text'].split('\n')])
chlog_str = ' - %s %s\n\n%s\n' % (
changelog['timestamp'].strftime("%a %b %d %X %Y"),
ucd(changelog['author']),
ucd(text))
return chlog_str
def print_changelogs_markdown(packages):
# group packages by src.rpm to avoid showing duplicate changelogs
self = BASE
bysrpm = dict()
for p in packages:
# there are packages without source_name, use name then.
bysrpm.setdefault(p.source_name or p.name, []).append(p)
for source_name in sorted(bysrpm.keys()):
bin_packages = bysrpm[source_name]
print('- ' + _("Changelogs for {}").format(', '.join([str(pkg) for pkg in bin_packages])))
print()
for chl in self.latest_changelogs(bin_packages[0]):
print(format_changelog_markdown(chl))
def dnf_update(image_name):
conf = Conf()
# obsoletes are already listed
conf.obsoletes = False
with BaseCli(conf) as base:
global BASE
BASE = base
base.print_changelogs = print_changelogs_markdown
custom_output = CustomOutput(base.output.base, base.output.conf)
base.output = custom_output
cli = Cli(base)
image_dir = join(getcwd(), image_name)
cli.configure(['--setopt=install_weak_deps=False', '--nodocs', '--noplugins', '--installroot=' + image_dir, '--releasever', '35', 'check-update', '--changelog'], OptionParser())
logger = logging.getLogger("dnf")
for h in logger.handlers:
logger.removeHandler(h)
logger.addHandler(logging.NullHandler())
cli.run()
def main(os_name, image_name, old_version, releasever):
date = datetime.now(timezone.utc).isoformat()
if old_version == 0:
title = f"Création de l'image {image_name}"
subtitle = f"Les paquets de la première image {image_name} sur base Fedora {releasever}"
else:
title = f"Nouvelle version de l'image {image_name}"
subtitle = f"Différence des paquets de l'image {image_name} sur base Fedora {releasever} entre la version {old_version} et {old_version + 1}"
print(f"""+++
title = "{title}"
description = "{subtitle}"
date = {date}
updated = {date}
draft = false
template = "blog/page.html"
[taxonomies]
authors = ["Automate"]
[extra]
lead = "{subtitle}."
type = "installe"
+++
""")
new_dict = read_dnf_pkg_file(os_name, f'/var/lib/risotto/images/image_bases-{os_name}-{releasever}.pkgs', f'/var/lib/risotto/images/{image_name}.pkgs.new')
new_pkg = new_dict.keys()
old_file = f'/var/lib/risotto/images/{image_name}.pkgs'
if not old_version or not isfile(old_file):
list_packages('Liste des paquets', new_pkg, new_dict)
else:
ori_dict = read_dnf_pkg_file(os_name, f'/var/lib/risotto/images/{image_name}.base.pkgs', old_file)
ori_pkg = ori_dict.keys()
list_packages('Les paquets supprimés', ori_pkg - new_pkg, ori_dict)
list_packages('Les paquets ajoutés', new_pkg - ori_pkg, new_dict)
print('# Les paquets mises à jour\n')
if os_name == 'fedora':
dnf_update(image_name)
else:
for filename in glob('*.deb'):
unlink(filename)
for package in ori_pkg & new_dict:
if ori_dict[package] == new_dict[package]:
continue
run(['apt', 'download', package])
packages = list(glob('*.deb'))
packages.sort()
for package in packages:
info = run(['apt-listchanges', '--which', 'both', '-f', 'text', package], capture_output=True)
header = True
for line in info.split('\n'):
if not header:
print(line)
if line.startswith('-----------------------'):
header = False
print()
unlink(package)
if __name__ == "__main__":
image_name = argv[1]
old_version = int(argv[2])
os_name = argv[3]
releasever = argv[4]
main(os_name, image_name, old_version, releasever)

77
seed/applicationservice/2022.03.08/base/manual/install/make_volatile Executable file
View file

@ -0,0 +1,77 @@
#!/bin/bash -e
if [ -z $CONTAINER ]; then
echo "PAS DE CONTAINER"
exit 1
fi
ROOT="/var/lib/risotto/images/$CONTAINER"
echo "$ROOT"
DESTDIR="$ROOT/usr/lib/tmpfiles.d"
CONF_DST="/usr/share/factory"
EXCLUDES="^($ROOT/etc/passwd|$ROOT/etc/group|$ROOT/etc/.updated|$ROOT/etc/.pwd.lock|$ROOT/etc/systemd/network/dhcp.network|$ROOT/etc/sudoers.d/qemubuild)$"
ONLY_COPY="^($ROOT/etc/localtime)$"
FORCE_LINKS="^($ROOT/etc/udev/hwdb.bin)$"
function execute() {
chroot $ROOT $@
}
function file_dir_in_tmpfiles() {
letter=$1
directory=$2
local_directory=$(echo $directory|sed "s@^$ROOT@@g")
mode=$(execute "/usr/bin/stat" "--format" "%a" "$local_directory" | grep -o "[0-9.]\+")
user=$(execute "/usr/bin/stat" "--format" "%U" "$local_directory" | grep -o "[0-9a-zA-Z.-]\+")
group=$(execute "/usr/bin/stat" "--format" "%G" "$local_directory" | grep -o "[0-9a-zA-Z.-]\+")
echo "$letter $local_directory $mode $user $group - -"
}
function calc_symlink_in_tmpfiles() {
dest_name=$1
local_dest_name=$2
src_file=$(readlink "$dest_name")
symlink_in_tmpfiles "$local_dest_name" "$src_file"
}
function symlink_in_tmpfiles() {
dest_name=$1
src_file=$2
echo "L+ $dest_name - - - - $src_file"
}
function main() {
dir_config_orig=$1
name="${dir_config_orig//\//-}"
dir_config_orig=$ROOT$dir_config_orig
mkdir -p "$DESTDIR"
mkdir -p "$ROOTCONF_DST$dir_config_orig"
systemd_conf="$DESTDIR/risotto$name.conf"
rm -f $systemd_conf
shopt -s globstar
for src_file in $dir_config_orig/**; do
local_src=$(echo $src_file|sed "s@$ROOT@@g")
dest_file="$ROOT$CONF_DST$local_src"
if [[ "$src_file" =~ $EXCLUDES ]]; then
echo "$src_file: exclude" >&2
elif [[ -L "$src_file" ]]; then
calc_symlink_in_tmpfiles "$src_file" "$local_src" >> $systemd_conf
elif [[ "$src_file" =~ $FORCE_LINKS ]]; then
symlink_in_tmpfiles "$src_file" "$dest_file" >> $systemd_conf
elif [[ -d "$src_file" ]]; then
file_dir_in_tmpfiles 'd' "$src_file" >> $systemd_conf
[[ ! -d "$dest_file" ]] && mkdir -p "$dest_file"
#echo "$src_file: directory ok"
else
if [[ ! "$src_file" =~ $ONLY_COPY ]]; then
file_dir_in_tmpfiles "C" "$src_file" >> $systemd_conf
fi
[[ -e "$dest_file" ]] && rm -f "$dest_file"
# not a symlink... an hardlink
ln "$src_file" "$dest_file"
#echo "$src_file: file ok"
fi
done
}
main "$1"
echo "fin"
exit 0

67
seed/applicationservice/2022.03.08/dovecot/DEBUG.md Normal file
View file

@ -0,0 +1,67 @@
# recherche d'un utilisateur :
```
USER=gnunux@gnunux.info
su - postfix -s /bin/bash -c "postmap -q $USER ldap:/etc/postfix/ldapsource.cf"
```
Doit retourner le nom de l'utilisateur.
Il est possible de demander le mode verbeux :
```
su - postfix -s /bin/bash -c "postmap -vq $USER ldap:/etc/postfix/ldapsource.cf"
```
# Test with telnet
EHLO root.gnunux.info
[..]
250-AUTH PLAIN LOGIN
[..]
MAIL FROM:<gnunux@gnunux.info>
RCPT TO:<gnunux@gnunux.info>
DATA
To:<gnunux@gnunux.info>
From:<gnunux@gnunux.info>
Subject:SMTP Test
This is a test message
.
# auth with telnet
echo -ne '\000gnunux@gnunux.info\000password' | openssl base64
openssl s_client -connect 192.168.45.13:25 -starttls smtp
EHLO client.example.com
[..]
AUTH PLAIN AGdudW51eEBnbnVudXguaW5mbwBxVV96Vl9kbEUzUm82WmpTcjFHOGNzbmd4ajA=
235 2.7.0 Authentication successful
# Un élément de configuration
postconf maillog_file
# Editer la configuration
postconf maillog_file=/dev/stdout
# debug
You can easily print the last 1000 error messages of a running Dovecot:
doveadm log errors
## debug
sed -i 's/#mail_debug = no/mail_debug = yes/g' /etc/dovecot/conf.d/10-logging.conf
systemctl restart dovecot
## ldap debug
echo "debug_level = -1" >> /etc/dovecot/dovecot-ldap.conf.ext
systemctl restart dovecot
## oauth debug
echo "debug = yes" >> /etc/dovecot/dovecot-oauth2.conf.ext
systemctl restart dovecot

2
seed/applicationservice/2022.03.08/dovecot/FIXME Normal file
View file

@ -0,0 +1,2 @@
SPF : https://www.djaodjin.com/blog/postfix-dovecot-openldap.blog.html
Postcreen : modoboa_installer/scripts/files/postfix/main.cf.tpl

7
seed/applicationservice/2022.03.08/dovecot/applicationservice.yml Normal file
View file

@ -0,0 +1,7 @@
format: '0.1'
description: Postfix et Dovecot
depends:
- base-fedora-35
- relay-mail-client
- ldap-client-fedora
- oauth2-client

107
seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml Normal file
View file

@ -0,0 +1,107 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name="postfix" target="multi-user">
<override/>
<file engine="none" source="sysuser-postfix.conf">/sysusers.d/1postfix.conf</file>
<file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
<file>/etc/postfix/main.cf</file>
<file>/etc/postfix/master.cf</file>
<file>/etc/postfix/ldapsource.cf</file>
<file>/etc/postfix/relay_passwd</file>
<file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
<file>/etc/pki/tls/certs/postfix.crt</file>
<file owner="root" group="postfix" mode="440">/etc/pki/tls/private/postfix.key</file>
</service>
<service name='dovecot-init'>
<override/>
</service>
<service name="dovecot" target="multi-user">
<file file_type="variable" source="ca_ReverseProxy.crt">revprox_ca_file</file>
<file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
<file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file>
<file>/etc/dovecot/conf.d/10-master.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-ssl.conf</file>
<!-- FIXME file engine='none'>/etc/dovecot/conf.d/12-managesieve.conf</file-->
<file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file>
<file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file>
<file engine='none'>/etc/dovecot/conf.d/00-risotto.conf</file>
<!--plain authentification-->
<file>/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
<file>/etc/dovecot/dovecot-ldap.conf.ext</file>
<!--oauth2 authentification-->
<file>/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
<file>/etc/dovecot/dovecot-oauth2.conf.ext</file>
<!--internal authentification-->
<file>/etc/dovecot/conf.d/auth-passwdfile.conf.ext</file>
<file>/etc/dovecot/risotto_users</file>
<file>/etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt</file>
<file>/etc/pki/tls/certs/dovecot.crt</file>
<file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
</service>
</services>
<variables>
<family name="annuaire">
<variable name="ldap_key_file_owner" redefine="True">
<value>dovecot</value>
</variable>
<variable name="ldap_key_file_group" redefine="True">
<value>postfix</value>
</variable>
</family>
<family name="postfix" description="Postfix mail server">
<variable name="postfix_my_domains" type="domainname" description="Domaine de courriel généré localement" mandatory="True" multi="True"/>
<variable name='postfix_ca_chain' description="CA certificate" hidden='True'/>
</family>
<family name="dovecot" description="IMAP mail server">
<variable name='dovecot_ca_chain' description="CA certificate" hidden='True'/>
<variable name='dovecot_local_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
<family name="local_authentification_" description="Local server authentification" dynamic='dovecot_local_authentifications'>
<variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
<variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
</family>
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
<variable name="revprox_server_domainname" type="domainname" description="Reverse proxy domain name for CA" mandatory="True"/>
</family>
</variables>
<constraints>
<fill name="get_chain">
<param name="authority_cn" type="variable">domain_name_eth0</param>
<param name="authority_name">MailServer</param>
<target>postfix_ca_chain</target>
</fill>
<fill name="get_chain">
<param name="authority_cn" type="variable">domain_name_eth0</param>
<param name="authority_name">IMAPServer</param>
<target>dovecot_ca_chain</target>
</fill>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username" type="suffix"/>
<param name="description">local authentification</param>
<param name="type">cleartext</param>
<target>local_authentification_password_</target>
</fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">lmtp_server</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<target>postfix_my_domains</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">lmtp_criteria</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>postfix_my_domains</target>
</check>
<fill name="calc_value">
<param type="variable">tls_ca_directory</param>
<param>ca_ReverseProxy.crt</param>
<param name="join">/</param>
<target>revprox_ca_file</target>
</fill>
</constraints>
</rougail>

9
seed/applicationservice/2022.03.08/dovecot/funcs/dovecot.py Normal file
View file

@ -0,0 +1,9 @@
from crypt import crypt as _crypt
from string import ascii_letters as _ascii_letters, digits as _digits
from secrets import choice as _choice
def sha512_crypt(password):
salt = ''.join([_choice(_ascii_letters + _digits) for _ in range(8)])
prefix = '$6$'
return _crypt(password, prefix + salt)

1
seed/applicationservice/2022.03.08/dovecot/manual/image/preinstall/postfix_dovecot.sh Normal file
View file

@ -0,0 +1 @@
PKG="$PKG postfix-ldap dovecot cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain"

1
seed/applicationservice/2022.03.08/dovecot/templates/00-risotto.conf Normal file
View file

@ -0,0 +1 @@
protocols = imap lmtp

142
seed/applicationservice/2022.03.08/dovecot/templates/10-auth.conf Normal file
View file

@ -0,0 +1,142 @@
##
## Authentication processes
##
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes
#>GNUNUX
disable_plaintext_auth = yes
#<GNUNUX
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth and PAM require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour
# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =
# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =
# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu
# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =
# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous
# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30
# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no
# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth
# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs
# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no
# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain
#>GNUNUX
auth_mechanisms = $auth_mechanisms xoauth2
#FIXME oauthbearer?
#<GNUNUX
##
## Password and user databases
##
#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#GNUNUX!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-static.conf.ext
#>GNUNUX
# Webmail auth (ie. roundcube)
!include auth-oauth2.conf.ext
# IMAP auth
!include auth-ldap.conf.ext
# Internal users (ie. roundcube)
!include auth-passwdfile.conf.ext
#<GNUNUX

115
seed/applicationservice/2022.03.08/dovecot/templates/10-logging.conf Normal file
View file

@ -0,0 +1,115 @@
##
## Log destination.
##
# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
#>GNUNUX
log_path = syslog
#<GNUNUX
# Log file to use for informational messages. Defaults to log_path.
#info_log_path =
# Log file to use for debug messages. Defaults to info_log_path.
#debug_log_path =
# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
# facilities are supported.
#>GNUNUX
syslog_facility = mail
#<GNUNUX
##
## Logging verbosity and debugging.
##
# Log filter is a space-separated list conditions. If any of the conditions
# match, the log filter matches (i.e. they're ORed together). Parenthesis
# are supported if multiple conditions need to be matched together.
#
# See https://doc.dovecot.org/configuration_manual/event_filter/ for details.
#
# For example: event=http_request_* AND category=error AND category=storage
#
# Filter to specify what debug logging to enable. This will eventually replace
# mail_debug and auth_debug settings.
#log_debug =
# Crash after logging a matching event. For example category=error will crash
# any time an error is logged, which can be useful for debugging.
#log_core_filter =
# Log unsuccessful authentication attempts and the reasons why they failed.
#>GNUNUX
auth_verbose = yes
#<GNUNUX
# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
#>GNUNUX
auth_verbose_passwords = no
#<GNUNUX
# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no
# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
#auth_debug_passwords = no
# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
#mail_debug = no
# Show protocol level SSL errors.
#verbose_ssl = no
# mail_log plugin provides more event logging for mail processes.
plugin {
# Events to log. Also available: flag_change append
#mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
# Available fields: uid, box, msgid, from, subject, size, vsize, flags
# size and vsize are available only for expunge and copy events.
#>GNUNUX
mail_log_fields = uid box msgid size
#<GNUNUX
}
##
## Log formatting.
##
# Prefix for each line written to log file. % codes are in strftime(3)
# format.
#log_timestamp = "%b %d %H:%M:%S "
# Space-separated list of elements we want to log. The elements which have
# a non-empty variable value are joined together to form a comma-separated
# string.
#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
# Login log format. %s contains login_log_format_elements string, %$ contains
# the data we want to log.
#login_log_format = %$: %s
# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
# possible variables you can use.
#mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "
# Format to use for logging mail deliveries:
# %$ - Delivery status message (e.g. "saved to INBOX")
# %m / %{msgid} - Message-ID
# %s / %{subject} - Subject
# %f / %{from} - From address
# %p / %{size} - Physical size
# %w / %{vsize} - Virtual size
# %e / %{from_envelope} - MAIL FROM envelope
# %{to_envelope} - RCPT TO envelope
# %{delivery_time} - How many milliseconds it took to deliver the mail
# %{session_time} - How long LMTP session took, not including delivery_time
# %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename
#deliver_log_format = msgid=%m: %$

418
seed/applicationservice/2022.03.08/dovecot/templates/10-mail.conf Normal file
View file

@ -0,0 +1,418 @@
##
## Mailbox locations and namespaces
##
# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if there's no domain
# %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
# mail_location = maildir:~/Maildir
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
#>GNUNUX
mail_location = maildir:/srv/mail/%u
#<GNUNUX
# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
# You can have private, shared and public namespaces. Private namespaces
# are for user's personal mails. Shared namespaces are for accessing other
# users' mailboxes that have been shared. Public namespaces are for shared
# mailboxes that are managed by sysadmin. If you create any shared or public
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
namespace inbox {
# Namespace type: private, shared or public
#type = private
# Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format.
#separator =
# Prefix required to access this namespace. This needs to be different for
# all namespaces. For example "Public/".
#prefix =
# Physical location of the mailbox. This is in same format as
# mail_location, which is also the default for it.
#location =
# There can be only one INBOX, and this setting defines which namespace
# has it.
inbox = yes
# If namespace is hidden, it's not advertised to clients via NAMESPACE
# extension. You'll most likely also want to set list=no. This is mostly
# useful when converting from another server with different namespaces which
# you want to deprecate but still keep working. For example you can create
# hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
#hidden = no
# Show the mailboxes under this namespace with LIST command. This makes the
# namespace visible for clients that don't support NAMESPACE extension.
# "children" value lists child mailboxes, but hides the namespace prefix.
#list = yes
# Namespace handles its own subscriptions. If set to "no", the parent
# namespace handles them (empty prefix should always have this as "yes")
#subscriptions = yes
# See 15-mailboxes.conf for definitions of special mailboxes.
}
# Example shared namespace configuration
#namespace {
#type = shared
#separator = /
# Mailboxes are visible under "shared/user@domain/"
# %%n, %%d and %%u are expanded to the destination user.
#prefix = shared/%%u/
# Mail location for other users' mailboxes. Note that %variables and ~/
# expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
# destination user's data.
#location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
# Use the default namespace for saving subscriptions.
#subscriptions = no
# List the shared/ namespace only if there are visible shared mailboxes.
#list = children
#}
# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
#mail_shared_explicit_inbox = no
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
#mail_uid =
#mail_gid =
# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
#mail_privileged_group =
# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =
# Allow full filesystem access to clients. There's no access checks other than
# what the operating system does for the active UID/GID. It works with both
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access = no
# Dictionary for key=value mailbox attributes. This is used for example by
# URLAUTH and METADATA extensions.
#mail_attribute_dict =
# A comment or note that is associated with the server. This value is
# accessible for authenticated users through the IMAP METADATA server
# entry "/shared/comment".
#mail_server_comment = ""
# Indicates a method for contacting the server administrator. According to
# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
# is currently not enforced. Use for example mailto:admin@example.com. This
# value is accessible for authenticated users through the IMAP METADATA server
# entry "/shared/admin".
#mail_server_admin =
##
## Mail processes
##
# Don't use mmap() at all. This is required if you store indexes to shared
# filesystems (NFS or clustered filesystem).
#mmap_disable = no
# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
#dotlock_use_excl = yes
# When to use fsync() or fdatasync() calls:
# optimized (default): Whenever necessary to avoid losing important data
# always: Useful with e.g. NFS when write()s are delayed
# never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized
# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl
# Directory where mails can be temporarily stored. Usually it's used only for
# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
# example LDA/LMTP while delivering large mails or zlib plugin for keeping
# uncompressed mails.
#mail_temp_dir = /tmp
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
#last_valid_gid = 0
# Maximum allowed length for mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50
# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot, mail_chroot or auth chroot
# settings. If this setting is empty, "/./" in home dirs are ignored.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. <doc/wiki/Chrooting.txt>
#valid_chroot_dirs =
# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
# (eg. /home/./user chroots into /home). Note that usually there is no real
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
#mail_chroot =
# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
#auth_socket_path = /var/run/dovecot/auth-userdb
# Directory where to look up mail plugins.
#mail_plugin_dir = /usr/lib/dovecot
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
#mail_plugins =
##
## Mailbox handling optimizations
##
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
#mailbox_list_index = yes
# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
# of potentially returning out-of-date results after e.g. server crashes.
# The results will be automatically fixed once the folders are opened.
#mailbox_list_index_very_dirty_syncs = yes
# Should INBOX be kept up-to-date in the mailbox list index? By default it's
# not, because most of the mailbox accesses will open INBOX anyway.
#mailbox_list_index_include_inbox = no
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
#mail_cache_min_mail_count = 0
# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
# time to wait between those checks. Dovecot can also use inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs
# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
# Also note that if other software reads the mboxes/maildirs, they may handle
# the extra CRs wrong and cause problems.
#mail_save_crlf = no
# Max number of mails to keep open and prefetch to memory. This only works with
# some mailbox formats and/or operating systems.
#mail_prefetch_count = 0
# How often to scan for stale temporary files and delete them (0 = never).
# These should exist only after Dovecot dies in the middle of saving mails.
#mail_temp_scan_interval = 1w
# How many slow mail accesses sorting can perform before it returns failure.
# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
# The untagged SORT reply is still returned, but it's likely not correct.
#mail_sort_max_read_count = 0
protocol !indexer-worker {
# If folder vsize calculation requires opening more than this many mails from
# disk (i.e. mail sizes aren't in cache already), return failure and finish
# the calculation via indexer process. Disabled by default. This setting must
# be 0 for indexer-worker processes.
#mail_vsize_bg_after_count = 0
}
##
## Maildir-specific settings
##
# By default LIST command returns all entries in maildir beginning with a dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no
# When copying a message, do it with hard links whenever possible. This makes
# the performance much better, and it's unlikely to have any side effects.
#maildir_copy_with_hardlinks = yes
# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
#maildir_very_dirty_syncs = no
# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no
# Always move mails from new/ directory to cur/, even when the \Recent flags
# aren't being reset.
#maildir_empty_new = no
##
## mbox-specific settings
##
# Which locking methods to use for locking mbox. There are four available:
# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
# solution. If you want to use /var/mail/ like directory, the users
# will need write access to that directory.
# dotlock_try: Same as dotlock, but if it fails because of permissions or
# because there isn't enough disk space, just skip it.
# fcntl : Use this if possible. Works with NFS too if lockd is used.
# flock : May not exist in all systems. Doesn't work with NFS.
# lockf : May not exist in all systems. Doesn't work with NFS.
#
# You can use multiple locking methods; if you do the order they're declared
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
#mbox_read_locks = fcntl
#mbox_write_locks = dotlock fcntl
mbox_write_locks = fcntl
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
# If dotlock exists but the mailbox isn't modified in any way, override the
# lock file after this much time.
#mbox_dotlock_change_timeout = 2 mins
# When mbox changes unexpectedly we have to fully read it to find out what
# changed. If the mbox is large this can take a long time. Since the change
# is usually just a newly appended mail, it'd be faster to simply read the
# new mails. If this setting is enabled, Dovecot does this but still safely
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
# commands.
#mbox_dirty_syncs = yes
# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
#mbox_very_dirty_syncs = no
# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
# commands and when closing the mailbox). This is especially useful for POP3
# where clients often delete all mails. The downside is that our changes
# aren't immediately visible to other MUAs.
#mbox_lazy_writes = yes
# If mbox size is smaller than this (e.g. 100k), don't write index files.
# If an index file already exists it's still read, just not updated.
#mbox_min_index_size = 0
# Mail header selection algorithm to use for MD5 POP3 UIDLs when
# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
# algorithm, but it fails if the first Received: header isn't unique in all
# mails. An alternative algorithm is "all" that selects all headers.
#mbox_md5 = apop3d
##
## mdbox-specific settings
##
# Maximum dbox file size until it's rotated.
#mdbox_rotate_size = 10M
# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
#mdbox_rotate_interval = 0
# When creating new mdbox files, immediately preallocate their size to
# mdbox_rotate_size. This setting currently works only in Linux with some
# filesystems (ext4, xfs).
#mdbox_preallocate_space = no
##
## Mail attachments
##
# sdbox and mdbox support saving mail attachments to external files, which
# also allows single instance storage for them. Other backends don't support
# this for now.
# Directory root where to store mail attachments. Disabled, if empty.
#mail_attachment_dir =
# Attachments smaller than this aren't saved externally. It's also possible to
# write a plugin to disable saving specific attachments externally.
#mail_attachment_min_size = 128k
# Filesystem backend to use for saving attachments:
# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
# sis posix : SiS with immediate byte-by-byte comparison during saving
# sis-queue posix : SiS with delayed comparison and deduplication
#mail_attachment_fs = sis posix
# Hash format to use in attachment filenames. You can add any text and
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
#mail_attachment_hash = %{sha1}
# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
# By default, all MIME parts with Content-Disposition=attachment, or inlines
# with filename parameter are consired attachments.
# add-flags - Add the keywords when saving new mails or when fetching can
# do it efficiently.
# content-type=type or !type - Include/exclude content type. Excluding will
# never consider the matched MIME part as attachment. Including will only
# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
# exclude-inlined - Exclude any Content-Disposition=inline MIME part.
#mail_attachment_detection_options =

156
seed/applicationservice/2022.03.08/dovecot/templates/10-master.conf Normal file
View file

@ -0,0 +1,156 @@
#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
inet_listener imap {
#port = 143
#>GNUNUX
port = 0
#<GNUNUX
}
inet_listener imaps {
#port = 993
#ssl = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = $default_vsz_limit
}
service pop3-login {
inet_listener pop3 {
#port = 110
#>GNUNUX
port = 0
#<GNUNUX
}
inet_listener pop3s {
#>GNUNUX
port = 0
#<GNUNUX
#port = 995
#ssl = yes
}
}
service submission-login {
inet_listener submission {
#port = 587
}
}
service lmtp {
unix_listener lmtp {
#mode = 0666
}
# Create inet listener only if you can't use the above UNIX socket
#inet_listener lmtp {
# Avoid making LMTP visible for the entire internet
#address =
#port =
#}
#>GNUNUX
inet_listener lmtp {
address = %%ip_eth0
port = 8024
}
#<GNUNUX
}
service imap {
# Most of the memory goes to mmap()ing files. You may need to increase this
# limit if you have huge mailboxes.
#vsz_limit = $default_vsz_limit
# Max. number of IMAP processes (connections)
#process_limit = 1024
}
service pop3 {
# Max. number of POP3 processes (connections)
#process_limit = 1024
}
service submission {
# Max. number of SMTP Submission processes (connections)
#process_limit = 1024
}
service auth {
# auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
# full permissions to this socket are able to get a list of all usernames and
# get the results of everyone's userdb lookups.
#
# The default 0666 mode allows anyone to connect to the socket, but the
# userdb lookups will succeed only if the userdb returns an "uid" field that
# matches the caller process's UID. Also if caller's uid or gid matches the
# socket's uid or gid the lookup succeeds. Anything else causes a failure.
#
# To give the caller full permissions to lookup all users, set the mode to
# something else than 0666 and Dovecot lets the kernel enforce the
# permissions (e.g. 0777 allows everyone full permissions).
unix_listener auth-userdb {
#mode = 0666
#user =
#group =
#>GNUNUX
mode = 0666
user = vmail
#<GNUNUX
}
# Postfix smtp-auth
#unix_listener /var/spool/postfix/private/auth {
# mode = 0666
#}
#>GNUNUX
unix_listener /srv/dovecot/auth {
mode = 0666
user = postfix
group = postfix
}
#<GNUNUX
# Auth process is run as this user.
#user = $default_internal_user
}
service auth-worker {
# Auth worker process is run as root by default, so that it can access
# /etc/shadow. If this isn't necessary, the user should be changed to
# $default_internal_user.
#user = root
}
service dict {
# If dict proxy is used, mail processes should have access to its socket.
# For example: mode=0660, group=vmail and global mail_access_groups=vmail
unix_listener dict {
#mode = 0600
#user =
#group =
}
}

90
seed/applicationservice/2022.03.08/dovecot/templates/10-ssl.conf Normal file
View file

@ -0,0 +1,90 @@
##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
# plain imap and pop3 are still allowed for local connections
ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#GNUNUX ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#GNUNUX ssl_key = </etc/pki/dovecot/private/dovecot.pem
#>GNUNUX
ssl_cert = </etc/pki/tls/certs/dovecot.crt
ssl_key = </etc/pki/tls/private/dovecot.key
#<GNUNUX
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
#ssl_ca =
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/pki/dovecot/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
# large CA bundles, because it leads to excessive memory usage.
#ssl_client_ca_dir =
#ssl_client_ca_file =
ssl_client_ca_file = /etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt
# Require valid cert when connecting to a remote server
#ssl_client_require_valid_cert = yes
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
#ssl_dh = </etc/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
#
# Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol
# version, and LATEST matches with the latest version supported by library.
#ssl_min_protocol = TLSv1.2
# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_cipher_list = PROFILE=SYSTEM
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
# compression - Enable compression.
# no_ticket - Disable SSL session tickets.
#ssl_options =

23
seed/applicationservice/2022.03.08/dovecot/templates/12-managesieve.conf Normal file
View file

@ -0,0 +1,23 @@
# Uncomment to enable managesieve protocol:
protocols = $protocols sieve
service managesieve-login {
inet_listener sieve {
port = 4190
}
#inet_listener sieve_deprecated {
# port = 2000
#}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
service_count = 1
# Number of processes to always keep waiting for more connections.
process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
vsz_limit = 64M
}

51
seed/applicationservice/2022.03.08/dovecot/templates/15-ldap.conf Normal file
View file

@ -0,0 +1,51 @@
##
## LDA specific settings (also used by LMTP)
##
# Address to use when sending rejection mails.
# Default is postmaster@%d. %d expands to recipient domain.
#postmaster_address =
# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
# in LMTP replies. Default is the system's real hostname@domain.
#hostname =
# If user is over quota, return with temporary failure instead of
# bouncing the mail.
#quota_full_tempfail = no
# Binary to use for sending mails.
#sendmail_path = /usr/sbin/sendmail
# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
#submission_host =
# Subject: header to use for rejection mails. You can use the same variables
# as for rejection_reason below.
#rejection_subject = Rejected: %s
# Human readable error message for rejection mails. You can use variables:
# %n = CRLF, %r = reason, %s = original subject, %t = recipient
#rejection_reason = Your message to <%t> was automatically rejected:%n%r
# Delimiter character between local-part and detail in email address.
#recipient_delimiter = +
# Header where the original recipient address (SMTP's RCPT TO: address) is taken
# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
# A commonly used header for this is X-Original-To.
#lda_original_recipient_header =
# Should saving a mail to a nonexistent mailbox automatically create it?
#lda_mailbox_autocreate = no
# Should automatically created mailboxes be also automatically subscribed?
#lda_mailbox_autosubscribe = no
# GNUNUX protocol lda {
# GNUNUX # Space separated list of plugins to load (default is global mail_plugins).
# GNUNUX #mail_plugins = $mail_plugins
# GNUNUX #>GNUNUX
# GNUNUX mail_plugins = sieve
# GNUNUX #<GNUNUX
# GNUNUX }

12
seed/applicationservice/2022.03.08/dovecot/templates/30-service-stats.conf Normal file
View file

@ -0,0 +1,12 @@
service stats {
unix_listener stats-reader {
user = vmail
group = vmail
mode = 0660
}
unix_listener stats-writer {
user = vmail
group = vmail
mode = 0660
}
}

39
seed/applicationservice/2022.03.08/dovecot/templates/auth-ldap.conf.ext Normal file
View file

@ -0,0 +1,39 @@
# Authentication for LDAP users. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.LDAP.txt>
passdb {
driver = ldap
# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
args = /etc/dovecot/dovecot-ldap.conf.ext
}
# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
#userdb {
# driver = prefetch
#}
# GNUNUX userdb {
# GNUNUX driver = ldap
# GNUNUX args = /etc/dovecot/dovecot-ldap.conf.ext
# GNUNUX
# GNUNUX # Default fields can be used to specify defaults that LDAP may override
# GNUNUX #default_fields = home=/home/virtual/%u
# GNUNUX }
# If you don't have any user-specific settings, you can avoid the userdb LDAP
# lookup by using userdb static instead of userdb ldap, for example:
# <doc/wiki/UserDatabase.Static.txt>
#userdb {
#driver = static
#args = uid=vmail gid=vmail home=/var/vmail/%u
#}
#>GNUNUX
userdb {
driver = static
args = uid=vmail gid=vmail home=/srv/mail/%u
}
#<GNUNUX

6
seed/applicationservice/2022.03.08/dovecot/templates/auth-oauth2.conf.ext Normal file
View file

@ -0,0 +1,6 @@
# GNUNUX see /usr/share/doc/dovecot/wiki/PasswordDatabase.oauth2.txt
passdb {
driver = oauth2
mechanisms = xoauth2 #FIXME oauthbearer
args = /etc/dovecot/dovecot-oauth2.conf.ext
}

21
seed/applicationservice/2022.03.08/dovecot/templates/auth-passwdfile.conf.ext Normal file
View file

@ -0,0 +1,21 @@
# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>
passdb {
driver = passwd-file
# GNUNUX args = scheme=CRYPT username_format=%u /etc/dovecot/users
args = scheme=SHA512-CRYPT username_format=%n /etc/dovecot/risotto_users
}
# GNUNUX userdb {
# GNUNUX driver = passwd-file
# GNUNUX args = username_format=%u /etc/dovecot/users
# GNUNUX
# GNUNUX # Default fields that can be overridden by passwd-file
# GNUNUX #default_fields = quota_rule=*:storage=1G
# GNUNUX
# GNUNUX # Override fields from passwd-file
# GNUNUX #override_fields = home=/home/virtual/%u
# GNUNUX }

1
seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt Normal file
View file

@ -0,0 +1 @@
%%dovecot_ca_chain

1
seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt Normal file
View file

@ -0,0 +1 @@
%%postfix_ca_chain

1
seed/applicationservice/2022.03.08/dovecot/templates/ca_ReverseProxy.crt Normal file
View file

@ -0,0 +1 @@
%%get_chain(%%revprox_server_domainname, authority_name='ReverseProxy')

6
seed/applicationservice/2022.03.08/dovecot/templates/dovecot-init.service Normal file
View file

@ -0,0 +1,6 @@
[Unit]
After=network.target
[Service]
ExecStart=
ExecStart=/bin/true

181
seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext Normal file
View file

@ -0,0 +1,181 @@
# SEE /usr/share/doc/dovecot/example-config/dovecot-ldap.conf.ext
# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-ldap.conf.ext
# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/LDAP
#
# NOTE: If you're not using authentication binds, you'll need to give
# dovecot-auth read access to userPassword field in the LDAP server.
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
# already be something like this:
# access to attribute=userPassword
# by dn="<dovecot's dn>" read # add this
# by anonymous auth
# by self write
# by * none
# Space separated list of LDAP hosts to use. host:port is allowed too.
#hosts =
# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
#uris =
#>GNUNUX
uris = ldaps://%%ldap_server_address
#<GNUNUX
# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
#dn =
# Password for LDAP server, if dn is specified.
#dnpass =
#>GNUNUX
dn = %%ldapclient_remote_user
dnpass = %%ldapclient_remote_user_password
#<GNUNUX
# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
# SASL realm to use.
#sasl_realm =
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =
# Use TLS to connect to the LDAP server.
#tls = no
# TLS options, currently supported only with OpenLDAP:
#tls_ca_cert_file =
#tls_ca_cert_dir =
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file =
#tls_key_file =
# Valid values: never, hard, demand, allow, try
#tls_require_cert =
#>GNUNUX
tls_cert_file = %%ldap_cert_file
tls_key_file = %%ldap_key_file
tls_ca_cert_file = %%ldap_ca_file
tls_require_cert = hard
#>GNUNUX
# Use the given ldaprc path.
#ldaprc_path =
# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
# to get enough output.
#debug_level = 0
# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
#auth_bind = no
# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
# auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn =
#>GNUNUX
auth_bind = yes
auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
#<GNUNUX
# LDAP protocol version to use. Likely 2 or 3.
#ldap_version = 3
# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
# GNUNUX base =
base = ou=users,%%ldap_base_dn
# Dereference: never, searching, finding, always
#deref = never
# Search scope: base, onelevel, subtree
#scope = subtree
# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
# uid - System UID
# gid - System GID
# home - Home directory
# mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if user there's no domain
#user_filter = (&(objectClass=posixAccount)(uid=%u))
#>GNUNUX
user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
#<GNUNUX
# Password checking attributes:
# user: Virtual user name (user@domain), if you wish to change the
# user-given username to something else
# password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
#pass_attrs = uid=user,userPassword=password
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,\
# homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
#>GNUNUX
pass_attrs = cn=user
pass_filter = (&(objectClass=inetOrgPerson)(cn=%u))
#<GNUNUX
# Attributes and filter to get a list of all users
#iterate_attrs = uid=user
#iterate_filter = (objectClass=posixAccount)
#>GNUNUX
iterate_attrs = cn=user
iterate_filter = (&(objectClass=inetOrgPerson)(cn=%u))
#<GNUNUX
# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT
# By default all LDAP lookups are performed by the auth master process.
# If blocking=yes, auth worker processes are used to perform the lookups.
# Each auth worker process creates its own LDAP connection so this can
# increase parallelism. With blocking=no the auth master process can
# keep 8 requests pipelined for the LDAP connection, while with blocking=yes
# each connection has a maximum of 1 request running. For small systems the
# blocking=no is sufficient and uses less resources.
#blocking = no

92
seed/applicationservice/2022.03.08/dovecot/templates/dovecot-oauth2.conf.ext Normal file
View file

@ -0,0 +1,92 @@
# GNUNUX from : /usr/share/doc/dovecot/example-config/dovecot-oauth2.conf.ext
### OAuth2 password database configuration
## url for verifying token validity. Token is appended to the URL
# tokeninfo_url = http://endpoint/oauth/tokeninfo?access_token=
#>GNUNUX
tokeninfo_url = https://%%oauth2_client_server_domainname/oauth2/userinfo/?access_token=
#<GNUNUX
## introspection endpoint, used to gather extra fields and other information.
# introspection_url = http://endpoint/oauth/me
## How introspection is made, valid values are
## auth = GET request with Bearer authentication
## get = GET request with token appended to URL
## post = POST request with token=bearer_token as content
## local = perform local validation only
# introspection_mode = auth
## Force introspection even if tokeninfo contains wanted fields
## Set this to yes if you are using active_attribute
# force_introspection = no
#>GNUNUX
introspection_url = https://%%oauth2_client_server_domainname/oauth2/introspect/
introspection_mode = post
force_introspection = no
#<GNUNUX
## Validation key dictionary (e.g. fs:posix:prefix=/etc/dovecot/keys/)
## Lookup key is /shared/<azp:default>/<alg>/<kid:default>
# local_validation_key_dict =
## A single wanted scope of validity (optional)
# scope = something
#>GNUNUX
#scope = openid,profile,email
#<GNUNUX
## username attribute in response (default: email)
# username_attribute = email
#>GNUNUX
username_attribute = email
#<GNUNUX
## username normalization format (default: %Lu)
# username_format = %Lu
## Attribute name for checking whether account is disabled (optional)
# active_attribute =
## Expected value in active_attribute (empty = require present, but anything goes)
# active_value =
## Expected issuer(s) for the token (space separated list)
# issuers =
## URL to RFC 7628 OpenID Provider Configuration Information schema
# openid_configuration_url =
#>GNUNUX
openid_configuration_url = https://%%oauth2_client_server_domainname/.well-known/openid-configuration
#<GNUNUX
## Extra fields to set in passdb response (in passdb static style)
# pass_attrs =
## Timeout in milliseconds
# timeout_msecs = 0
## Enable debug logging
# debug = no
## Max parallel connections (how many simultaneous connections to open)
# max_parallel_connections = 10
## Max pipelined requests (how many requests to send per connection, requires server-side support)
# max_pipelined_requests = 1
## HTTP request raw log directory
# rawlog_dir = /tmp/oauth2
#>GNUNUX
client_id = %%oauth2_client_id
client_secret = %%oauth2_client_secret
#<GNUNUX
## TLS settings
# tls_ca_cert_file = /path/to/ca-certificates.txt
# tls_ca_cert_dir = /path/to/certs/
# tls_cert_file = /path/to/client/cert
# tls_key_file = /path/to/client/key
# tls_cipher_suite = HIGH:!SSLv2
# tls_allow_invalid_cert = FALSE

5
seed/applicationservice/2022.03.08/dovecot/templates/dovecot.crt Normal file
View file

@ -0,0 +1,5 @@
%set %%extra_domainnames = []
%for %%idx in %%range(1, %%number_of_interfaces)
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
%end for
%%get_certificate(%%domain_name_eth0, 'IMAPServer', extra_domainnames=%%extra_domainnames)

1
seed/applicationservice/2022.03.08/dovecot/templates/dovecot.key Normal file
View file

@ -0,0 +1 @@
%%get_private_key(%%domain_name_eth0, 'IMAPServer')

13
seed/applicationservice/2022.03.08/dovecot/templates/ldapsource.cf Normal file
View file

@ -0,0 +1,13 @@
server_host = ldaps://%%ldap_server_address
server_port = %%ldap_port
tls_cert = %%ldap_cert_file
tls_key = %%ldap_key_file
tls_ca_cert_file = %%ldap_ca_file
tls_require_cert = yes
version = 3
bind = yes
bind_dn = %%ldapclient_remote_user
bind_pw = %%ldapclient_remote_user_password
search_base = ou=users,%%ldap_base_dn
query_filter = (mail=%s)
result_attribute = cn

808
seed/applicationservice/2022.03.08/dovecot/templates/main.cf Normal file
View file

@ -0,0 +1,808 @@
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
# COMPATIBILITY
#
# The compatibility_level determines what default settings Postfix
# will use for main.cf and master.cf settings. These defaults will
# change over time.
#
# To avoid breaking things, Postfix will use backwards-compatible
# default settings and log where it uses those old backwards-compatible
# default settings, until the system administrator has determined
# if any backwards-compatible default settings need to be made
# permanent in main.cf or master.cf.
#
# When this review is complete, update the compatibility_level setting
# below as recommended in the RELEASE_NOTES file.
#
# The level below is what should be used with new (not upgrade) installs.
#
compatibility_level = 3.6
# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no
# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
# GNUNUX queue_directory = /var/spool/postfix
queue_directory = /srv/postfix/spool
# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin
# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
daemon_directory = /usr/libexec/postfix
# The data_directory parameter specifies the location of Postfix-writable
# data files (caches, random numbers). This directory must be owned
# by the mail_owner account (see below).
#
# GNUNUX data_directory = /var/lib/postfix
data_directory = /srv/postfix/data
# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix
# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
myhostname = %%domain_name_eth0
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
#myorigin = $mydomain
myorigin = %%domain_name_eth0
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
# GNUNUX inet_interfaces = localhost
inet_interfaces = all
# Enable IPv4, and IPv6 if supported
inet_protocols = all
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain + localhost. On
# a mail domain gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# For example, you define $mydestination domain recipients in
# the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
# feature of the Postfix local delivery agent (see local(8)).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550
#>GNUNUX
unverified_recipient_reject_code = 550
#<GNUNUX
# TRUST AND RELAY CONTROL
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unknown_client,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unlisted_recipient,
# FIXME check_sender_access hash:/etc/postfix/sender_access,
# FIXME check_recipient_access hash:/etc/postfix/recv_access,
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.3.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
mynetworks = 172.0.0.0/8
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
# subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
#relay_domains = $mydestination
# INTERNET OR INTRANET
# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
#>GNUNUX
relayhost = %%smtp_relay_address
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
smtp_sasl_security_options = noanonymous
#<GNUNUX
# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
#in_flow_delay = 1s
# ADDRESS REWRITING
#
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
# "USER HAS MOVED" BOUNCE MESSAGES
#
# See the discussion in the ADDRESS_REWRITING_README document.
# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
#recipient_delimiter = +
#>GNUNUX
recipient_delimiter = +
#<GNUNUX
# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
#home_mailbox = Maildir/
# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
# server using LMTP (Local Mail Transport Protocol), this is prefered
# over the older cyrus deliver program by setting the
# mailbox_transport as below:
#
# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#
# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
# these settings.
#
# local_destination_recipient_limit = 300
# local_destination_concurrency_limit = 5
#
# Of course you should adjust these settings as appropriate for the
# capacity of the hardware you are using. The recipient limit setting
# can be used to take advantage of the single instance message store
# capability of Cyrus. The concurrency limit can be used to control
# how many simultaneous LMTP sessions will be permitted to the Cyrus
# message store.
#
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
# subsequent line in master.cf.
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
# The luser_relay parameter specifies an optional destination address
# for unknown recipients. By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
#
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
#
# luser_relay works only for the default Postfix local delivery agent.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
#header_checks = regexp:/etc/postfix/header_checks
# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains
# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
#
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter. The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2
# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
# >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen session, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
# -dmS $process_name gdb $daemon_directory/$process_name
# $process_id & sleep 1
# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix
# mailq_path: The full pathname of the Postfix mailq command. This
# is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq.postfix
# setgid_group: The group for mail submission and queue management
# commands. This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop
# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no
# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man
# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/share/doc/postfix/samples
# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix/README_FILES
# TLS CONFIGURATION
#
# Basic Postfix TLS configuration by default with self-signed certificate
# for inbound SMTP and also opportunistic TLS for outbound SMTP.
# The full pathname of a file with the Postfix SMTP server RSA certificate
# in PEM format. Intermediate certificates should be included in general,
# the server certificate first, then the issuing CA(s) (bottom-up order).
#
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
# The full pathname of a file with the Postfix SMTP server RSA private key
# in PEM format. The private key must be accessible without a pass-phrase,
# i.e. it must not be encrypted.
#
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_CApath = /etc/pki/tls/certs
smtpd_tls_CAfile = /etc/pki/ca-trust/source/anchors/ca_MailServer.crt
# Announce STARTTLS support to remote SMTP clients, but do not require that
# clients use TLS encryption (opportunistic TLS inbound).
#
smtpd_tls_security_level = may
# Directory with PEM format Certification Authority certificates that the
# Postfix SMTP client uses to verify a remote SMTP server certificate.
#
smtp_tls_CApath = /etc/pki/tls/certs
# The full pathname of a file containing CA certificates of root CAs
# trusted to sign either remote SMTP server certificates or intermediate CA
# certificates.
#
smtp_tls_CAfile = /etc/pki/ca-trust/source/anchors/ca_MailServer.crt
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext (opportunistic TLS outbound).
#
smtp_tls_security_level = may
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
#>GNUNUX
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_use_tls = yes
mailbox_size_limit = 0
message_size_limit = 202400000
biff = no
#virtual_maps = ldap:/etc/postfix/ldapsource.cf
smtpd_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_type = dovecot
smtpd_sasl_path = /srv/dovecot/auth
broken_sasl_auth_clients = yes
dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = %echo ', '.join(%%postfix_my_domains)
virtual_mailbox_maps = ldap:/etc/postfix/ldapsource.cf
virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
virtual_minimum_uid = 1000
#vmail uid
virtual_uid_maps = static:999
virtual_gid_maps = static:999
virtual_transport = dovecot
virtual_mailbox_base = /srv/mail
#<GNUNUX

146
seed/applicationservice/2022.03.08/dovecot/templates/master.cf Normal file
View file

@ -0,0 +1,146 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n - n - - smtpd
#>GNUNUX
submission inet n - n - - smtpd
#<GNUNUX
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable smtps for loopback clients only, or for any client.
#127.0.0.1:smtps inet n - n - - smtpd
#smtps inet n - n - - smtpd
#>GNUNUX
smtps inet n - n - - smtpd
#<GNUNUX
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
#>GNUNUX
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
#>GNUNUX

5
seed/applicationservice/2022.03.08/dovecot/templates/postfix.crt Normal file
View file

@ -0,0 +1,5 @@
%set %%extra_domainnames = []
%for %%idx in %%range(1, %%number_of_interfaces)
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
%end for
%%get_certificate(%%domain_name_eth0, "MailServer", extra_domainnames=%%extra_domainnames)

1
seed/applicationservice/2022.03.08/dovecot/templates/postfix.key Normal file
View file

@ -0,0 +1 @@
%%get_private_key(%%domain_name_eth0, 'MailServer')

3
seed/applicationservice/2022.03.08/dovecot/templates/postfix.service Normal file
View file

@ -0,0 +1,3 @@
[Service]
ExecStartPre=/usr/sbin/postmap /etc/postfix/relay_passwd
PIDFile=/srv/postfix/spool/pid/master.pid

2
seed/applicationservice/2022.03.08/dovecot/templates/relay_passwd Normal file
View file

@ -0,0 +1,2 @@
%%smtp_relay_address %%smtp_relay_user@%%ip_eth0:%%smtp_relay_password

6
seed/applicationservice/2022.03.08/dovecot/templates/risotto_users Normal file
View file

@ -0,0 +1,6 @@
%for %%local in %%dovecot_local_authentifications
%set %%user = %%normalize_family(%%local)
%set %%password = %%getVar('local_authentification_password_' + %%user)
%set %%ip = %%getVar('local_authentification_ip_' + %%user)
%%user:{SHA512-CRYPT}%%sha512_crypt(%%password)::::::allow_nets=%%ip
%end for

6
seed/applicationservice/2022.03.08/dovecot/templates/sysuser-dovecot.conf Normal file
View file

@ -0,0 +1,6 @@
g dovecot 97 -
g dovenull 982 -
g vmail 999 -
u dovecot 97:97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
u dovenull 984:982 "Dovecot's unauthorized user" /usr/libexec/dovecot /sbin/nologin
u vmail 999:999 "Virtual mail user" /srv/mail /sbin/nologin

8
seed/applicationservice/2022.03.08/dovecot/templates/sysuser-postfix.conf Normal file
View file

@ -0,0 +1,8 @@
g mail 12 -
g postfix 89 -
g postdrop 90 -
u mail 8:12 "mail" /var/spool/mail /sbin/nologin
u postfix 89:89 "Postfix" /srv/postfix/spool /sbin/nologin
# useful?
m postfix mail
m postfix opendkim

1
seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-dovecot.conf Normal file
View file

@ -0,0 +1 @@
d /srv/dovecot 750 dovecot postfix - -

Some files were not shown because too many files have changed in this diff Show more