fork from cadoles' risotto-dataset
This commit is contained in:
parent
57ef44abbc
commit
a093f49780
415 changed files with 22885 additions and 0 deletions
68
doc/certificates.md
Normal file
68
doc/certificates.md
Normal file
|
@ -0,0 +1,68 @@
|
|||
# Généré des certificats via la PKI interne de mini_risotto
|
||||
|
||||
## Génération des certificates sur le serveur
|
||||
|
||||
Création la variable contenant la chain :
|
||||
|
||||
```
|
||||
<variables>
|
||||
<variable name='service_ca_chain' description="CA certificate" hidden='True'/>
|
||||
</variable>
|
||||
```
|
||||
|
||||
Création d'une autorité avec le nom "AuthorityName" (le nom est un terme en CamelCase) :
|
||||
|
||||
```
|
||||
<fill name="get_chain">
|
||||
<param name="cn" type="information">server_name</param>
|
||||
<param name="authority_cn" type="information">server_name</param>
|
||||
<param name="authority_name">AuthorityName</param>
|
||||
<target>service_chain</target>
|
||||
</fill>
|
||||
```
|
||||
|
||||
La création du fichier de CA est simple, il suffit d'utiliser la variable "service_ca_chain".
|
||||
|
||||
Puis il faut créer le certificat avec un template qui contient :
|
||||
|
||||
```
|
||||
%%get_certificate(%%domain_name_eth0, authority_name="AuthorityName")
|
||||
```
|
||||
|
||||
Si l'autorité n'est pas gérer par le serveur courant, il faut précicer le nom du serveur responsable de l'autorité :
|
||||
|
||||
```
|
||||
%%get_certificate(%%domain_name_eth0, authority_cn=%%server, authority_name="AuthorityName")
|
||||
```
|
||||
|
||||
Enfin, le certificat peut avoir plusieurs nom de domaine, dans ce cas on peut le gérer par exemple en faisant :
|
||||
|
||||
```
|
||||
%set %%extra_domainnames = []
|
||||
%for %%idx in %%range(1, %%number_of_interfaces)
|
||||
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
|
||||
%end for
|
||||
%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames)
|
||||
```
|
||||
|
||||
Enfin on peut récupérer la clef privée (attention APRÉS avoir récupérer le certificat) :
|
||||
|
||||
```
|
||||
%get_private_key(%%domain_name_eth0, %%server)
|
||||
```
|
||||
|
||||
Comme le certificat, l'autorité peut ne pas être de la responsabilité du serveur courant :
|
||||
|
||||
```
|
||||
%get_private_key(%%domain_name_eth0, authority_cn=%%server, authority_name="ReverseProxy")
|
||||
```
|
||||
|
||||
## PKI sous Fedora
|
||||
|
||||
Création des fichiers pour l'autorité "AuthorityName" pour le service "service" :
|
||||
|
||||
```
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_AuthorityName.crt</file>
|
||||
<file>/etc/pki/tls/certs/service.crt</file>
|
||||
<file owner="root" group="root" mode="400">/etc/pki/tls/private/service.key</file>
|
||||
```
|
21
doc/format.txt
Normal file
21
doc/format.txt
Normal file
|
@ -0,0 +1,21 @@
|
|||
Modèle de serveur
|
||||
=================
|
||||
|
||||
name : nom du serveur modèle
|
||||
description : description du serveur modèle
|
||||
applicationservice : application service spécifique à ce serveur modèle
|
||||
os_name : nom de l'image
|
||||
os_version : version de l'image
|
||||
iso : URL de téléchargement de l'image
|
||||
|
||||
Service applicatif
|
||||
==================
|
||||
|
||||
format : numéro du format
|
||||
name : nom du service applicatif
|
||||
description: description du service applicatifs
|
||||
depends : liste de dépendances vers d'autres service applicatifs
|
||||
packages : liste de paquets logiciel a installé dans l'image
|
||||
os : liste des "os_name" et "os_version" compatible avec ce service applicatif
|
||||
|
||||
|
177
doc/link.md
Normal file
177
doc/link.md
Normal file
|
@ -0,0 +1,177 @@
|
|||
# Configuration liée
|
||||
|
||||
Une configuration liée est un ensemble d'élément partagé entre deux serveurs différents.
|
||||
|
||||
## Lier un client à un serveur
|
||||
|
||||
```
|
||||
<check name="set_linked">
|
||||
<param name="linked_provider">clients</param>
|
||||
<param name="linked_value" type="variable">service_variable</param>
|
||||
<target>service_variable_2</target>
|
||||
</check>
|
||||
```
|
||||
|
||||
## Lier un client à un serveur avec un nom d'utilisateur issu du nom de domaine
|
||||
|
||||
Il faut commencer de créer une variable côté serveur :
|
||||
|
||||
```
|
||||
<variable name="remotes" description="All clients" type="domainname" multi="True" provider="clients"/>
|
||||
```
|
||||
|
||||
Le nom d'utilisateur sera ici le nom de domaine du serveur avec l'application de la fonction 'normalize_family'.
|
||||
|
||||
Pour lier deux configurations il faut créer deux variables côté client :
|
||||
|
||||
```
|
||||
<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
|
||||
<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
|
||||
```
|
||||
|
||||
Enfin il faut lier les deux configurations :
|
||||
|
||||
```
|
||||
<fill name="set_linked">
|
||||
<param name="linked_server" type="variable">service_server_address</param>
|
||||
<param name="linked_provider">clients</param>
|
||||
<param name="linked_value" type="information">server_name</param>
|
||||
<target>service_remote_user</target>
|
||||
</fill>
|
||||
```
|
||||
|
||||
Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera ajouter à la variable "remotes" du serveur.
|
||||
En retour la variable "service_remote_user" aura comme valeur "normalize_family(service_server_address)".
|
||||
|
||||
## Lier un client unique à un serveur avec un nom d'utilisateur calculé sur le serveur
|
||||
|
||||
Il faut commencer de créer les variables côté serveur :
|
||||
|
||||
```
|
||||
<variables>
|
||||
<variable name="remote" description="The client" type="domainname" provider="client"/>
|
||||
<variable name="username" hidden="True" provider="client_name"/>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="gen_user_name">
|
||||
<target>username</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
```
|
||||
|
||||
Côté client :
|
||||
|
||||
```
|
||||
<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
|
||||
<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
|
||||
```
|
||||
|
||||
```
|
||||
<fill name="set_linked">
|
||||
<param name="linked_server" type="variable">service_server_address</param>
|
||||
<param name="linked_provider">clients</param>
|
||||
<param name="linked_value" type="information">server_name</param>
|
||||
<param name="linked_returns">client_name</param>
|
||||
<target>service_remote_user</target>
|
||||
</fill>
|
||||
```
|
||||
|
||||
Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera la variable "remote" du serveur.
|
||||
Un nom d'utilisateur sera alors généré côté serveur, la valeur de ce nom sera retourner au client comme valeur de 'service_remote_user'.
|
||||
|
||||
## Lier plusieurs clients à un serveur avec un nom d'utilisateur calculé sur le serveur
|
||||
|
||||
Il faut commencer de créer les variables côté serveur :
|
||||
|
||||
```
|
||||
<variables>
|
||||
<variable name="remotes" description="All clients" type="domainname" multi="True" provider="clients"/>
|
||||
<family name="remote_" description="Compte pour " dynamic="remotes">
|
||||
<variable name="username_" hidden="True" provider="client_name"/>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="gen_user_name">
|
||||
<target>username_</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
```
|
||||
|
||||
Côté client :
|
||||
|
||||
```
|
||||
<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
|
||||
<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
|
||||
```
|
||||
|
||||
```
|
||||
<fill name="set_linked">
|
||||
<param name="linked_server" type="variable">service_server_address</param>
|
||||
<param name="linked_provider">clients</param>
|
||||
<param name="linked_value" type="information">server_name</param>
|
||||
<param name="linked_returns">client_name</param>
|
||||
<param name="dynamic" type="information">server_name</param>
|
||||
<target>service_remote_user</target>
|
||||
</fill>
|
||||
```
|
||||
|
||||
Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera ajouter à la variable "remotes" du serveur.
|
||||
Un nom d'utilisateur sera alors généré côté serveur, la valeur de ce nom sera retourner au client comme valeur de 'service_remote_user'.
|
||||
|
||||
## Caculer une variable d'un client par rapport à la valeur d'un serveur
|
||||
|
||||
Il faut commencer de créer une nouvelle variables côté serveur par exemple dans une famille dynamique :
|
||||
|
||||
```
|
||||
<variables>
|
||||
<family name="remote_" description="Compte pour " dynamic="remotes">
|
||||
<variable name="password_" description="Password " auto_save="True" hidden="True" type="password" provider="client_password"/>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="gen_password">
|
||||
<target>password_</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
```
|
||||
|
||||
Côté client on veut récupérer ce mot de passe dans une variable :
|
||||
|
||||
```
|
||||
<variable name='service_remote_user_password' type='password' description="Remote password" mandatory='True' hidden="True"/>
|
||||
```
|
||||
|
||||
Et calculer cette valeur :
|
||||
|
||||
```
|
||||
<fill name="get_linked_configuration">
|
||||
<param name="linked_server" type="variable">service_server_address</param>
|
||||
<param name="linked_provider">client_password</param>
|
||||
<param name="dynamic" type="variable">service_remote_user</param>
|
||||
<target>service_remote_user_password</target>
|
||||
</fill>
|
||||
```
|
||||
|
||||
## Propoger la valeur d'une variable d'un client vers un serveur
|
||||
|
||||
```
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">service_server_address</param>
|
||||
<param name="linked_provider">client_var</param>
|
||||
<param name="dynamic" type="variable">service_remote_user</param>
|
||||
<target>service_variable</target>
|
||||
</check>
|
||||
```
|
||||
|
||||
## Propoger la valeur d'une variable d'un client vers un variable esclave du serveur
|
||||
|
||||
```
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">service_server_address</param>
|
||||
<param name="leader_provider">client_var</param>
|
||||
<param name="leader_value" type="variable">service_variable</param>
|
||||
<param name="linked_provider">slave</param>
|
||||
<param name="dynamic" type="variable">service_server_address</param>
|
||||
<target>service_variable_2</target>
|
||||
</check>
|
||||
```
|
2
seed/applicationservice/2022.03.08/apache/FIXME
Normal file
2
seed/applicationservice/2022.03.08/apache/FIXME
Normal file
|
@ -0,0 +1,2 @@
|
|||
# ln -s /etc/httpd/conf.d/nextcloud-access.conf.avail /etc/httpd/conf.d/z-nextcloud-access.conf
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
format: '0.1'
|
||||
description: Apache configuration
|
||||
depends:
|
||||
- base-fedora-35
|
||||
- reverse-proxy-client
|
|
@ -0,0 +1,31 @@
|
|||
<?xml version='1.0' encoding='UTF-8'?>
|
||||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="httpd" target="multi-user">
|
||||
<file>/etc/httpd/conf/httpd.conf</file>
|
||||
<file>/etc/httpd/conf.d/risotto.conf</file>
|
||||
<file>/etc/httpd/conf.d/ssl.conf</file>
|
||||
<file>/etc/httpd/ssl/server.ca</file>
|
||||
<file>/etc/httpd/ssl/server.key</file>
|
||||
<file>/etc/httpd/ssl/server.crt</file>
|
||||
<file engine="none" source="sysuser-httpd.conf">/sysusers.d/httpd.conf</file>
|
||||
<file engine="none" source="tmpfile-httpd.conf">/tmpfiles.d/0httpd.conf</file>
|
||||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
|
||||
<variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
|
||||
<value>300</value>
|
||||
</variable>
|
||||
<variable name="apache_keepalive" type="boolean" description="Autoriser les connexions persistantes"/>
|
||||
<variable name="server_ca" hidden="True"/>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="get_chain">
|
||||
<param name="authority_cn" type="variable">revprox_client_server_domainname</param>
|
||||
<param name="authority_name">ReverseProxy</param>
|
||||
<target>server_ca</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
</rougail>
|
360
seed/applicationservice/2022.03.08/apache/templates/httpd.conf
Normal file
360
seed/applicationservice/2022.03.08/apache/templates/httpd.conf
Normal file
|
@ -0,0 +1,360 @@
|
|||
#
|
||||
# This is the main Apache HTTP server configuration file. It contains the
|
||||
# configuration directives that give the server its instructions.
|
||||
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
|
||||
# In particular, see
|
||||
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
|
||||
# for a discussion of each configuration directive.
|
||||
#
|
||||
# See the httpd.conf(5) man page for more information on this configuration,
|
||||
# and httpd.service(8) on using and configuring the httpd service.
|
||||
#
|
||||
# Do NOT simply read the instructions in here without understanding
|
||||
# what they do. They're here only as hints or reminders. If you are unsure
|
||||
# consult the online docs. You have been warned.
|
||||
#
|
||||
# Configuration and logfile names: If the filenames you specify for many
|
||||
# of the server's control files begin with "/" (or "drive:/" for Win32), the
|
||||
# server will use that explicit path. If the filenames do *not* begin
|
||||
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
|
||||
# with ServerRoot set to '/www' will be interpreted by the
|
||||
# server as '/www/log/access_log', where as '/log/access_log' will be
|
||||
# interpreted as '/log/access_log'.
|
||||
|
||||
#
|
||||
# ServerRoot: The top of the directory tree under which the server's
|
||||
# configuration, error, and log files are kept.
|
||||
#
|
||||
# Do not add a slash at the end of the directory path. If you point
|
||||
# ServerRoot at a non-local disk, be sure to specify a local disk on the
|
||||
# Mutex directive, if file-based mutexes are used. If you wish to share the
|
||||
# same ServerRoot for multiple httpd daemons, you will need to change at
|
||||
# least PidFile.
|
||||
#
|
||||
ServerRoot "/etc/httpd"
|
||||
|
||||
#
|
||||
# Listen: Allows you to bind Apache to specific IP addresses and/or
|
||||
# ports, instead of the default. See also the <VirtualHost>
|
||||
# directive.
|
||||
#
|
||||
# Change this to Listen on a specific IP address, but note that if
|
||||
# httpd.service is enabled to run at boot time, the address may not be
|
||||
# available when the service starts. See the httpd.service(8) man
|
||||
# page for more information.
|
||||
#
|
||||
#Listen 12.34.56.78:80
|
||||
Listen 80
|
||||
|
||||
#
|
||||
# Dynamic Shared Object (DSO) Support
|
||||
#
|
||||
# To be able to use the functionality of a module which was built as a DSO you
|
||||
# have to place corresponding `LoadModule' lines at this location so the
|
||||
# directives contained in it are actually available _before_ they are used.
|
||||
# Statically compiled modules (those listed by `httpd -l') do not need
|
||||
# to be loaded here.
|
||||
#
|
||||
# Example:
|
||||
# LoadModule foo_module modules/mod_foo.so
|
||||
#
|
||||
Include conf.modules.d/*.conf
|
||||
|
||||
#
|
||||
# If you wish httpd to run as a different user or group, you must run
|
||||
# httpd as root initially and it will switch.
|
||||
#
|
||||
# User/Group: The name (or #number) of the user/group to run httpd as.
|
||||
# It is usually good practice to create a dedicated user and group for
|
||||
# running httpd, as with most system services.
|
||||
#
|
||||
User apache
|
||||
Group apache
|
||||
|
||||
# 'Main' server configuration
|
||||
#
|
||||
# The directives in this section set up the values used by the 'main'
|
||||
# server, which responds to any requests that aren't handled by a
|
||||
# <VirtualHost> definition. These values also provide defaults for
|
||||
# any <VirtualHost> containers you may define later in the file.
|
||||
#
|
||||
# All of these directives may appear inside <VirtualHost> containers,
|
||||
# in which case these default settings will be overridden for the
|
||||
# virtual host being defined.
|
||||
#
|
||||
|
||||
#
|
||||
# ServerAdmin: Your address, where problems with the server should be
|
||||
# e-mailed. This address appears on some server-generated pages, such
|
||||
# as error documents. e.g. admin@your-domain.com
|
||||
#
|
||||
ServerAdmin root@localhost
|
||||
|
||||
#
|
||||
# ServerName gives the name and port that the server uses to identify itself.
|
||||
# This can often be determined automatically, but we recommend you specify
|
||||
# it explicitly to prevent problems during startup.
|
||||
#
|
||||
# If your host doesn't have a registered DNS name, enter its IP address here.
|
||||
#
|
||||
#ServerName www.example.com:80
|
||||
|
||||
#
|
||||
# Deny access to the entirety of your server's filesystem. You must
|
||||
# explicitly permit access to web content directories in other
|
||||
# <Directory> blocks below.
|
||||
#
|
||||
<Directory />
|
||||
AllowOverride none
|
||||
Require all denied
|
||||
</Directory>
|
||||
|
||||
#
|
||||
# Note that from this point forward you must specifically allow
|
||||
# particular features to be enabled - so if something's not working as
|
||||
# you might expect, make sure that you have specifically enabled it
|
||||
# below.
|
||||
#
|
||||
|
||||
#
|
||||
# DocumentRoot: The directory out of which you will serve your
|
||||
# documents. By default, all requests are taken from this directory, but
|
||||
# symbolic links and aliases may be used to point to other locations.
|
||||
#
|
||||
DocumentRoot "/var/www/html"
|
||||
|
||||
#
|
||||
# Relax access to content within /var/www.
|
||||
#
|
||||
<Directory "/var/www">
|
||||
AllowOverride None
|
||||
# Allow open access:
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
# Further relax access to the default document root:
|
||||
<Directory "/var/www/html">
|
||||
#
|
||||
# Possible values for the Options directive are "None", "All",
|
||||
# or any combination of:
|
||||
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
|
||||
#
|
||||
# Note that "MultiViews" must be named *explicitly* --- "Options All"
|
||||
# doesn't give it to you.
|
||||
#
|
||||
# The Options directive is both complicated and important. Please see
|
||||
# http://httpd.apache.org/docs/2.4/mod/core.html#options
|
||||
# for more information.
|
||||
#
|
||||
Options Indexes FollowSymLinks
|
||||
|
||||
#
|
||||
# AllowOverride controls what directives may be placed in .htaccess files.
|
||||
# It can be "All", "None", or any combination of the keywords:
|
||||
# Options FileInfo AuthConfig Limit
|
||||
#
|
||||
AllowOverride None
|
||||
|
||||
#
|
||||
# Controls who can get stuff from this server.
|
||||
#
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
#
|
||||
# DirectoryIndex: sets the file that Apache will serve if a directory
|
||||
# is requested.
|
||||
#
|
||||
<IfModule dir_module>
|
||||
DirectoryIndex index.html
|
||||
</IfModule>
|
||||
|
||||
#
|
||||
# The following lines prevent .htaccess and .htpasswd files from being
|
||||
# viewed by Web clients.
|
||||
#
|
||||
<Files ".ht*">
|
||||
Require all denied
|
||||
</Files>
|
||||
|
||||
#
|
||||
# ErrorLog: The location of the error log file.
|
||||
# If you do not specify an ErrorLog directive within a <VirtualHost>
|
||||
# container, error messages relating to that virtual host will be
|
||||
# logged here. If you *do* define an error logfile for a <VirtualHost>
|
||||
# container, that host's errors will be logged there and not here.
|
||||
#
|
||||
# GNUNUX ErrorLog "logs/error_log"
|
||||
ErrorLog "|/usr/bin/systemd-cat -p err -t httpd"
|
||||
|
||||
#
|
||||
# LogLevel: Control the number of messages logged to the error_log.
|
||||
# Possible values include: debug, info, notice, warn, error, crit,
|
||||
# alert, emerg.
|
||||
#
|
||||
LogLevel warn
|
||||
|
||||
<IfModule log_config_module>
|
||||
#
|
||||
# The following directives define some format nicknames for use with
|
||||
# a CustomLog directive (see below).
|
||||
#
|
||||
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
||||
LogFormat "%h %l %u %t \"%r\" %>s %b" common
|
||||
|
||||
<IfModule logio_module>
|
||||
# You need to enable mod_logio.c to use %I and %O
|
||||
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
|
||||
</IfModule>
|
||||
|
||||
#
|
||||
# The location and format of the access logfile (Common Logfile Format).
|
||||
# If you do not define any access logfiles within a <VirtualHost>
|
||||
# container, they will be logged here. Contrariwise, if you *do*
|
||||
# define per-<VirtualHost> access logfiles, transactions will be
|
||||
# logged therein and *not* in this file.
|
||||
#
|
||||
#CustomLog "logs/access_log" common
|
||||
|
||||
#
|
||||
# If you prefer a logfile with access, agent, and referer information
|
||||
# (Combined Logfile Format) you can use the following directive.
|
||||
#
|
||||
# GNUNUX CustomLog "logs/access_log" combined
|
||||
CustomLog "|/usr/bin/systemd-cat -t httpd" combined
|
||||
</IfModule>
|
||||
|
||||
<IfModule alias_module>
|
||||
#
|
||||
# Redirect: Allows you to tell clients about documents that used to
|
||||
# exist in your server's namespace, but do not anymore. The client
|
||||
# will make a new request for the document at its new location.
|
||||
# Example:
|
||||
# Redirect permanent /foo http://www.example.com/bar
|
||||
|
||||
#
|
||||
# Alias: Maps web paths into filesystem paths and is used to
|
||||
# access content that does not live under the DocumentRoot.
|
||||
# Example:
|
||||
# Alias /webpath /full/filesystem/path
|
||||
#
|
||||
# If you include a trailing / on /webpath then the server will
|
||||
# require it to be present in the URL. You will also likely
|
||||
# need to provide a <Directory> section to allow access to
|
||||
# the filesystem path.
|
||||
|
||||
#
|
||||
# ScriptAlias: This controls which directories contain server scripts.
|
||||
# ScriptAliases are essentially the same as Aliases, except that
|
||||
# documents in the target directory are treated as applications and
|
||||
# run by the server when requested rather than as documents sent to the
|
||||
# client. The same rules about trailing "/" apply to ScriptAlias
|
||||
# directives as to Alias.
|
||||
#
|
||||
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
|
||||
|
||||
</IfModule>
|
||||
|
||||
#
|
||||
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
|
||||
# CGI directory exists, if you have that configured.
|
||||
#
|
||||
<Directory "/var/www/cgi-bin">
|
||||
AllowOverride None
|
||||
Options None
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
<IfModule mime_module>
|
||||
#
|
||||
# TypesConfig points to the file containing the list of mappings from
|
||||
# filename extension to MIME-type.
|
||||
#
|
||||
TypesConfig /etc/mime.types
|
||||
|
||||
#
|
||||
# AddType allows you to add to or override the MIME configuration
|
||||
# file specified in TypesConfig for specific file types.
|
||||
#
|
||||
#AddType application/x-gzip .tgz
|
||||
#
|
||||
# AddEncoding allows you to have certain browsers uncompress
|
||||
# information on the fly. Note: Not all browsers support this.
|
||||
#
|
||||
#AddEncoding x-compress .Z
|
||||
#AddEncoding x-gzip .gz .tgz
|
||||
#
|
||||
# If the AddEncoding directives above are commented-out, then you
|
||||
# probably should define those extensions to indicate media types:
|
||||
#
|
||||
AddType application/x-compress .Z
|
||||
AddType application/x-gzip .gz .tgz
|
||||
|
||||
#
|
||||
# AddHandler allows you to map certain file extensions to "handlers":
|
||||
# actions unrelated to filetype. These can be either built into the server
|
||||
# or added with the Action directive (see below)
|
||||
#
|
||||
# To use CGI scripts outside of ScriptAliased directories:
|
||||
# (You will also need to add "ExecCGI" to the "Options" directive.)
|
||||
#
|
||||
#AddHandler cgi-script .cgi
|
||||
|
||||
# For type maps (negotiated resources):
|
||||
#AddHandler type-map var
|
||||
|
||||
#
|
||||
# Filters allow you to process content before it is sent to the client.
|
||||
#
|
||||
# To parse .shtml files for server-side includes (SSI):
|
||||
# (You will also need to add "Includes" to the "Options" directive.)
|
||||
#
|
||||
AddType text/html .shtml
|
||||
AddOutputFilter INCLUDES .shtml
|
||||
</IfModule>
|
||||
|
||||
#
|
||||
# Specify a default charset for all content served; this enables
|
||||
# interpretation of all content as UTF-8 by default. To use the
|
||||
# default browser choice (ISO-8859-1), or to allow the META tags
|
||||
# in HTML content to override this choice, comment out this
|
||||
# directive:
|
||||
#
|
||||
AddDefaultCharset UTF-8
|
||||
|
||||
<IfModule mime_magic_module>
|
||||
#
|
||||
# The mod_mime_magic module allows the server to use various hints from the
|
||||
# contents of the file itself to determine its type. The MIMEMagicFile
|
||||
# directive tells the module where the hint definitions are located.
|
||||
#
|
||||
MIMEMagicFile conf/magic
|
||||
</IfModule>
|
||||
|
||||
#
|
||||
# Customizable error responses come in three flavors:
|
||||
# 1) plain text 2) local redirects 3) external redirects
|
||||
#
|
||||
# Some examples:
|
||||
#ErrorDocument 500 "The server made a boo boo."
|
||||
#ErrorDocument 404 /missing.html
|
||||
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
|
||||
#ErrorDocument 402 http://www.example.com/subscription_info.html
|
||||
#
|
||||
|
||||
#
|
||||
# EnableMMAP and EnableSendfile: On systems that support it,
|
||||
# memory-mapping or the sendfile syscall may be used to deliver
|
||||
# files. This usually improves server performance, but must
|
||||
# be turned off when serving from networked-mounted
|
||||
# filesystems or if support for these functions is otherwise
|
||||
# broken on your system.
|
||||
# Defaults if commented: EnableMMAP On, EnableSendfile Off
|
||||
#
|
||||
#EnableMMAP off
|
||||
EnableSendfile on
|
||||
|
||||
# Supplemental configuration
|
||||
#
|
||||
# Load config files in the "/etc/httpd/conf.d" directory, if any.
|
||||
IncludeOptional conf.d/*.conf
|
|
@ -0,0 +1,15 @@
|
|||
# Timeout
|
||||
Timeout %%apache_timeout
|
||||
|
||||
# Keepalive
|
||||
%if %%apache_keepalive
|
||||
KeepAlive On
|
||||
%else
|
||||
KeepAlive Off
|
||||
%end if
|
||||
MaxKeepAliveRequests 50
|
||||
KeepAliveTimeout %%apache_timeout
|
||||
|
||||
# RemoteIp
|
||||
RemoteIPHeader X-Forwarded-For
|
||||
RemoteIPInternalProxy %%revprox_client_server_ip
|
|
@ -0,0 +1 @@
|
|||
%%server_ca
|
|
@ -0,0 +1 @@
|
|||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="ReverseProxy")
|
|
@ -0,0 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="ReverseProxy")
|
226
seed/applicationservice/2022.03.08/apache/templates/ssl.conf
Normal file
226
seed/applicationservice/2022.03.08/apache/templates/ssl.conf
Normal file
|
@ -0,0 +1,226 @@
|
|||
#
|
||||
# When we also provide SSL we have to listen to the
|
||||
# standard HTTPS port in addition.
|
||||
#
|
||||
Listen 443 https
|
||||
|
||||
##
|
||||
## SSL Global Context
|
||||
##
|
||||
## All SSL configuration in this context applies both to
|
||||
## the main server and all SSL-enabled virtual hosts.
|
||||
##
|
||||
|
||||
# Pass Phrase Dialog:
|
||||
# Configure the pass phrase gathering process.
|
||||
# The filtering dialog program (`builtin' is a internal
|
||||
# terminal dialog) has to provide the pass phrase on stdout.
|
||||
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
|
||||
|
||||
# Inter-Process Session Cache:
|
||||
# Configure the SSL Session Cache: First the mechanism
|
||||
# to use and second the expiring timeout (in seconds).
|
||||
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
|
||||
SSLSessionCacheTimeout 300
|
||||
|
||||
# Pseudo Random Number Generator (PRNG):
|
||||
# Configure one or more sources to seed the PRNG of the
|
||||
# SSL library. The seed data should be of good random quality.
|
||||
# WARNING! On some platforms /dev/random blocks if not enough entropy
|
||||
# is available. This means you then cannot use the /dev/random device
|
||||
# because it would lead to very long connection times (as long as
|
||||
# it requires to make more entropy available). But usually those
|
||||
# platforms additionally provide a /dev/urandom device which doesn't
|
||||
# block. So, if available, use this one instead. Read the mod_ssl User
|
||||
# Manual for more details.
|
||||
SSLRandomSeed startup file:/dev/urandom 256
|
||||
SSLRandomSeed connect builtin
|
||||
#SSLRandomSeed startup file:/dev/random 512
|
||||
#SSLRandomSeed connect file:/dev/random 512
|
||||
#SSLRandomSeed connect file:/dev/urandom 512
|
||||
|
||||
#
|
||||
# Use "SSLCryptoDevice" to enable any supported hardware
|
||||
# accelerators. Use "openssl engine -v" to list supported
|
||||
# engine names. NOTE: If you enable an accelerator and the
|
||||
# server does not start, consult the error logs and ensure
|
||||
# your accelerator is functioning properly.
|
||||
#
|
||||
SSLCryptoDevice builtin
|
||||
#SSLCryptoDevice ubsec
|
||||
|
||||
##
|
||||
## SSL Virtual Host Context
|
||||
##
|
||||
|
||||
<VirtualHost _default_:443>
|
||||
|
||||
# General setup for the virtual host, inherited from global configuration
|
||||
#DocumentRoot "/var/www/html"
|
||||
#ServerName www.example.com:443
|
||||
|
||||
# Use separate log files for the SSL virtual host; note that LogLevel
|
||||
# is not inherited from httpd.conf.
|
||||
# GNUNUX ErrorLog logs/ssl_error_log
|
||||
ErrorLog "|/usr/bin/systemd-cat -p err -t httpd"
|
||||
# GNUNUX TransferLog logs/ssl_access_log
|
||||
LogLevel warn
|
||||
|
||||
# SSL Engine Switch:
|
||||
# Enable/Disable SSL for this virtual host.
|
||||
SSLEngine on
|
||||
|
||||
# List the protocol versions which clients are allowed to connect with.
|
||||
# The OpenSSL system profile is configured by default. See
|
||||
# update-crypto-policies(8) for more details.
|
||||
#SSLProtocol all -SSLv3
|
||||
#SSLProxyProtocol all -SSLv3
|
||||
|
||||
# User agents such as web browsers are not configured for the user's
|
||||
# own preference of either security or performance, therefore this
|
||||
# must be the prerogative of the web server administrator who manages
|
||||
# cpu load versus confidentiality, so enforce the server's cipher order.
|
||||
SSLHonorCipherOrder on
|
||||
|
||||
# SSL Cipher Suite:
|
||||
# List the ciphers that the client is permitted to negotiate.
|
||||
# See the mod_ssl documentation for a complete list.
|
||||
# The OpenSSL system profile is configured by default. See
|
||||
# update-crypto-policies(8) for more details.
|
||||
SSLCipherSuite PROFILE=SYSTEM
|
||||
SSLProxyCipherSuite PROFILE=SYSTEM
|
||||
|
||||
# Point SSLCertificateFile at a PEM encoded certificate. If
|
||||
# the certificate is encrypted, then you will be prompted for a
|
||||
# pass phrase. Note that restarting httpd will prompt again. Keep
|
||||
# in mind that if you have both an RSA and a DSA certificate you
|
||||
# can configure both in parallel (to also allow the use of DSA
|
||||
# ciphers, etc.)
|
||||
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
|
||||
# require an ECC certificate which can also be configured in
|
||||
# parallel.
|
||||
# GNUNUX SSLCertificateFile /etc/pki/tls/certs/localhost.crt
|
||||
SSLCertificateFile /etc/httpd/ssl/server.crt
|
||||
|
||||
# Server Private Key:
|
||||
# If the key is not combined with the certificate, use this
|
||||
# directive to point at the key file. Keep in mind that if
|
||||
# you've both a RSA and a DSA private key you can configure
|
||||
# both in parallel (to also allow the use of DSA ciphers, etc.)
|
||||
# ECC keys, when in use, can also be configured in parallel
|
||||
# GNUNUX SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
|
||||
SSLCertificateKeyFile /etc/httpd/ssl/server.key
|
||||
|
||||
# Server Certificate Chain:
|
||||
# Point SSLCertificateChainFile at a file containing the
|
||||
# concatenation of PEM encoded CA certificates which form the
|
||||
# certificate chain for the server certificate. Alternatively
|
||||
# the referenced file can be the same as SSLCertificateFile
|
||||
# when the CA certificates are directly appended to the server
|
||||
# certificate for convenience.
|
||||
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
|
||||
|
||||
# Certificate Authority (CA):
|
||||
# Set the CA certificate verification path where to find CA
|
||||
# certificates for client authentication or alternatively one
|
||||
# huge file containing all of them (file must be PEM encoded)
|
||||
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
|
||||
#>GNUNUX
|
||||
SSLCACertificateFile /etc/httpd/ssl/server.ca
|
||||
#<GNUNUX
|
||||
|
||||
# Client Authentication (Type):
|
||||
# Client certificate verification type and depth. Types are
|
||||
# none, optional, require and optional_no_ca. Depth is a
|
||||
# number which specifies how deeply to verify the certificate
|
||||
# issuer chain before deciding the certificate is not valid.
|
||||
#SSLVerifyClient require
|
||||
#SSLVerifyDepth 10
|
||||
|
||||
# Access Control:
|
||||
# With SSLRequire you can do per-directory access control based
|
||||
# on arbitrary complex boolean expressions containing server
|
||||
# variable checks and other lookup directives. The syntax is a
|
||||
# mixture between C and Perl. See the mod_ssl documentation
|
||||
# for more details.
|
||||
#<Location />
|
||||
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
|
||||
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
|
||||
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
|
||||
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
|
||||
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
|
||||
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
|
||||
#</Location>
|
||||
|
||||
# SSL Engine Options:
|
||||
# Set various options for the SSL engine.
|
||||
# o FakeBasicAuth:
|
||||
# Translate the client X.509 into a Basic Authorisation. This means that
|
||||
# the standard Auth/DBMAuth methods can be used for access control. The
|
||||
# user name is the `one line' version of the client's X.509 certificate.
|
||||
# Note that no password is obtained from the user. Every entry in the user
|
||||
# file needs this password: `xxj31ZMTZzkVA'.
|
||||
# o ExportCertData:
|
||||
# This exports two additional environment variables: SSL_CLIENT_CERT and
|
||||
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
|
||||
# server (always existing) and the client (only existing when client
|
||||
# authentication is used). This can be used to import the certificates
|
||||
# into CGI scripts.
|
||||
# o StdEnvVars:
|
||||
# This exports the standard SSL/TLS related `SSL_*' environment variables.
|
||||
# Per default this exportation is switched off for performance reasons,
|
||||
# because the extraction step is an expensive operation and is usually
|
||||
# useless for serving static content. So one usually enables the
|
||||
# exportation for CGI and SSI requests only.
|
||||
# o StrictRequire:
|
||||
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
|
||||
# under a "Satisfy any" situation, i.e. when it applies access is denied
|
||||
# and no other module can change it.
|
||||
# o OptRenegotiate:
|
||||
# This enables optimized SSL connection renegotiation handling when SSL
|
||||
# directives are used in per-directory context.
|
||||
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
<Directory "/var/www/cgi-bin">
|
||||
SSLOptions +StdEnvVars
|
||||
</Directory>
|
||||
|
||||
# SSL Protocol Adjustments:
|
||||
# The safe and default but still SSL/TLS standard compliant shutdown
|
||||
# approach is that mod_ssl sends the close notify alert but doesn't wait for
|
||||
# the close notify alert from client. When you need a different shutdown
|
||||
# approach you can use one of the following variables:
|
||||
# o ssl-unclean-shutdown:
|
||||
# This forces an unclean shutdown when the connection is closed, i.e. no
|
||||
# SSL close notify alert is sent or allowed to be received. This violates
|
||||
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
|
||||
# this when you receive I/O errors because of the standard approach where
|
||||
# mod_ssl sends the close notify alert.
|
||||
# o ssl-accurate-shutdown:
|
||||
# This forces an accurate shutdown when the connection is closed, i.e. a
|
||||
# SSL close notify alert is sent and mod_ssl waits for the close notify
|
||||
# alert of the client. This is 100% SSL/TLS standard compliant, but in
|
||||
# practice often causes hanging connections with brain-dead browsers. Use
|
||||
# this only for browsers where you know that their SSL implementation
|
||||
# works correctly.
|
||||
# Notice: Most problems of broken clients are also related to the HTTP
|
||||
# keep-alive facility, so you usually additionally want to disable
|
||||
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
|
||||
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
|
||||
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
|
||||
# "force-response-1.0" for this.
|
||||
BrowserMatch "MSIE [2-5]" \
|
||||
nokeepalive ssl-unclean-shutdown \
|
||||
downgrade-1.0 force-response-1.0
|
||||
|
||||
# Per-Server Logging:
|
||||
# The home of a custom SSL log file. Use this when you want a
|
||||
# compact non-error SSL logfile on a virtual host basis.
|
||||
# GNUNUX CustomLog logs/ssl_request_log \
|
||||
# GNUNUX "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
|
||||
CustomLog "|/usr/bin/systemd-cat -t httpd" combined
|
||||
|
||||
</VirtualHost>
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
g apache 48 -
|
||||
u apache 48:48 "Apache" /usr/share/httpd /sbin/nologin
|
|
@ -0,0 +1,2 @@
|
|||
d /var/www/html 750 root apache - -
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
format: '0.1'
|
||||
description: Information de base d'un serveur Debian Buster
|
||||
depends:
|
||||
- base-debian
|
|
@ -0,0 +1,15 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="dnssec" manage="False">
|
||||
<file>/etc/dnssec-trust-anchors.d/local.negative</file>
|
||||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="general">
|
||||
<variable name="os_version" type="string" description="OS Version" hidden="True">
|
||||
<value>bullseye</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -0,0 +1 @@
|
|||
RELEASEVER=bullseye
|
|
@ -0,0 +1,2 @@
|
|||
%set %%domain=%%domain_name_eth0.split('.', 1)[1]
|
||||
%%domain
|
|
@ -0,0 +1,5 @@
|
|||
format: '0.1'
|
||||
description: Information de base d'un serveur Debian
|
||||
depends:
|
||||
- base
|
||||
- systemd
|
|
@ -0,0 +1,26 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="debian" manage="False">
|
||||
<file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
|
||||
<file engine="none">/etc/default/locale</file>
|
||||
</service>
|
||||
<service name="update-ca-certificates" engine="creole" target="multi-user"/>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="general">
|
||||
<variable name="os_name" type="string" description="OS name" hidden="True">
|
||||
<value>Debian</value>
|
||||
</variable>
|
||||
<variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
|
||||
<value>/etc/ssl-localca</value>
|
||||
</variable>
|
||||
<variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
|
||||
<value>/etc/ssl/certs</value>
|
||||
</variable>
|
||||
<variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
|
||||
<value>/etc/ssl/private</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -0,0 +1,2 @@
|
|||
rm -f $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
|
||||
ln -s ../run/systemd/resolve/stub-resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
|
|
@ -0,0 +1,3 @@
|
|||
BASE_PKG="dbus,udev,systemd,bash,lsof,strace,apt-listchanges"
|
||||
INSTALL_TOOL="apt"
|
||||
OS_NAME="debian"
|
|
@ -0,0 +1 @@
|
|||
LANG="fr_FR.UTF-8"
|
|
@ -0,0 +1 @@
|
|||
q /var/tmp 1777 root root 30d
|
|
@ -0,0 +1,11 @@
|
|||
[Unit]
|
||||
Description=Update CA Certificates
|
||||
Before=network-pre.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/sbin/update-ca-certificates --localcertsdir %%tls_ca_directory
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
1
seed/applicationservice/2022.03.08/base-fedora/README.md
Normal file
1
seed/applicationservice/2022.03.08/base-fedora/README.md
Normal file
|
@ -0,0 +1 @@
|
|||
Inspired by: https://pagure.io/fedora-kickstarts/tree/main
|
|
@ -0,0 +1,5 @@
|
|||
format: '0.1'
|
||||
description: Information de base d'un serveur Fedora
|
||||
depends:
|
||||
- base
|
||||
- systemd
|
|
@ -0,0 +1,25 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="update-ca-trust" engine="creole" target="multi-user"/>
|
||||
<service name="fedora-base" manage="False">
|
||||
<file engine="none">/tmpfiles.d/fedora.conf</file>
|
||||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="general">
|
||||
<variable name="os_name" type="string" description="OS name" hidden="True">
|
||||
<value>Fedora</value>
|
||||
</variable>
|
||||
<variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
|
||||
<value>/etc/pki/ca-trust/source/anchors</value>
|
||||
</variable>
|
||||
<variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
|
||||
<value>/etc/pki/tls/certs</value>
|
||||
</variable>
|
||||
<variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
|
||||
<value>/etc/pki/tls/private</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -0,0 +1,4 @@
|
|||
BASE_PKG="systemd systemd-networkd systemd-resolved fedora-release-container lsof strace"
|
||||
INSTALL_TOOL="dnf"
|
||||
OS_NAME='fedora'
|
||||
REPO_DIR="$IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/yum.repos.d/"
|
11
seed/applicationservice/2022.03.08/base-fedora/packer/image/preprocessors
Executable file
11
seed/applicationservice/2022.03.08/base-fedora/packer/image/preprocessors
Executable file
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -xe
|
||||
|
||||
echo "Preprocessors"
|
||||
|
||||
if [ ! -z $https_proxy ]; then
|
||||
echo "echo 'export https_proxy=$https_proxy' > /tmp/proxy.sh" > scripts/00-proxy
|
||||
fi
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,63 @@
|
|||
{
|
||||
"builders": [
|
||||
{
|
||||
"format": "qcow2",
|
||||
"headless": true,
|
||||
"output_directory": "{{user `tmp_directory`}}/output",
|
||||
"shutdown_command": "echo packer | sudo -S shutdown -P now",
|
||||
"ssh_password": "qemubuild",
|
||||
"ssh_username": "qemubuild",
|
||||
"ssh_wait_timeout": "120m",
|
||||
"type": "qemu",
|
||||
"disk_interface": "virtio",
|
||||
"vm_name": "image.img",
|
||||
"qemuargs": [
|
||||
["-drive", "file=output/image.img,if=virtio,cache=writeback,discard=ignore,format=qcow2"],
|
||||
["-drive", "if=pflash,format=raw,readonly=on,file=/usr/share/OVMF/OVMF_CODE.fd"]
|
||||
],
|
||||
"memory": "2048",
|
||||
"vnc_bind_address": "0.0.0.0",
|
||||
"disk_image": true,
|
||||
"iso_checksum": "{{user `iso_checksum` }}",
|
||||
"iso_url": "{{user `iso_url` }}",
|
||||
"iso_checksum_type": "sha256"
|
||||
}
|
||||
],
|
||||
"provisioners": [
|
||||
{
|
||||
"type": "file",
|
||||
"source": "{{user `tmp_directory`}}/scripts",
|
||||
"destination": "/tmp/scripts"
|
||||
},
|
||||
{
|
||||
"type": "shell",
|
||||
"inline": [
|
||||
"sudo chown root: /tmp/scripts/*",
|
||||
"sudo chmod +x /tmp/scripts/*",
|
||||
"sudo risotto-run-parts /tmp/scripts/"
|
||||
]
|
||||
}
|
||||
],
|
||||
"post-processors": [
|
||||
{
|
||||
"type": "shell-local",
|
||||
"inline": [
|
||||
"sleep 5",
|
||||
"mkdir -p {{user `tmp_directory`}}/tmp",
|
||||
"echo 'Syst Prep'",
|
||||
"LIBGUESTFS_BACKEND=direct virt-sysprep --delete \"/var/*\" --delete \"/home/*\" -a {{user `tmp_directory`}}/output/image.img",
|
||||
"echo 'Sparsify before shink'",
|
||||
"LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ {{user `tmp_directory`}}/output/image.img {{user `tmp_directory`}}/output/sparse.img",
|
||||
"echo 'Shink'",
|
||||
"guestfish add {{user `tmp_directory`}}/output/sparse.img : run : resize2fs-M /dev/sda2",
|
||||
"truncate -s $(virt-df {{user `tmp_directory`}}/output/sparse.img --csv|tail -n +2|awk -F, '{x+=$3}END{print x + 16012}')K {{user `tmp_directory`}}/output/shrink.img",
|
||||
"virt-resize --shrink /dev/sda2 {{user `tmp_directory`}}/output/sparse.img {{user `tmp_directory`}}/output/shrink.img",
|
||||
"echo 'Sparsify and convert to qcow2'",
|
||||
"LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ --compress --convert qcow2 {{user `tmp_directory`}}/output/shrink.img {{user `tmp_directory`}}/image.img",
|
||||
"echo 'SHASUM'",
|
||||
"sha256sum {{user `tmp_directory`}}/image.img > {{user `tmp_directory`}}/image.sha256",
|
||||
"rm -rf {{user `tmp_directory`}}/tmp {{user `tmp_directory`}}/output"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,63 @@
|
|||
{
|
||||
"builders": [
|
||||
{
|
||||
"format": "qcow2",
|
||||
"headless": true,
|
||||
"output_directory": "{{user `tmp_directory`}}/output",
|
||||
"shutdown_command": "echo packer | sudo -S shutdown -P now",
|
||||
"ssh_password": "qemubuild",
|
||||
"ssh_username": "qemubuild",
|
||||
"ssh_wait_timeout": "120m",
|
||||
"type": "qemu",
|
||||
"disk_interface": "virtio",
|
||||
"vm_name": "image.img",
|
||||
"qemuargs": [
|
||||
["-drive", "file=output/image.img,if=virtio,cache=writeback,discard=ignore,format=qcow2"],
|
||||
["-drive", "if=pflash,format=raw,readonly=on,file=/usr/share/OVMF/OVMF_CODE.fd"]
|
||||
],
|
||||
"memory": "2048",
|
||||
"vnc_bind_address": "0.0.0.0",
|
||||
"disk_image": true,
|
||||
"iso_checksum": "{{user `iso_checksum` }}",
|
||||
"iso_url": "{{user `iso_url` }}",
|
||||
"iso_checksum_type": "sha256"
|
||||
}
|
||||
],
|
||||
"provisioners": [
|
||||
{
|
||||
"type": "file",
|
||||
"source": "{{user `tmp_directory`}}/scripts",
|
||||
"destination": "/tmp/scripts"
|
||||
},
|
||||
{
|
||||
"type": "shell",
|
||||
"inline": [
|
||||
"sudo chown root: /tmp/scripts/*",
|
||||
"sudo chmod +x /tmp/scripts/*",
|
||||
"sudo risotto-run-parts /tmp/scripts/"
|
||||
]
|
||||
}
|
||||
],
|
||||
"post-processors": [
|
||||
{
|
||||
"type": "shell-local",
|
||||
"inline": [
|
||||
"sleep 5",
|
||||
"mkdir -p {{user `tmp_directory`}}/tmp",
|
||||
"echo 'Syst Prep'",
|
||||
"LIBGUESTFS_BACKEND=direct virt-sysprep --delete \"/var/*\" --delete \"/home/*\" -a {{user `tmp_directory`}}/output/image.img",
|
||||
"echo 'Sparsify before shink'",
|
||||
"LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ {{user `tmp_directory`}}/output/image.img {{user `tmp_directory`}}/output/sparse.img",
|
||||
"echo 'Shink'",
|
||||
"guestfish add {{user `tmp_directory`}}/output/sparse.img : run : resize2fs-M /dev/sda2",
|
||||
"truncate -s $(virt-df {{user `tmp_directory`}}/output/sparse.img --csv|tail -n +2|awk -F, '{x+=$3}END{print x + 16384}')K {{user `tmp_directory`}}/output/shrink.img",
|
||||
"virt-resize --shrink /dev/sda2 {{user `tmp_directory`}}/output/sparse.img {{user `tmp_directory`}}/output/shrink.img",
|
||||
"echo 'Sparsify and convert to qcow2'",
|
||||
"LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ --compress --convert qcow2 {{user `tmp_directory`}}/output/shrink.img {{user `tmp_directory`}}/image.img",
|
||||
"echo 'SHASUM'",
|
||||
"sha256sum {{user `tmp_directory`}}/image.img > {{user `tmp_directory`}}/image.sha256",
|
||||
"rm -rf {{user `tmp_directory`}}/tmp {{user `tmp_directory`}}/output"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -xe
|
||||
|
||||
[ -e /tmp/proxy.sh ] && . /tmp/proxy.sh
|
||||
microdnf update
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/bash
|
||||
set -xe
|
||||
|
||||
microdnf clean all
|
||||
for package in microdnf libdnf libpeas libstdc++ gobject-introspection libsolv librepo libmodulemd file-libs zchunk-libs libyaml gpgme gnupg2 libassuan libksba libusbx npth; do
|
||||
rpm -e $package || true
|
||||
done
|
||||
rm -rf /var/lib/dnf
|
||||
exit 0
|
|
@ -0,0 +1,29 @@
|
|||
#!/bin/bash
|
||||
set -xe
|
||||
|
||||
rpm -qa | sort > /tmp/rpm.txt
|
||||
# try to remove this packages
|
||||
PKG=" rpm rpm-libs curl libcurl lua-libs libarchive sqlite-libs libnghttp2 libssh libbrotli libpsl publicsuffix-list-dafsa libxml2 libssh-config elfutils-libs dbus-broker "
|
||||
# exclude package
|
||||
PKG2=""
|
||||
while read -r a; do
|
||||
pkg="$(echo "$a" | awk '{ print $1 }' | awk -F'(' '{ print $1 }')"
|
||||
[ -n "$PKG2" ] && PKG2="$PKG2\n"
|
||||
PKG2="$PKG2$pkg"
|
||||
done <<< "$( rpm --test -ev $PKG 2>&1 | grep -v ^'erreur' )"
|
||||
|
||||
while read -r b; do
|
||||
pkg=$(rpm -q $b --quiet && echo $b || rpm -qf $(find / -name $b -print -quit) --query --queryformat "%{NAME}\n";)
|
||||
echo "Ne pas désinstaller $pkg"
|
||||
PKG=${PKG// $pkg / }
|
||||
done <<< "$(echo -e $PKG2 | sort -u)"
|
||||
|
||||
echo "Suppression de $PKG"
|
||||
rpm -e $PKG
|
||||
|
||||
echo "Remove rpm database"
|
||||
rm -rf /var/lib/rpm/*
|
||||
rm -rf /usr/lib/rpm
|
||||
mv /tmp/rpm.txt /var/lib/rpm/rpm.txt
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -xe
|
||||
|
||||
rm -rf /etc/X11 /etc/firewalld /etc/pki/rpm-gpg /etc/yum.repos.d /etc/dconf
|
||||
make_volatile /etc
|
||||
#
|
||||
make_volatile /var/lib/rpm
|
||||
|
||||
sed -i 's/ ro$/ ro systemd.volatile=yes selinux=1 net.ifnames=0/g' /boot/efi/loader/entries/fedora.conf
|
||||
exit 0
|
|
@ -0,0 +1,15 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -xe
|
||||
|
||||
find /usr/share/locale/ -mindepth 1 -maxdepth 1 ! -name fr ! -name fr_FR -exec rm -rf '{}' \;
|
||||
find /usr/lib/locale/ -mindepth 1 -maxdepth 1 ! -name fr_FR.utf8 ! -name C.utf8 -exec rm -rf '{}' \;
|
||||
find /usr/lib/kbd/keymaps/xkb/ -type f ! -name fr-oss.map.gz -delete
|
||||
find /usr/lib/kbd/consolefonts/ -type f ! -name eurlatgr.psfu.gz -delete
|
||||
rm -rf /usr/share/bash-completion
|
||||
rm -rf /usr/share/pkgconfig
|
||||
rm -rf /usr/share/licenses/
|
||||
rm -rf /usr/share/zsh
|
||||
rm -rf /usr/lib/.build-id
|
||||
rm -rf /usr/lib/debug
|
||||
exit 0
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -xe
|
||||
|
||||
rm -rf /var/cache/* /var/log/*
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,10 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -xe
|
||||
|
||||
KERNELVERSION=$(ls /lib/modules)
|
||||
if [ -f "/boot/efi/$KERNELVERSION/initrd.cdrom" ]; then
|
||||
mv "/boot/efi/$KERNELVERSION/initrd.cdrom" "/boot/efi/$KERNELVERSION/initrd"
|
||||
fi
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -ex
|
||||
#
|
||||
#duperemove -rd /
|
||||
#
|
||||
#for size in 1000000000 100000000 10000000 1000000 100000 10000 1000 100 10 1; do
|
||||
# echo "========================= $size ========================="
|
||||
# while btrfs filesystem resize -$size /; do :; done
|
||||
#done
|
||||
exit 0
|
|
@ -0,0 +1,63 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
DESTDIR='/usr/lib/tmpfiles.d'
|
||||
CONF_DST='/usr/share/factory'
|
||||
EXCLUDES="^(/etc/passwd|/etc/group|/etc/.updated|/etc/.pwd.lock|/etc/pam.d|/etc/systemd/network/dhcp.network|/etc/sudoers.d/qemubuild)$"
|
||||
ONLY_COPY="^(/etc/localtime)$"
|
||||
FORCE_LINKS="^(/etc/udev/hwdb.bin)$"
|
||||
|
||||
function file_dir_in_tmpfiles() {
|
||||
letter=$1
|
||||
directory=$2
|
||||
mode=$(stat --format "%a" "$directory")
|
||||
user=$(stat --format "%U" "$directory")
|
||||
group=$(stat --format "%G" "$directory")
|
||||
echo "$letter $directory $mode $user $group - -"
|
||||
}
|
||||
|
||||
function calc_symlink_in_tmpfiles() {
|
||||
dest_name=$1
|
||||
src_file=$(readlink "$dest_name")
|
||||
symlink_in_tmpfiles "$dest_name" "$src_file"
|
||||
}
|
||||
|
||||
function symlink_in_tmpfiles() {
|
||||
dest_name=$1
|
||||
src_file=$2
|
||||
echo "L+ $dest_name - - - - $src_file"
|
||||
}
|
||||
|
||||
function main() {
|
||||
dir_config_orig=$1
|
||||
|
||||
mkdir -p "$DESTDIR"
|
||||
mkdir -p "$CONF_DST$dir_config_orig"
|
||||
name="${dir_config_orig//\//-}"
|
||||
systemd_conf="$DESTDIR/risotto$name.conf"
|
||||
echo "" > $systemd_conf
|
||||
while IFS= read -r -d '' src_file; do
|
||||
dest_file="$CONF_DST$src_file"
|
||||
echo $src_file
|
||||
if [[ "$src_file" =~ $EXCLUDES ]]; then
|
||||
echo "$src_file: exclude" >&2
|
||||
elif [[ -L "$src_file" ]]; then
|
||||
calc_symlink_in_tmpfiles "$src_file" >> $systemd_conf
|
||||
elif [[ "$src_file" =~ $FORCE_LINKS ]]; then
|
||||
symlink_in_tmpfiles "$src_file" "$dest_file" >> $systemd_conf
|
||||
elif [[ -d "$src_file" ]]; then
|
||||
file_dir_in_tmpfiles 'd' "$src_file" >> $systemd_conf
|
||||
[[ ! -d "$dest_file" ]] && mkdir -p "$dest_file"
|
||||
#echo "$src_file: directory ok"
|
||||
else
|
||||
if [[ ! "$src_file" =~ $ONLY_COPY ]]; then
|
||||
file_dir_in_tmpfiles "C" "$src_file" >> $systemd_conf
|
||||
fi
|
||||
[[ -e "$dest_file" ]] && rm -f "$dest_file"
|
||||
# not a symlink... an hardlink
|
||||
ln "$src_file" "$dest_file"
|
||||
#echo "$src_file: file ok"
|
||||
fi
|
||||
done < <(find "$dir_config_orig" -print0)
|
||||
}
|
||||
main "$1"
|
||||
exit 0
|
|
@ -0,0 +1,24 @@
|
|||
#!/usr/bin/bash
|
||||
# run-parts - concept taken from Debian
|
||||
|
||||
set +xe
|
||||
|
||||
if [ $# -lt 1 ]; then
|
||||
echo "Usage: risotto-run-parts <dir>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
echo "Not a directory: $1"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Ignore *~ and *, scripts
|
||||
for i in $(LC_ALL=C; echo ${1%/}/*[^~,]) ; do
|
||||
[ -d $i ] && continue
|
||||
[ ! -x $i ] && continue
|
||||
echo "execute $i"
|
||||
$i 2>&1
|
||||
done
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,169 @@
|
|||
# Keyboard layouts
|
||||
keyboard --xlayouts='fr (oss)'
|
||||
# System language
|
||||
lang fr_FR.UTF-8
|
||||
# Required settings
|
||||
rootpw qemubuild
|
||||
user --name=qemubuild --password=qemubuild --groups=wheel
|
||||
authconfig --enableshadow --enablemd5
|
||||
|
||||
# System timezone
|
||||
timezone Europe/Paris --utc
|
||||
repo --name=fedora --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
|
||||
repo --name=updates --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch
|
||||
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-\$releasever&arch=\$basearch%%EXTRA_URL%%
|
||||
|
||||
# Optional settings
|
||||
#bootloader --location=mbr
|
||||
bootloader --disabled
|
||||
clearpart --all --initlabel
|
||||
firstboot --enable
|
||||
#install
|
||||
network --bootproto=dhcp
|
||||
reboot
|
||||
selinux --enforcing
|
||||
#services --enabled=sshd,zram-swap,systemd-networkd,systemd-resolved
|
||||
services --enabled=sshd --disabled=systemd-vconsole-setup
|
||||
skipx
|
||||
text
|
||||
zerombr
|
||||
|
||||
# Disk partition
|
||||
part / --fstype="ext2" --ondisk=vda --grow
|
||||
# btrfs : part btrfs.50 --fstype="btrfs" --ondisk=vda --grow
|
||||
part /boot/efi --fstype="efi" --ondisk=vda --size=30 --fsoptions="umask=0077,shortname=winnt"
|
||||
|
||||
#btrfs none --label=fedora_fedora btrfs.50
|
||||
#btrfs / --subvol --name=root LABEL=fedora_fedora
|
||||
|
||||
# Packages
|
||||
%packages --excludedocs --instLangs=fr --nocore --exclude-weakdeps
|
||||
#@core --nodefaults
|
||||
audit
|
||||
bash
|
||||
coreutils
|
||||
#dracut-config-generic
|
||||
# btrfs duperemove
|
||||
#glibc-langpack-fr
|
||||
kbd
|
||||
kernel-core
|
||||
microdnf
|
||||
openssh-server
|
||||
openssh-clients
|
||||
qemu-guest-agent
|
||||
systemd-networkd
|
||||
#rpm
|
||||
#shadow-utils
|
||||
screen
|
||||
sudo
|
||||
systemd
|
||||
#util-linux
|
||||
-zram
|
||||
#
|
||||
-kernel
|
||||
%end
|
||||
|
||||
# Post
|
||||
%post
|
||||
|
||||
# for microdnf
|
||||
touch /etc/dnf/dnf.conf
|
||||
|
||||
# add qemubuild to sudo
|
||||
echo "qemubuild ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/qemubuild
|
||||
|
||||
# remove unecessary directories
|
||||
rm -rf /usr/share/doc
|
||||
rm -rf /usr/share/licenses
|
||||
#rm -rfv /usr/share/icons/*
|
||||
# remove some random help txt files
|
||||
rm -fv /usr/share/gnupg/help*.txt
|
||||
# Pruning random things
|
||||
rm usr/lib/rpm/rpm.daily
|
||||
#some random not-that-useful binaries
|
||||
rm -fv /usr/bin/pinky
|
||||
|
||||
# if you want to change the timezone, bind-mount it from the host or reinstall tzdata
|
||||
localzone=$(readlink /etc/localtime)
|
||||
mv $localzone /tmp
|
||||
rm -rfv /usr/share/zoneinfo
|
||||
mkdir -p $(dirname $localzone)
|
||||
mv /tmp/$(basename $localzone) $localzone
|
||||
|
||||
# configure systemd-networkd
|
||||
echo """[Match]
|
||||
Name=*
|
||||
|
||||
[Network]
|
||||
DHCP=yes""" > /etc/systemd/network/dhcp.network
|
||||
SYSTEMDDIR=/usr/lib/systemd/system
|
||||
MULTI=$SYSTEMDDIR/multi-user.target.wants
|
||||
ln -sf ../systemd-networkd.service $MULTI/systemd-networkd.service
|
||||
ln -sf ../systemd-resolved.service $MULTI/systemd-resolved.service
|
||||
|
||||
# initramfs have to mount iso9660 partition
|
||||
# install bootload
|
||||
SYSDISK="/dev/vda2"
|
||||
MACHINEID=`cat /etc/machine-id`
|
||||
KERNELVERSION=`ls /lib/modules`
|
||||
DISK=`lsblk -n $SYSDISK -o uuid`
|
||||
mkdir /boot/$MACHINEID
|
||||
# btrfs : echo "root=UUID=$DISK ro rootflags=subvol=root" > /etc/kernel/cmdline
|
||||
echo "root=UUID=$DISK ro" > /etc/kernel/cmdline
|
||||
# add CDROM driver
|
||||
echo 'add_drivers+=" iso9660 "' > /etc/dracut.conf.d/cdrom.conf
|
||||
kernel-install add $KERNELVERSION /lib/modules/$KERNELVERSION/vmlinuz
|
||||
mv /boot/$MACHINEID/$KERNELVERSION /boot/efi
|
||||
# // ADD MOUNT INSTRUCTION IN INITRAMFS
|
||||
# build second initrd file that mount cdrom to /usr
|
||||
#echo 'add_fstab+=/tmp/fstab' >> /etc/dracut.conf.d/cdrom.conf
|
||||
#echo "/dev/sr0 /sysroot/usr/local/lib iso9660 ro,relatime,x-systemd.after=sysroot.mount,x-systemd.before=systemd-volatile-root.service 0 0" > /tmp/fstab
|
||||
#echo "/dev/sr0 /sysroot/usr/local/lib iso9660 ro,x-initrd.mount,nosuid,noexec,uid=0,gid=0,mode=400 0 0" > /tmp/fstab
|
||||
echo "[Unit]
|
||||
DefaultDependencies=no
|
||||
After=sysroot.mount
|
||||
Before=initrd-udevadm-cleanup-db.service
|
||||
#Before=systemd-volatile-root.service
|
||||
After=blockdev@dev-sr0.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=mount /dev/sr0 /sysroot/usr/local/lib -t iso9660 -o defaults,ro,nosuid,noexec,uid=0,gid=0,mode=400
|
||||
" > /usr/lib/systemd/system/sysroot-usr-local-lib.service
|
||||
|
||||
# // VERSION .mount
|
||||
#[Mount]
|
||||
#Where=/sysroot/usr/local/lib
|
||||
#What=/dev/sr0
|
||||
#Type=iso9660
|
||||
#Options=defaults,ro,nosuid,noexec,uid=0,gid=0,mode=400" > /usr/lib/systemd/system/sysroot-usr-local-lib.mount
|
||||
mkdir -p /usr/lib/systemd/system/initrd-root-fs.target.requires
|
||||
cd /usr/lib/systemd/system/initrd-root-fs.target.requires
|
||||
#ln -sf ../sysroot-usr-local-lib.mount .
|
||||
ln -sf ../sysroot-usr-local-lib.service .
|
||||
#echo 'install_items+=" /usr/lib/systemd/system/sysroot-usr-local-lib.mount /usr/lib/systemd/system/initrd-root-fs.target.requires/sysroot-usr-local-lib.mount "' >> /etc/dracut.conf.d/cdrom.conf
|
||||
echo 'install_items+=" /usr/lib/systemd/system/sysroot-usr-local-lib.service /usr/lib/systemd/system/initrd-root-fs.target.requires/sysroot-usr-local-lib.service "' >> /etc/dracut.conf.d/cdrom.conf
|
||||
kernel-install add $KERNELVERSION /lib/modules/$KERNELVERSION/vmlinuz
|
||||
mv /boot/$MACHINEID/$KERNELVERSION/initrd /boot/efi/$KERNELVERSION/initrd.cdrom
|
||||
rm -f /etc/dracut.conf.d/cdrom.conf
|
||||
// END INITRAMFS
|
||||
# rename entry file without machine ID
|
||||
mv /boot/loader/entries/$MACHINEID-$KERNELVERSION.conf /boot/loader/entries/fedora.conf
|
||||
sed -i "/^machine-id /d" /boot/loader/entries/fedora.conf
|
||||
sed -i "s@/boot/$MACHINEID/$KERNELVERSION/@/$KERNELVERSION/@g" /boot/loader/entries/fedora.conf
|
||||
# move it in EFI directory for systemd-boot
|
||||
mv /boot/loader /boot/efi
|
||||
# remove unused file
|
||||
rm -rf /lib/modules/$KERNELVERSION/vmlinuz /boot/initramfs* /boot/$MACHINEID
|
||||
# install systemd-boot
|
||||
bootctl install
|
||||
|
||||
# remove authselect and dracut
|
||||
microdnf -y remove dracut xz acl authselect authselect-compat authselect-libs chrony cpio libkcapi-hmaccalc libkcapi linux-firmware linux-firmware-whence
|
||||
# remove python3
|
||||
microdnf -y remove python3 python3-libs python-pip-wheel python-setuptools-wheel gdbm-libs
|
||||
# remove langpacks fr
|
||||
microdnf -y remove langpacks-fr langpacks-core-fr langpacks-core-font-fr dejavu-sans-fonts fonts-filesystem
|
||||
rm -f /var/lib/systemd/random-seed
|
||||
rm -rfv /var/lib/authselect
|
||||
%end
|
13
seed/applicationservice/2022.03.08/base-fedora/packer/os/preprocessors
Executable file
13
seed/applicationservice/2022.03.08/base-fedora/packer/os/preprocessors
Executable file
|
@ -0,0 +1,13 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -xe
|
||||
|
||||
echo "Preprocessors"
|
||||
|
||||
if [ ! -z $https_proxy ]; then
|
||||
sed -i "s@%%EXTRA_URL%%@ --proxy=$https_proxy@g" http/ks-34.cfg
|
||||
else
|
||||
sed -i "s@%%EXTRA_URL%%@@g" http/ks-34.cfg
|
||||
fi
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,71 @@
|
|||
{
|
||||
"builders": [
|
||||
{
|
||||
"format": "qcow2",
|
||||
"headless": true,
|
||||
"output_directory": "{{user `tmp_directory`}}/output",
|
||||
"shutdown_command": "echo packer | sudo -S shutdown -P now",
|
||||
"ssh_password": "qemubuild",
|
||||
"ssh_username": "qemubuild",
|
||||
"ssh_wait_timeout": "120m",
|
||||
"type": "qemu",
|
||||
"disk_interface": "virtio",
|
||||
"vm_name": "image.img",
|
||||
"qemuargs": [
|
||||
["-drive", "file=output/image.img,if=virtio,cache=writeback,discard=ignore,format=qcow2"],
|
||||
["-drive", "if=pflash,format=raw,readonly=on,file=/usr/share/OVMF/OVMF_CODE.fd"]
|
||||
],
|
||||
"memory": "2048",
|
||||
"vnc_bind_address": "0.0.0.0",
|
||||
"boot_command": [
|
||||
"<up>e<down><down><end> inst.text inst.gpt inst.ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/ks-34.cfg <leftCtrlOn>x<leftCtrlOff> <wait>"
|
||||
],
|
||||
"disk_size": "4096",
|
||||
"iso_checksum_type": "sha256",
|
||||
"iso_checksum": "e1a38b9faa62f793ad4561b308c31f32876cfaaee94457a7a9108aaddaeec406",
|
||||
"iso_url": "https://download.fedoraproject.org/pub/fedora/linux/releases/34/Server/x86_64/iso/Fedora-Server-netinst-x86_64-34-1.2.iso",
|
||||
"http_directory": "{{user `tmp_directory`}}/http"
|
||||
}
|
||||
],
|
||||
"provisioners": [
|
||||
{
|
||||
"type": "file",
|
||||
"source": "{{user `tmp_directory`}}/bin",
|
||||
"destination": "/tmp/bin"
|
||||
},
|
||||
{
|
||||
"type": "shell",
|
||||
"inline": [
|
||||
"sudo mv /tmp/bin/* /usr/local/bin",
|
||||
"sudo chown root: /usr/local/bin/*",
|
||||
"sudo chmod +x /usr/local/bin/*"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "file",
|
||||
"source": "{{user `tmp_directory`}}/scripts",
|
||||
"destination": "/tmp/scripts"
|
||||
},
|
||||
{
|
||||
"type": "shell",
|
||||
"inline": [
|
||||
"sudo chown root: /tmp/scripts/*",
|
||||
"sudo chmod +x /tmp/scripts/*",
|
||||
"sudo risotto-run-parts /tmp/scripts/"
|
||||
]
|
||||
}
|
||||
],
|
||||
"post-processors": [
|
||||
{
|
||||
"type": "shell-local",
|
||||
"inline": [
|
||||
"sleep 5",
|
||||
"mkdir -p {{user `tmp_directory`}}/tmp",
|
||||
"LIBGUESTFS_BACKEND=direct virt-sysprep -a {{user `tmp_directory`}}/output/image.img",
|
||||
"LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ --compress {{user `tmp_directory`}}/output/image.img {{user `tmp_directory`}}/image.img",
|
||||
"sha256sum {{user `tmp_directory`}}/image.img > {{user `tmp_directory`}}/image.sha256",
|
||||
"rm -rf {{user `tmp_directory`}}/tmp {{user `tmp_directory`}}/output"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
set -xe
|
||||
|
||||
echo VACUUM |sqlite3 /var/lib/rpm/rpmdb.sqlite
|
||||
|
||||
exit 0
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -xe
|
||||
|
||||
find /usr/share/locale/ -mindepth 1 -maxdepth 1 ! -name fr ! -name fr_FR -exec rm -rf '{}' \;
|
||||
find /usr/lib/locale/ -mindepth 1 -maxdepth 1 ! -name fr_FR.utf8 ! -name C.utf8 -exec rm -rf '{}' \;
|
||||
find /usr/share/terminfo -mindepth 1 -maxdepth 1 ! -name l ! -name d ! -name s -exec rm -rf '{}' \;
|
||||
find /usr/share/terminfo/s/screen -type f ! -name screen-256color -delete
|
||||
find /usr/lib/kbd/keymaps/xkb/ -type f ! -name fr-oss.map.gz -delete
|
||||
find /usr/lib/kbd/consolefonts/ -type f ! -name eurlatgr.psfu.gz -delete
|
||||
rm -rf /usr/lib/kbd/consoletrans
|
||||
rm -rf /usr/lib/kbd/unimaps
|
||||
rm -rf /usr/lib/kernel
|
||||
rm -rf /usr/lib/systemd/boot
|
||||
rm -rf /usr/share/bash-completion
|
||||
rm -rf /usr/share/pkgconfig
|
||||
rm -rf /usr/share/licenses/
|
||||
rm -rf /usr/lib/debug
|
||||
exit 0
|
|
@ -0,0 +1,2 @@
|
|||
d /var/log/audit 755 root root - -
|
||||
d /var/log/journal 755 root systemd-journal - -
|
|
@ -0,0 +1,11 @@
|
|||
[Unit]
|
||||
Description=Update CA trust
|
||||
Before=network-pre.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/update-ca-trust
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
format: '0.1'
|
||||
description: Information de base d'un serveur
|
|
@ -0,0 +1,79 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<family name='general' description="Général">
|
||||
<variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" hidden="True"/>
|
||||
<variable name="number_of_interfaces" type="number" description="Nombre d'interface disponible" hidden="True"/>
|
||||
<variable name="interfaces_list" type="number" multi="True" description="Liste de toutes les interfaces" hidden="True"/>
|
||||
<variable name="server_deployed" type="boolean" description="Le serveur est déployé" hidden="True">
|
||||
<value>False</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="dns" description="DNS">
|
||||
<variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur SMTP"/>
|
||||
<variable name="ip_dns" type="ip" description="The DNS server" hidden="True"/>
|
||||
</family>
|
||||
<family name="interface_" description="Interface " dynamic="interfaces_list">
|
||||
<variable name="zone_name_eth" type="string" description="Zone name for interface " hidden="True"/>
|
||||
<variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" provider="ip"/>
|
||||
<variable name="network_eth" type="network_cidr" description="The zone network for interface " hidden="True"/>
|
||||
<variable name="gateway_eth" type="ip" description="The zone gateway for interface "/>
|
||||
<variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True"/>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="set_linked">
|
||||
<param name="linked_server" type="variable">dns_client_address</param>
|
||||
<param name="linked_provider">dns</param>
|
||||
<param name="linked_value" type="variable">ip_eth0</param>
|
||||
<param name="linked_returns">ip</param>
|
||||
<target>ip_dns</target>
|
||||
</fill>
|
||||
<fill name="get_number_of_interfaces">
|
||||
<param type="information">zones_name</param>
|
||||
<target>number_of_interfaces</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param type="information">zones_name</param>
|
||||
<target>zones_list</target>
|
||||
</fill>
|
||||
<fill name="get_range">
|
||||
<param type="variable">number_of_interfaces</param>
|
||||
<target>interfaces_list</target>
|
||||
</fill>
|
||||
<fill name="get_ip">
|
||||
<param name="server_name" type="information">server_name</param>
|
||||
<param name="zones_name" type="information">zones_name</param>
|
||||
<param name="index" type="suffix"/>
|
||||
<target>ip_eth</target>
|
||||
</fill>
|
||||
<!-- Return "server_name" only for domain_name_eth0 -->
|
||||
<fill name="get_domain_name">
|
||||
<param type="information">server_name</param>
|
||||
<param type="information">extra_domainnames</param>
|
||||
<param type="suffix"/>
|
||||
<target>domain_name_eth</target>
|
||||
</fill>
|
||||
<fill name="get_zone_name">
|
||||
<param type="information">zones_name</param>
|
||||
<param name="index" type="suffix"/>
|
||||
<target>zone_name_eth</target>
|
||||
</fill>
|
||||
<fill name="zone_information">
|
||||
<param type="variable">zone_name_eth</param>
|
||||
<param>network</param>
|
||||
<target>network_eth</target>
|
||||
</fill>
|
||||
<fill name="zone_information">
|
||||
<param type="variable">zone_name_eth</param>
|
||||
<param>gateway</param>
|
||||
<param name="index" type="suffix"/>
|
||||
<target>gateway_eth</target>
|
||||
</fill>
|
||||
<check name="valid_entier">
|
||||
<param name="mini" type="number">1</param>
|
||||
<target>number_of_interfaces</target>
|
||||
</check>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<variable name='name' description="Machine name" type="domainname" hidden="True"/>
|
||||
<variable name='data_disk_size' description="Data disk size" type="number"/>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">domain_name_eth0</param>
|
||||
<target>machine.name</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
95
seed/applicationservice/2022.03.08/base/funcs/funcs.py
Normal file
95
seed/applicationservice/2022.03.08/base/funcs/funcs.py
Normal file
|
@ -0,0 +1,95 @@
|
|||
import __main__
|
||||
from secrets import token_urlsafe as _token_urlsafe, token_hex as _token_hex
|
||||
from string import ascii_letters as _ascii_letters
|
||||
from random import choice as _choice
|
||||
from os.path import dirname as _dirname, abspath as _abspath, join as _join, isfile as _isfile, isdir as _isdir
|
||||
from os import makedirs as _makedirs
|
||||
|
||||
|
||||
HERE = _dirname(_abspath(__main__.__file__))
|
||||
PASSWORD_DIR = _join(HERE, 'password')
|
||||
|
||||
|
||||
def get_password(server_name: str,
|
||||
username: str,
|
||||
description: str,
|
||||
type: str,
|
||||
length: int=20,
|
||||
temporary: bool=True,
|
||||
) -> str:
|
||||
if type != 'cleartext':
|
||||
raise Exception('only cleartext is supported')
|
||||
def gen_password():
|
||||
return _token_urlsafe(length)[:length]
|
||||
return _set_password(server_name,
|
||||
username,
|
||||
description,
|
||||
gen_password,
|
||||
temporary,
|
||||
)
|
||||
|
||||
|
||||
def get_password_alpha_num(server_name,
|
||||
username: str,
|
||||
description: str,
|
||||
length,
|
||||
starts_with_char=False,
|
||||
):
|
||||
def gen_password():
|
||||
password = _token_hex()
|
||||
if starts_with_char:
|
||||
password = _choice(_ascii_letters) + password
|
||||
return password[:length]
|
||||
return _set_password(server_name,
|
||||
username,
|
||||
description,
|
||||
gen_password,
|
||||
True,
|
||||
)
|
||||
|
||||
|
||||
def _set_password(server_name: str,
|
||||
username: str,
|
||||
description: str,
|
||||
gen_password,
|
||||
temporary,
|
||||
) -> str:
|
||||
if not server_name or not username:
|
||||
return
|
||||
dir_name = _join('password', server_name, description)
|
||||
if not _isdir(dir_name):
|
||||
_makedirs(dir_name)
|
||||
file_name = _join(dir_name, username)
|
||||
if not _isfile(file_name):
|
||||
password = gen_password()
|
||||
with open(file_name, 'w') as fh:
|
||||
fh.write(password)
|
||||
with open(file_name, 'r') as fh:
|
||||
return fh.read().strip()
|
||||
|
||||
|
||||
def get_range(stop):
|
||||
return list(range(stop))
|
||||
|
||||
|
||||
def get_number_of_interfaces(zones):
|
||||
if zones is None:
|
||||
return 1
|
||||
return len(zones)
|
||||
|
||||
|
||||
def get_zone_name(zones: list,
|
||||
index: str,
|
||||
):
|
||||
if zones is not None:
|
||||
return zones[int(index)]
|
||||
|
||||
|
||||
def get_domain_name(server_name: str,
|
||||
extra_domainnames: list,
|
||||
suffix: str,
|
||||
) -> str:
|
||||
index = int(suffix)
|
||||
if index == 0:
|
||||
return server_name
|
||||
return extra_domainnames[index - 1]
|
|
@ -0,0 +1,11 @@
|
|||
# root dir configuration
|
||||
RISOTTO_DIR="/var/lib/risotto"
|
||||
RISOTTO_IMAGE_DIR="$RISOTTO_DIR/images"
|
||||
RISOTTO_SRV_DIR="$RISOTTO_DIR/srv"
|
||||
RISOTTO_CONFIG_DIR="$RISOTTO_DIR/configurations"
|
||||
MACHINES_DIR="/var/lib/machines"
|
||||
# image configuration
|
||||
IMAGE_BASE_RISOTTO_BASE_DIR="$RISOTTO_IMAGE_DIR/image_bases"
|
||||
IMAGE_NAME_RISOTTO_IMAGE_DIR="$RISOTTO_IMAGE_DIR/$IMAGE_NAME"
|
||||
IMAGE_NAME_RISOTTO_IMAGE_NAME="$RISOTTO_IMAGE_DIR/$IMAGE_NAME".tar
|
||||
IMAGE_NAME_MACHINE_LOCK="$MACHINES_DIR/.#$IMAGE_NAME.lck"
|
|
@ -0,0 +1,14 @@
|
|||
# machine configuration
|
||||
MACHINE_RISOTTO_SRV_DIR_LOCAL="srv/$MACHINE"
|
||||
MACHINE_RISOTTO_SRV_DIR="$RISOTTO_SRV_DIR/$MACHINE"
|
||||
MACHINE_RISOTTO_CONFIG_DIR_LOCAL="$IMAGE_NAME/configurations/$MACHINE"
|
||||
MACHINE_RISOTTO_CONFIG_DIR="$RISOTTO_CONFIG_DIR/$MACHINE"
|
||||
MACHINE_MACHINES_DIR="$MACHINES_DIR/$MACHINE"
|
||||
HOST_DIR="host/configurations/$HOST_NAME"
|
||||
MACHINE_NAME_NSPAWN="/etc/systemd/nspawn/$MACHINE.nspawn"
|
||||
MACHINE_NAME_NSPAWN_LOCAL="$HOST_DIR$MACHINE_NAME_NSPAWN"
|
||||
MACHINE_NAME_SCRIPT="/usr/local/lib/sbin/network-$MACHINE"
|
||||
MACHINE_NAME_SCRIPT_LOCAL="$HOST_DIR$MACHINE_NAME_SCRIPT"
|
||||
#MACHINE_MACHINE_LOCK="$MACHINES_DIR/.#$MACHINE.lck"
|
||||
SHA_MACHINE_DIR="$RISOTTO_CONFIG_DIR/sha"
|
||||
SHA_MACHINE="$SHA_MACHINE_DIR/$MACHINE".sha
|
53
seed/applicationservice/2022.03.08/base/manual/install/diff.py
Executable file
53
seed/applicationservice/2022.03.08/base/manual/install/diff.py
Executable file
|
@ -0,0 +1,53 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
|
||||
from os.path import join
|
||||
from filecmp import dircmp
|
||||
from difflib import unified_diff
|
||||
from sys import stdout, argv
|
||||
from datetime import datetime, timezone
|
||||
|
||||
|
||||
os_name = argv[1]
|
||||
OLD_DIR = argv[2]
|
||||
NEW_DIR = argv[3]
|
||||
FILES = []
|
||||
def diff_files(dcmp):
|
||||
for name in dcmp.diff_files:
|
||||
FILES.append(join(dcmp.right[len(NEW_DIR):], name))
|
||||
for sub_dcmp in dcmp.subdirs.values():
|
||||
diff_files(sub_dcmp)
|
||||
|
||||
|
||||
dcmp = dircmp(OLD_DIR, NEW_DIR)
|
||||
diff_files(dcmp)
|
||||
|
||||
date = datetime.now(timezone.utc).isoformat()
|
||||
title = f"Nouvelle version de la configuration de {os_name}"
|
||||
subtitle = f"Différence entre les fichiers de configuration de {os_name}"
|
||||
print(f"""+++
|
||||
title = "{title}"
|
||||
description = "{subtitle}"
|
||||
date = {date}
|
||||
updated = {date}
|
||||
draft = false
|
||||
template = "blog/page.html"
|
||||
|
||||
[taxonomies]
|
||||
authors = ["Automate"]
|
||||
|
||||
[extra]
|
||||
lead = "{subtitle}."
|
||||
type = "installe"
|
||||
+++
|
||||
""")
|
||||
for filename in FILES:
|
||||
with open(join(OLD_DIR, filename[1:]), 'r') as ori:
|
||||
ori_content = ori.readlines()
|
||||
with open(join(NEW_DIR, filename[1:]), 'r') as new:
|
||||
new_content = new.readlines()
|
||||
print(f'- mise à jour du fichier {filename} :\n')
|
||||
print('```diff')
|
||||
for line in unified_diff(ori_content, new_content, fromfile=filename, tofile=filename):
|
||||
print(line.rstrip())
|
||||
print('```')
|
27
seed/applicationservice/2022.03.08/base/manual/install/install_host
Executable file
27
seed/applicationservice/2022.03.08/base/manual/install/install_host
Executable file
|
@ -0,0 +1,27 @@
|
|||
#!/bin/bash -xe
|
||||
|
||||
HOST_NAME=$1
|
||||
if [ -z "$HOST_NAME" ]; then
|
||||
echo "usage: $0 host name"
|
||||
exit 1
|
||||
fi
|
||||
apt install --yes systemd-container dnf jq debootstrap htop
|
||||
systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0asystemd-nspawn.conf
|
||||
systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0rougail.conf
|
||||
systemctl daemon-reload
|
||||
systemctl restart systemd-sysctl.service
|
||||
systemctl enable systemd-networkd
|
||||
systemctl restart systemd-networkd
|
||||
systemctl enable systemd-resolved
|
||||
systemctl restart systemd-resolved
|
||||
# systemctl mask dev-hugepages.mount
|
||||
|
||||
#nft add table nat
|
||||
#nft flush table nat;
|
||||
#nft 'add chain nat prerouting { type nat hook prerouting priority -100; }'
|
||||
#nft 'add rule nat prerouting iif enp0s3 tcp dport { 80, 443 } dnat to 192.168.45.12'
|
||||
#nft 'add chain nat postrouting { type nat hook postrouting priority -100; }'
|
||||
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
|
||||
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
|
||||
|
||||
exit 0
|
161
seed/applicationservice/2022.03.08/base/manual/install/install_image
Executable file
161
seed/applicationservice/2022.03.08/base/manual/install/install_image
Executable file
|
@ -0,0 +1,161 @@
|
|||
#!/bin/bash -xe
|
||||
|
||||
HOST_NAME=$1
|
||||
IMAGE_NAME=$2
|
||||
|
||||
if [ -z "$IMAGE_NAME" ]; then
|
||||
echo "PAS DE NOM DE MODULE"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
. config.sh
|
||||
|
||||
rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" tmp
|
||||
mkdir -p "$RISOTTO_IMAGE_DIR"
|
||||
PKG=""
|
||||
BASE_DIR=""
|
||||
for script in $(ls $IMAGE_NAME/preinstall/*.sh 2> /dev/null); do
|
||||
. "$script"
|
||||
done
|
||||
|
||||
if [ -z "$OS_NAME" ]; then
|
||||
echo "NO OS NAME DEFINED"
|
||||
exit 0
|
||||
fi
|
||||
if [ -z "$RELEASEVER" ]; then
|
||||
echo "NO RELEASEVER DEFINED"
|
||||
exit 0
|
||||
fi
|
||||
if [ -z "$INSTALL_TOOL" ]; then
|
||||
echo "NO INSTALL TOOL DEFINED"
|
||||
exit 0
|
||||
fi
|
||||
BASE_NAME="$OS_NAME-$RELEASEVER"
|
||||
BASE_DIR="$IMAGE_BASE_RISOTTO_BASE_DIR/$BASE_NAME"
|
||||
BASE_TAR="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME".tar
|
||||
BASE_PKGS_FILE="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.pkgs"
|
||||
BASE_LOCK="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.build"
|
||||
|
||||
function dnf_opt() {
|
||||
INSTALL_DIR=$1
|
||||
INSTALL_PKG=$2
|
||||
echo "--setopt=install_weak_deps=False --nodocs --noplugins --installroot=$INSTALL_DIR --releasever $RELEASEVER install $INSTALL_PKG"
|
||||
}
|
||||
function new_package_base() {
|
||||
if [ "$INSTALL_TOOL" = "dnf" ]; then
|
||||
OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
|
||||
dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
|
||||
else
|
||||
debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR"
|
||||
chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
|
||||
fi
|
||||
}
|
||||
function install_base() {
|
||||
if [ "$INSTALL_TOOL" = "dnf" ]; then
|
||||
OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
|
||||
dnf --assumeyes $OPT
|
||||
fi
|
||||
}
|
||||
function new_package() {
|
||||
if [ "$INSTALL_TOOL" = "dnf" ]; then
|
||||
OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
|
||||
dnf --assumeno $OPT | grep ^" " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
|
||||
else
|
||||
chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG -s 2>/dev/null|grep ^"Inst " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
|
||||
fi
|
||||
}
|
||||
function install_pkg() {
|
||||
if [ "$INSTALL_TOOL" = "dnf" ]; then
|
||||
OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
|
||||
dnf --assumeyes $OPT
|
||||
else
|
||||
chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
if [ ! -f "$BASE_LOCK" ]; then
|
||||
rm -rf "$BASE_DIR"
|
||||
new_package_base
|
||||
diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
|
||||
if [ ! -f "$BASE_TAR" ] || [ "$NEW_BASE" = true ]; then
|
||||
mkdir -p "$IMAGE_BASE_RISOTTO_BASE_DIR"
|
||||
install_base
|
||||
cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
|
||||
tar cf "$BASE_TAR" "$BASE_NAME"
|
||||
cd -
|
||||
if [ -f "$BASE_PKGS_FILE" ]; then
|
||||
mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
|
||||
fi
|
||||
mv "$BASE_PKGS_FILE".new "$BASE_PKGS_FILE"
|
||||
rm -rf "$IMAGE_BASE_RISOTTO_BASE_DIR"
|
||||
fi
|
||||
rm -rf "$BASE_DIR"
|
||||
touch "$BASE_LOCK"
|
||||
fi
|
||||
|
||||
tar xf "$BASE_TAR"
|
||||
mv "$BASE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
|
||||
if [ -n "$COPR" ]; then
|
||||
#FIXME signature...
|
||||
mkdir -p "$REPO_DIR"
|
||||
cd "$REPO_DIR"
|
||||
wget "$COPR"
|
||||
cd -
|
||||
fi
|
||||
|
||||
# FIXME verifier s'il y a des modifs sur pre/post
|
||||
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
|
||||
echo "Différence(s) avec les paquets de base"
|
||||
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && NEW_BASE=false || NEW_BASE=true
|
||||
else
|
||||
NEW_BASE=true
|
||||
fi
|
||||
new_package
|
||||
if [ "$NEW_BASE" = false ]; then
|
||||
echo "Différence(s) avec les paquets de l'image"
|
||||
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
|
||||
else
|
||||
INSTALL=true
|
||||
fi
|
||||
if [ "$INSTALL" = true ]; then
|
||||
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
|
||||
VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
|
||||
else
|
||||
VERSION=0
|
||||
fi
|
||||
mkdir tmp
|
||||
cd tmp
|
||||
if [ ! "$VERSION" = 0 ]; then
|
||||
tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
|
||||
fi
|
||||
../make_changelog "$IMAGE_NAME" "$VERSION" "$OS_NAME" "$RELEASEVER" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER"_"$VERSION"_changelog.md
|
||||
cd -
|
||||
rm -rf tmp
|
||||
install_pkg
|
||||
sleep 2
|
||||
|
||||
for script in $(ls $IMAGE_NAME/postinstall/*.sh 2> /dev/null); do
|
||||
. "$script"
|
||||
done
|
||||
|
||||
CONTAINER=$IMAGE_NAME ./make_volatile /etc
|
||||
if [ ! "$?" = 0 ]; then
|
||||
echo "make_volatile failed"
|
||||
exit 1
|
||||
fi
|
||||
cd "$RISOTTO_IMAGE_DIR"
|
||||
#7zr a "$IMAGE_NAME".7z "$IMAGE_NAME"
|
||||
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" ]; then
|
||||
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_NAME".old
|
||||
fi
|
||||
tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
|
||||
sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
|
||||
cd -
|
||||
cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
|
||||
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
|
||||
VERSION=$((VERSION + 1))
|
||||
echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
|
||||
fi
|
||||
rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
|
||||
exit 0
|
15
seed/applicationservice/2022.03.08/base/manual/install/install_images
Executable file
15
seed/applicationservice/2022.03.08/base/manual/install/install_images
Executable file
|
@ -0,0 +1,15 @@
|
|||
#!/bin/bash -xe
|
||||
HOST_NAME=$1
|
||||
if [ -z "$HOST_NAME" ]; then
|
||||
echo "usage: $0 host name"
|
||||
exit 1
|
||||
fi
|
||||
. config.sh
|
||||
rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
|
||||
for image in *; do
|
||||
if [ -d "$image" ]; then
|
||||
./install_image "$HOST_NAME" "$image"
|
||||
fi
|
||||
done
|
||||
rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
|
||||
exit 0
|
51
seed/applicationservice/2022.03.08/base/manual/install/install_machine
Executable file
51
seed/applicationservice/2022.03.08/base/manual/install/install_machine
Executable file
|
@ -0,0 +1,51 @@
|
|||
#!/bin/bash -xe
|
||||
HOST_NAME=$1
|
||||
IMAGE_NAME=$2
|
||||
MACHINE=$3
|
||||
. config.sh
|
||||
. config_machine.sh
|
||||
if [ -z "$MACHINE" ]; then
|
||||
echo "usage: $0 name pkg dns_name"
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -f "$MACHINE_NAME_NSPAWN_LOCAL" ]; then
|
||||
echo "PAS DE CONFIG NSPAWN $MACHINE_NAME_NSPAWN_LOCAL"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ ! -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" ]; then
|
||||
echo "PAS D'IMAGE $IMAGE_NAME_RISOTTO_IMAGE_NAME"
|
||||
exit 1
|
||||
fi
|
||||
if [ -L "$MACHINE_MACHINES_DIR" ] || [ -d "$MACHINE_MACHINES_DIR" ]; then
|
||||
machinectl stop "$MACHINE" 2> /dev/null || true
|
||||
while true; do
|
||||
machinectl status "$MACHINE" > /dev/null 2>&1 || break
|
||||
sleep 1
|
||||
echo "retry..."
|
||||
done
|
||||
diff -q "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE" || rm -rf "$MACHINE_MACHINES_DIR"
|
||||
fi
|
||||
if [ -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
|
||||
# fait un diff
|
||||
diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || ( ./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md; rm -rf "$MACHINE_RISOTTO_CONFIG_DIR" )
|
||||
fi
|
||||
|
||||
cp -a "$MACHINE_NAME_NSPAWN_LOCAL" "$MACHINE_NAME_NSPAWN"
|
||||
cp -a "$MACHINE_NAME_SCRIPT_LOCAL" "$MACHINE_NAME_SCRIPT"
|
||||
if [ ! -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
|
||||
cp -a "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" "$MACHINE_RISOTTO_CONFIG_DIR"
|
||||
fi
|
||||
if [ ! -d "$MACHINE_RISOTTO_SRV_DIR" ] && [ -d "$MACHINE_RISOTTO_SRV_DIR_LOCAL" ]; then
|
||||
mkdir -p "$MACHINE_RISOTTO_SRV_DIR"
|
||||
fi
|
||||
if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
|
||||
cd "$MACHINES_DIR"
|
||||
tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
|
||||
mkdir -p "$SHA_MACHINE_DIR"
|
||||
cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
|
||||
mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
|
||||
cd -
|
||||
fi
|
||||
|
||||
exit 0
|
25
seed/applicationservice/2022.03.08/base/manual/install/install_machines
Executable file
25
seed/applicationservice/2022.03.08/base/manual/install/install_machines
Executable file
|
@ -0,0 +1,25 @@
|
|||
#!/bin/bash -xe
|
||||
HOST_NAME=$1
|
||||
if [ -z "$HOST_NAME" ]; then
|
||||
echo "usage: $0 host name"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
MACHINES=""
|
||||
for image in *; do
|
||||
if [ -d "$image" ]; then
|
||||
for os in $image/configurations/*; do
|
||||
if [ -d "$os" ]; then
|
||||
osname="$(basename $os)"
|
||||
if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
|
||||
MACHINES="$MACHINES$osname "
|
||||
fi
|
||||
./install_machine "$HOST_NAME" "$image" "$osname"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
done
|
||||
machinectl enable $MACHINES
|
||||
machinectl start $MACHINES
|
||||
|
||||
exit 0
|
178
seed/applicationservice/2022.03.08/base/manual/install/make_changelog
Executable file
178
seed/applicationservice/2022.03.08/base/manual/install/make_changelog
Executable file
|
@ -0,0 +1,178 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
|
||||
import logging
|
||||
from dnf.conf import Conf
|
||||
from dnf.cli.cli import BaseCli, Cli
|
||||
from dnf.cli.output import Output
|
||||
from dnf.cli.option_parser import OptionParser
|
||||
from dnf.i18n import _, ucd
|
||||
from datetime import datetime, timezone
|
||||
from sys import argv
|
||||
from os import getcwd, unlink
|
||||
from os.path import isfile, join
|
||||
from glob import glob
|
||||
from subprocess import run
|
||||
|
||||
|
||||
# List new or removed file
|
||||
def read_dnf_pkg_file(os_name, filename1, filename2):
|
||||
if os_name == 'debian':
|
||||
idx_pkg = 0, 1
|
||||
idx_version = 1, 2
|
||||
header_idx = 0, 0
|
||||
else:
|
||||
idx_pkg = 0, 0
|
||||
idx_version = 2, 2
|
||||
header_idx = 2, 2
|
||||
pass
|
||||
pkgs = {}
|
||||
for fidx, filename in enumerate((filename1, filename2)):
|
||||
if not isfile(filename):
|
||||
continue
|
||||
with open(filename, 'r') as pkgs_fh:
|
||||
for idx, pkg_line in enumerate(pkgs_fh.readlines()):
|
||||
if idx < header_idx[fidx]:
|
||||
# header
|
||||
print("béééé")
|
||||
continue
|
||||
sp_line = pkg_line.strip().split()
|
||||
if len(sp_line) < idx_version[fidx] + 1:
|
||||
continue
|
||||
if sp_line[idx_pkg[fidx]] in pkgs:
|
||||
raise Exception(f'package already set {sp_line[0]}?')
|
||||
version = sp_line[idx_version[fidx]]
|
||||
if os_name == 'debian' and version.startswith('('):
|
||||
version = version[1:]
|
||||
pkgs[sp_line[idx_pkg[fidx]]] = version
|
||||
return pkgs
|
||||
|
||||
|
||||
def list_packages(title, packages, packages_info):
|
||||
print(f'# {title}\n')
|
||||
if not packages:
|
||||
print('*Aucun*')
|
||||
packages = list(packages)
|
||||
packages = sorted(packages)
|
||||
for idx, pkg in enumerate(packages):
|
||||
print(f' - {pkg} ({packages_info[pkg]})')
|
||||
print()
|
||||
|
||||
|
||||
# List updated packages
|
||||
class CustomOutput(Output):
|
||||
def listPkgs(self, *args, **kwargs):
|
||||
# do not display list
|
||||
pass
|
||||
|
||||
|
||||
def format_changelog_markdown(changelog):
|
||||
"""Return changelog formatted as in spec file"""
|
||||
text = '\n'.join([f' {line}' for line in changelog['text'].split('\n')])
|
||||
chlog_str = ' - %s %s\n\n%s\n' % (
|
||||
changelog['timestamp'].strftime("%a %b %d %X %Y"),
|
||||
ucd(changelog['author']),
|
||||
ucd(text))
|
||||
return chlog_str
|
||||
|
||||
|
||||
def print_changelogs_markdown(packages):
|
||||
# group packages by src.rpm to avoid showing duplicate changelogs
|
||||
self = BASE
|
||||
bysrpm = dict()
|
||||
for p in packages:
|
||||
# there are packages without source_name, use name then.
|
||||
bysrpm.setdefault(p.source_name or p.name, []).append(p)
|
||||
for source_name in sorted(bysrpm.keys()):
|
||||
bin_packages = bysrpm[source_name]
|
||||
print('- ' + _("Changelogs for {}").format(', '.join([str(pkg) for pkg in bin_packages])))
|
||||
print()
|
||||
for chl in self.latest_changelogs(bin_packages[0]):
|
||||
print(format_changelog_markdown(chl))
|
||||
|
||||
|
||||
def dnf_update(image_name):
|
||||
conf = Conf()
|
||||
# obsoletes are already listed
|
||||
conf.obsoletes = False
|
||||
with BaseCli(conf) as base:
|
||||
global BASE
|
||||
BASE = base
|
||||
base.print_changelogs = print_changelogs_markdown
|
||||
custom_output = CustomOutput(base.output.base, base.output.conf)
|
||||
base.output = custom_output
|
||||
cli = Cli(base)
|
||||
image_dir = join(getcwd(), image_name)
|
||||
cli.configure(['--setopt=install_weak_deps=False', '--nodocs', '--noplugins', '--installroot=' + image_dir, '--releasever', '35', 'check-update', '--changelog'], OptionParser())
|
||||
logger = logging.getLogger("dnf")
|
||||
for h in logger.handlers:
|
||||
logger.removeHandler(h)
|
||||
logger.addHandler(logging.NullHandler())
|
||||
cli.run()
|
||||
|
||||
|
||||
def main(os_name, image_name, old_version, releasever):
|
||||
date = datetime.now(timezone.utc).isoformat()
|
||||
if old_version == 0:
|
||||
title = f"Création de l'image {image_name}"
|
||||
subtitle = f"Les paquets de la première image {image_name} sur base Fedora {releasever}"
|
||||
else:
|
||||
title = f"Nouvelle version de l'image {image_name}"
|
||||
subtitle = f"Différence des paquets de l'image {image_name} sur base Fedora {releasever} entre la version {old_version} et {old_version + 1}"
|
||||
print(f"""+++
|
||||
title = "{title}"
|
||||
description = "{subtitle}"
|
||||
date = {date}
|
||||
updated = {date}
|
||||
draft = false
|
||||
template = "blog/page.html"
|
||||
|
||||
[taxonomies]
|
||||
authors = ["Automate"]
|
||||
|
||||
[extra]
|
||||
lead = "{subtitle}."
|
||||
type = "installe"
|
||||
+++
|
||||
""")
|
||||
new_dict = read_dnf_pkg_file(os_name, f'/var/lib/risotto/images/image_bases-{os_name}-{releasever}.pkgs', f'/var/lib/risotto/images/{image_name}.pkgs.new')
|
||||
new_pkg = new_dict.keys()
|
||||
old_file = f'/var/lib/risotto/images/{image_name}.pkgs'
|
||||
if not old_version or not isfile(old_file):
|
||||
list_packages('Liste des paquets', new_pkg, new_dict)
|
||||
else:
|
||||
ori_dict = read_dnf_pkg_file(os_name, f'/var/lib/risotto/images/{image_name}.base.pkgs', old_file)
|
||||
ori_pkg = ori_dict.keys()
|
||||
list_packages('Les paquets supprimés', ori_pkg - new_pkg, ori_dict)
|
||||
list_packages('Les paquets ajoutés', new_pkg - ori_pkg, new_dict)
|
||||
print('# Les paquets mises à jour\n')
|
||||
if os_name == 'fedora':
|
||||
dnf_update(image_name)
|
||||
else:
|
||||
for filename in glob('*.deb'):
|
||||
unlink(filename)
|
||||
for package in ori_pkg & new_dict:
|
||||
if ori_dict[package] == new_dict[package]:
|
||||
continue
|
||||
run(['apt', 'download', package])
|
||||
packages = list(glob('*.deb'))
|
||||
packages.sort()
|
||||
for package in packages:
|
||||
info = run(['apt-listchanges', '--which', 'both', '-f', 'text', package], capture_output=True)
|
||||
header = True
|
||||
for line in info.split('\n'):
|
||||
if not header:
|
||||
print(line)
|
||||
if line.startswith('-----------------------'):
|
||||
header = False
|
||||
print()
|
||||
unlink(package)
|
||||
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
image_name = argv[1]
|
||||
old_version = int(argv[2])
|
||||
os_name = argv[3]
|
||||
releasever = argv[4]
|
||||
main(os_name, image_name, old_version, releasever)
|
77
seed/applicationservice/2022.03.08/base/manual/install/make_volatile
Executable file
77
seed/applicationservice/2022.03.08/base/manual/install/make_volatile
Executable file
|
@ -0,0 +1,77 @@
|
|||
#!/bin/bash -e
|
||||
if [ -z $CONTAINER ]; then
|
||||
echo "PAS DE CONTAINER"
|
||||
exit 1
|
||||
fi
|
||||
ROOT="/var/lib/risotto/images/$CONTAINER"
|
||||
echo "$ROOT"
|
||||
DESTDIR="$ROOT/usr/lib/tmpfiles.d"
|
||||
CONF_DST="/usr/share/factory"
|
||||
EXCLUDES="^($ROOT/etc/passwd|$ROOT/etc/group|$ROOT/etc/.updated|$ROOT/etc/.pwd.lock|$ROOT/etc/systemd/network/dhcp.network|$ROOT/etc/sudoers.d/qemubuild)$"
|
||||
ONLY_COPY="^($ROOT/etc/localtime)$"
|
||||
FORCE_LINKS="^($ROOT/etc/udev/hwdb.bin)$"
|
||||
|
||||
function execute() {
|
||||
chroot $ROOT $@
|
||||
}
|
||||
|
||||
function file_dir_in_tmpfiles() {
|
||||
letter=$1
|
||||
directory=$2
|
||||
local_directory=$(echo $directory|sed "s@^$ROOT@@g")
|
||||
mode=$(execute "/usr/bin/stat" "--format" "%a" "$local_directory" | grep -o "[0-9.]\+")
|
||||
user=$(execute "/usr/bin/stat" "--format" "%U" "$local_directory" | grep -o "[0-9a-zA-Z.-]\+")
|
||||
group=$(execute "/usr/bin/stat" "--format" "%G" "$local_directory" | grep -o "[0-9a-zA-Z.-]\+")
|
||||
echo "$letter $local_directory $mode $user $group - -"
|
||||
}
|
||||
|
||||
function calc_symlink_in_tmpfiles() {
|
||||
dest_name=$1
|
||||
local_dest_name=$2
|
||||
src_file=$(readlink "$dest_name")
|
||||
symlink_in_tmpfiles "$local_dest_name" "$src_file"
|
||||
}
|
||||
|
||||
function symlink_in_tmpfiles() {
|
||||
dest_name=$1
|
||||
src_file=$2
|
||||
echo "L+ $dest_name - - - - $src_file"
|
||||
}
|
||||
|
||||
function main() {
|
||||
dir_config_orig=$1
|
||||
name="${dir_config_orig//\//-}"
|
||||
dir_config_orig=$ROOT$dir_config_orig
|
||||
|
||||
mkdir -p "$DESTDIR"
|
||||
mkdir -p "$ROOTCONF_DST$dir_config_orig"
|
||||
systemd_conf="$DESTDIR/risotto$name.conf"
|
||||
rm -f $systemd_conf
|
||||
shopt -s globstar
|
||||
for src_file in $dir_config_orig/**; do
|
||||
local_src=$(echo $src_file|sed "s@$ROOT@@g")
|
||||
dest_file="$ROOT$CONF_DST$local_src"
|
||||
if [[ "$src_file" =~ $EXCLUDES ]]; then
|
||||
echo "$src_file: exclude" >&2
|
||||
elif [[ -L "$src_file" ]]; then
|
||||
calc_symlink_in_tmpfiles "$src_file" "$local_src" >> $systemd_conf
|
||||
elif [[ "$src_file" =~ $FORCE_LINKS ]]; then
|
||||
symlink_in_tmpfiles "$src_file" "$dest_file" >> $systemd_conf
|
||||
elif [[ -d "$src_file" ]]; then
|
||||
file_dir_in_tmpfiles 'd' "$src_file" >> $systemd_conf
|
||||
[[ ! -d "$dest_file" ]] && mkdir -p "$dest_file"
|
||||
#echo "$src_file: directory ok"
|
||||
else
|
||||
if [[ ! "$src_file" =~ $ONLY_COPY ]]; then
|
||||
file_dir_in_tmpfiles "C" "$src_file" >> $systemd_conf
|
||||
fi
|
||||
[[ -e "$dest_file" ]] && rm -f "$dest_file"
|
||||
# not a symlink... an hardlink
|
||||
ln "$src_file" "$dest_file"
|
||||
#echo "$src_file: file ok"
|
||||
fi
|
||||
done
|
||||
}
|
||||
main "$1"
|
||||
echo "fin"
|
||||
exit 0
|
67
seed/applicationservice/2022.03.08/dovecot/DEBUG.md
Normal file
67
seed/applicationservice/2022.03.08/dovecot/DEBUG.md
Normal file
|
@ -0,0 +1,67 @@
|
|||
# recherche d'un utilisateur :
|
||||
|
||||
```
|
||||
USER=gnunux@gnunux.info
|
||||
su - postfix -s /bin/bash -c "postmap -q $USER ldap:/etc/postfix/ldapsource.cf"
|
||||
```
|
||||
Doit retourner le nom de l'utilisateur.
|
||||
|
||||
Il est possible de demander le mode verbeux :
|
||||
|
||||
```
|
||||
su - postfix -s /bin/bash -c "postmap -vq $USER ldap:/etc/postfix/ldapsource.cf"
|
||||
```
|
||||
|
||||
# Test with telnet
|
||||
|
||||
EHLO root.gnunux.info
|
||||
[..]
|
||||
250-AUTH PLAIN LOGIN
|
||||
[..]
|
||||
MAIL FROM:<gnunux@gnunux.info>
|
||||
RCPT TO:<gnunux@gnunux.info>
|
||||
DATA
|
||||
To:<gnunux@gnunux.info>
|
||||
From:<gnunux@gnunux.info>
|
||||
Subject:SMTP Test
|
||||
This is a test message
|
||||
|
||||
.
|
||||
|
||||
# auth with telnet
|
||||
|
||||
echo -ne '\000gnunux@gnunux.info\000password' | openssl base64
|
||||
openssl s_client -connect 192.168.45.13:25 -starttls smtp
|
||||
EHLO client.example.com
|
||||
[..]
|
||||
AUTH PLAIN AGdudW51eEBnbnVudXguaW5mbwBxVV96Vl9kbEUzUm82WmpTcjFHOGNzbmd4ajA=
|
||||
235 2.7.0 Authentication successful
|
||||
|
||||
# Un élément de configuration
|
||||
|
||||
postconf maillog_file
|
||||
|
||||
# Editer la configuration
|
||||
|
||||
postconf maillog_file=/dev/stdout
|
||||
|
||||
# debug
|
||||
|
||||
You can easily print the last 1000 error messages of a running Dovecot:
|
||||
|
||||
doveadm log errors
|
||||
|
||||
## debug
|
||||
|
||||
sed -i 's/#mail_debug = no/mail_debug = yes/g' /etc/dovecot/conf.d/10-logging.conf
|
||||
systemctl restart dovecot
|
||||
|
||||
## ldap debug
|
||||
|
||||
echo "debug_level = -1" >> /etc/dovecot/dovecot-ldap.conf.ext
|
||||
systemctl restart dovecot
|
||||
|
||||
## oauth debug
|
||||
|
||||
echo "debug = yes" >> /etc/dovecot/dovecot-oauth2.conf.ext
|
||||
systemctl restart dovecot
|
2
seed/applicationservice/2022.03.08/dovecot/FIXME
Normal file
2
seed/applicationservice/2022.03.08/dovecot/FIXME
Normal file
|
@ -0,0 +1,2 @@
|
|||
SPF : https://www.djaodjin.com/blog/postfix-dovecot-openldap.blog.html
|
||||
Postcreen : modoboa_installer/scripts/files/postfix/main.cf.tpl
|
|
@ -0,0 +1,7 @@
|
|||
format: '0.1'
|
||||
description: Postfix et Dovecot
|
||||
depends:
|
||||
- base-fedora-35
|
||||
- relay-mail-client
|
||||
- ldap-client-fedora
|
||||
- oauth2-client
|
|
@ -0,0 +1,107 @@
|
|||
<?xml version='1.0' encoding='UTF-8'?>
|
||||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="postfix" target="multi-user">
|
||||
<override/>
|
||||
<file engine="none" source="sysuser-postfix.conf">/sysusers.d/1postfix.conf</file>
|
||||
<file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
|
||||
<file>/etc/postfix/main.cf</file>
|
||||
<file>/etc/postfix/master.cf</file>
|
||||
<file>/etc/postfix/ldapsource.cf</file>
|
||||
<file>/etc/postfix/relay_passwd</file>
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
|
||||
<file>/etc/pki/tls/certs/postfix.crt</file>
|
||||
<file owner="root" group="postfix" mode="440">/etc/pki/tls/private/postfix.key</file>
|
||||
</service>
|
||||
<service name='dovecot-init'>
|
||||
<override/>
|
||||
</service>
|
||||
<service name="dovecot" target="multi-user">
|
||||
<file file_type="variable" source="ca_ReverseProxy.crt">revprox_ca_file</file>
|
||||
<file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
|
||||
<file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
|
||||
<file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
|
||||
<file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file>
|
||||
<file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file>
|
||||
<file>/etc/dovecot/conf.d/10-master.conf</file>
|
||||
<file engine='none'>/etc/dovecot/conf.d/10-ssl.conf</file>
|
||||
<!-- FIXME file engine='none'>/etc/dovecot/conf.d/12-managesieve.conf</file-->
|
||||
<file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file>
|
||||
<file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file>
|
||||
<file engine='none'>/etc/dovecot/conf.d/00-risotto.conf</file>
|
||||
<!--plain authentification-->
|
||||
<file>/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
|
||||
<file>/etc/dovecot/dovecot-ldap.conf.ext</file>
|
||||
<!--oauth2 authentification-->
|
||||
<file>/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
|
||||
<file>/etc/dovecot/dovecot-oauth2.conf.ext</file>
|
||||
<!--internal authentification-->
|
||||
<file>/etc/dovecot/conf.d/auth-passwdfile.conf.ext</file>
|
||||
<file>/etc/dovecot/risotto_users</file>
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt</file>
|
||||
<file>/etc/pki/tls/certs/dovecot.crt</file>
|
||||
<file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
|
||||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="annuaire">
|
||||
<variable name="ldap_key_file_owner" redefine="True">
|
||||
<value>dovecot</value>
|
||||
</variable>
|
||||
<variable name="ldap_key_file_group" redefine="True">
|
||||
<value>postfix</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="postfix" description="Postfix mail server">
|
||||
<variable name="postfix_my_domains" type="domainname" description="Domaine de courriel généré localement" mandatory="True" multi="True"/>
|
||||
<variable name='postfix_ca_chain' description="CA certificate" hidden='True'/>
|
||||
</family>
|
||||
<family name="dovecot" description="IMAP mail server">
|
||||
<variable name='dovecot_ca_chain' description="CA certificate" hidden='True'/>
|
||||
<variable name='dovecot_local_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
|
||||
<family name="local_authentification_" description="Local server authentification" dynamic='dovecot_local_authentifications'>
|
||||
<variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
|
||||
<variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
|
||||
</family>
|
||||
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
|
||||
<variable name="revprox_server_domainname" type="domainname" description="Reverse proxy domain name for CA" mandatory="True"/>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="get_chain">
|
||||
<param name="authority_cn" type="variable">domain_name_eth0</param>
|
||||
<param name="authority_name">MailServer</param>
|
||||
<target>postfix_ca_chain</target>
|
||||
</fill>
|
||||
<fill name="get_chain">
|
||||
<param name="authority_cn" type="variable">domain_name_eth0</param>
|
||||
<param name="authority_name">IMAPServer</param>
|
||||
<target>dovecot_ca_chain</target>
|
||||
</fill>
|
||||
<fill name="get_password">
|
||||
<param name="server_name" type="variable">domain_name_eth0</param>
|
||||
<param name="username" type="suffix"/>
|
||||
<param name="description">local authentification</param>
|
||||
<param name="type">cleartext</param>
|
||||
<target>local_authentification_password_</target>
|
||||
</fill>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">smtp_relay_address</param>
|
||||
<param name="linked_provider">lmtp_server</param>
|
||||
<param name="linked_value" type="variable">domain_name_eth0</param>
|
||||
<target>postfix_my_domains</target>
|
||||
</check>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">smtp_relay_address</param>
|
||||
<param name="linked_provider">lmtp_criteria</param>
|
||||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||
<target>postfix_my_domains</target>
|
||||
</check>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_ca_directory</param>
|
||||
<param>ca_ReverseProxy.crt</param>
|
||||
<param name="join">/</param>
|
||||
<target>revprox_ca_file</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
</rougail>
|
|
@ -0,0 +1,9 @@
|
|||
from crypt import crypt as _crypt
|
||||
from string import ascii_letters as _ascii_letters, digits as _digits
|
||||
from secrets import choice as _choice
|
||||
|
||||
|
||||
def sha512_crypt(password):
|
||||
salt = ''.join([_choice(_ascii_letters + _digits) for _ in range(8)])
|
||||
prefix = '$6$'
|
||||
return _crypt(password, prefix + salt)
|
|
@ -0,0 +1 @@
|
|||
PKG="$PKG postfix-ldap dovecot cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain"
|
|
@ -0,0 +1 @@
|
|||
protocols = imap lmtp
|
|
@ -0,0 +1,142 @@
|
|||
##
|
||||
## Authentication processes
|
||||
##
|
||||
|
||||
# Disable LOGIN command and all other plaintext authentications unless
|
||||
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
|
||||
# matches the local IP (ie. you're connecting from the same computer), the
|
||||
# connection is considered secure and plaintext authentication is allowed.
|
||||
# See also ssl=required setting.
|
||||
#disable_plaintext_auth = yes
|
||||
#>GNUNUX
|
||||
disable_plaintext_auth = yes
|
||||
#<GNUNUX
|
||||
|
||||
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
|
||||
# bsdauth and PAM require cache_key to be set for caching to be used.
|
||||
#auth_cache_size = 0
|
||||
# Time to live for cached data. After TTL expires the cached record is no
|
||||
# longer used, *except* if the main database lookup returns internal failure.
|
||||
# We also try to handle password changes automatically: If user's previous
|
||||
# authentication was successful, but this one wasn't, the cache isn't used.
|
||||
# For now this works only with plaintext authentication.
|
||||
#auth_cache_ttl = 1 hour
|
||||
# TTL for negative hits (user not found, password mismatch).
|
||||
# 0 disables caching them completely.
|
||||
#auth_cache_negative_ttl = 1 hour
|
||||
|
||||
# Space separated list of realms for SASL authentication mechanisms that need
|
||||
# them. You can leave it empty if you don't want to support multiple realms.
|
||||
# Many clients simply use the first one listed here, so keep the default realm
|
||||
# first.
|
||||
#auth_realms =
|
||||
|
||||
# Default realm/domain to use if none was specified. This is used for both
|
||||
# SASL realms and appending @domain to username in plaintext logins.
|
||||
#auth_default_realm =
|
||||
|
||||
# List of allowed characters in username. If the user-given username contains
|
||||
# a character not listed in here, the login automatically fails. This is just
|
||||
# an extra check to make sure user can't exploit any potential quote escaping
|
||||
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
|
||||
# set this value to empty.
|
||||
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
|
||||
|
||||
# Username character translations before it's looked up from databases. The
|
||||
# value contains series of from -> to characters. For example "#@/@" means
|
||||
# that '#' and '/' characters are translated to '@'.
|
||||
#auth_username_translation =
|
||||
|
||||
# Username formatting before it's looked up from databases. You can use
|
||||
# the standard variables here, eg. %Lu would lowercase the username, %n would
|
||||
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
|
||||
# "-AT-". This translation is done after auth_username_translation changes.
|
||||
#auth_username_format = %Lu
|
||||
|
||||
# If you want to allow master users to log in by specifying the master
|
||||
# username within the normal username string (ie. not using SASL mechanism's
|
||||
# support for it), you can specify the separator character here. The format
|
||||
# is then <username><separator><master username>. UW-IMAP uses "*" as the
|
||||
# separator, so that could be a good choice.
|
||||
#auth_master_user_separator =
|
||||
|
||||
# Username to use for users logging in with ANONYMOUS SASL mechanism
|
||||
#auth_anonymous_username = anonymous
|
||||
|
||||
# Maximum number of dovecot-auth worker processes. They're used to execute
|
||||
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
|
||||
# automatically created and destroyed as needed.
|
||||
#auth_worker_max_count = 30
|
||||
|
||||
# Host name to use in GSSAPI principal names. The default is to use the
|
||||
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
|
||||
# entries.
|
||||
#auth_gssapi_hostname =
|
||||
|
||||
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
|
||||
# default (usually /etc/krb5.keytab) if not specified. You may need to change
|
||||
# the auth service to run as root to be able to read this file.
|
||||
#auth_krb5_keytab =
|
||||
|
||||
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
|
||||
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
|
||||
#auth_use_winbind = no
|
||||
|
||||
# Path for Samba's ntlm_auth helper binary.
|
||||
#auth_winbind_helper_path = /usr/bin/ntlm_auth
|
||||
|
||||
# Time to delay before replying to failed authentications.
|
||||
#auth_failure_delay = 2 secs
|
||||
|
||||
# Require a valid SSL client certificate or the authentication fails.
|
||||
#auth_ssl_require_client_cert = no
|
||||
|
||||
# Take the username from client's SSL certificate, using
|
||||
# X509_NAME_get_text_by_NID() which returns the subject's DN's
|
||||
# CommonName.
|
||||
#auth_ssl_username_from_cert = no
|
||||
|
||||
# Space separated list of wanted authentication mechanisms:
|
||||
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
|
||||
# gss-spnego
|
||||
# NOTE: See also disable_plaintext_auth setting.
|
||||
auth_mechanisms = plain
|
||||
#>GNUNUX
|
||||
auth_mechanisms = $auth_mechanisms xoauth2
|
||||
#FIXME oauthbearer?
|
||||
#<GNUNUX
|
||||
|
||||
##
|
||||
## Password and user databases
|
||||
##
|
||||
|
||||
#
|
||||
# Password database is used to verify user's password (and nothing more).
|
||||
# You can have multiple passdbs and userdbs. This is useful if you want to
|
||||
# allow both system users (/etc/passwd) and virtual users to login without
|
||||
# duplicating the system users into virtual database.
|
||||
#
|
||||
# <doc/wiki/PasswordDatabase.txt>
|
||||
#
|
||||
# User database specifies where mails are located and what user/group IDs
|
||||
# own them. For single-UID configuration use "static" userdb.
|
||||
#
|
||||
# <doc/wiki/UserDatabase.txt>
|
||||
|
||||
#!include auth-deny.conf.ext
|
||||
#!include auth-master.conf.ext
|
||||
|
||||
#GNUNUX!include auth-system.conf.ext
|
||||
#!include auth-sql.conf.ext
|
||||
#!include auth-ldap.conf.ext
|
||||
#!include auth-passwdfile.conf.ext
|
||||
#!include auth-checkpassword.conf.ext
|
||||
#!include auth-static.conf.ext
|
||||
#>GNUNUX
|
||||
# Webmail auth (ie. roundcube)
|
||||
!include auth-oauth2.conf.ext
|
||||
# IMAP auth
|
||||
!include auth-ldap.conf.ext
|
||||
# Internal users (ie. roundcube)
|
||||
!include auth-passwdfile.conf.ext
|
||||
#<GNUNUX
|
|
@ -0,0 +1,115 @@
|
|||
##
|
||||
## Log destination.
|
||||
##
|
||||
|
||||
# Log file to use for error messages. "syslog" logs to syslog,
|
||||
# /dev/stderr logs to stderr.
|
||||
#>GNUNUX
|
||||
log_path = syslog
|
||||
#<GNUNUX
|
||||
|
||||
# Log file to use for informational messages. Defaults to log_path.
|
||||
#info_log_path =
|
||||
# Log file to use for debug messages. Defaults to info_log_path.
|
||||
#debug_log_path =
|
||||
|
||||
# Syslog facility to use if you're logging to syslog. Usually if you don't
|
||||
# want to use "mail", you'll use local0..local7. Also other standard
|
||||
# facilities are supported.
|
||||
#>GNUNUX
|
||||
syslog_facility = mail
|
||||
#<GNUNUX
|
||||
|
||||
##
|
||||
## Logging verbosity and debugging.
|
||||
##
|
||||
|
||||
# Log filter is a space-separated list conditions. If any of the conditions
|
||||
# match, the log filter matches (i.e. they're ORed together). Parenthesis
|
||||
# are supported if multiple conditions need to be matched together.
|
||||
#
|
||||
# See https://doc.dovecot.org/configuration_manual/event_filter/ for details.
|
||||
#
|
||||
# For example: event=http_request_* AND category=error AND category=storage
|
||||
#
|
||||
# Filter to specify what debug logging to enable. This will eventually replace
|
||||
# mail_debug and auth_debug settings.
|
||||
#log_debug =
|
||||
|
||||
# Crash after logging a matching event. For example category=error will crash
|
||||
# any time an error is logged, which can be useful for debugging.
|
||||
#log_core_filter =
|
||||
|
||||
# Log unsuccessful authentication attempts and the reasons why they failed.
|
||||
#>GNUNUX
|
||||
auth_verbose = yes
|
||||
#<GNUNUX
|
||||
|
||||
# In case of password mismatches, log the attempted password. Valid values are
|
||||
# no, plain and sha1. sha1 can be useful for detecting brute force password
|
||||
# attempts vs. user simply trying the same password over and over again.
|
||||
# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
|
||||
#>GNUNUX
|
||||
auth_verbose_passwords = no
|
||||
#<GNUNUX
|
||||
|
||||
# Even more verbose logging for debugging purposes. Shows for example SQL
|
||||
# queries.
|
||||
#auth_debug = no
|
||||
|
||||
# In case of password mismatches, log the passwords and used scheme so the
|
||||
# problem can be debugged. Enabling this also enables auth_debug.
|
||||
#auth_debug_passwords = no
|
||||
|
||||
# Enable mail process debugging. This can help you figure out why Dovecot
|
||||
# isn't finding your mails.
|
||||
#mail_debug = no
|
||||
|
||||
# Show protocol level SSL errors.
|
||||
#verbose_ssl = no
|
||||
|
||||
# mail_log plugin provides more event logging for mail processes.
|
||||
plugin {
|
||||
# Events to log. Also available: flag_change append
|
||||
#mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
|
||||
# Available fields: uid, box, msgid, from, subject, size, vsize, flags
|
||||
# size and vsize are available only for expunge and copy events.
|
||||
#>GNUNUX
|
||||
mail_log_fields = uid box msgid size
|
||||
#<GNUNUX
|
||||
}
|
||||
|
||||
##
|
||||
## Log formatting.
|
||||
##
|
||||
|
||||
# Prefix for each line written to log file. % codes are in strftime(3)
|
||||
# format.
|
||||
#log_timestamp = "%b %d %H:%M:%S "
|
||||
|
||||
# Space-separated list of elements we want to log. The elements which have
|
||||
# a non-empty variable value are joined together to form a comma-separated
|
||||
# string.
|
||||
#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
|
||||
|
||||
# Login log format. %s contains login_log_format_elements string, %$ contains
|
||||
# the data we want to log.
|
||||
#login_log_format = %$: %s
|
||||
|
||||
# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
|
||||
# possible variables you can use.
|
||||
#mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "
|
||||
|
||||
# Format to use for logging mail deliveries:
|
||||
# %$ - Delivery status message (e.g. "saved to INBOX")
|
||||
# %m / %{msgid} - Message-ID
|
||||
# %s / %{subject} - Subject
|
||||
# %f / %{from} - From address
|
||||
# %p / %{size} - Physical size
|
||||
# %w / %{vsize} - Virtual size
|
||||
# %e / %{from_envelope} - MAIL FROM envelope
|
||||
# %{to_envelope} - RCPT TO envelope
|
||||
# %{delivery_time} - How many milliseconds it took to deliver the mail
|
||||
# %{session_time} - How long LMTP session took, not including delivery_time
|
||||
# %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename
|
||||
#deliver_log_format = msgid=%m: %$
|
|
@ -0,0 +1,418 @@
|
|||
##
|
||||
## Mailbox locations and namespaces
|
||||
##
|
||||
|
||||
# Location for users' mailboxes. The default is empty, which means that Dovecot
|
||||
# tries to find the mailboxes automatically. This won't work if the user
|
||||
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
|
||||
# location.
|
||||
#
|
||||
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
|
||||
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
|
||||
# kept. This is called the "root mail directory", and it must be the first
|
||||
# path given in the mail_location setting.
|
||||
#
|
||||
# There are a few special variables you can use, eg.:
|
||||
#
|
||||
# %u - username
|
||||
# %n - user part in user@domain, same as %u if there's no domain
|
||||
# %d - domain part in user@domain, empty if there's no domain
|
||||
# %h - home directory
|
||||
#
|
||||
# See doc/wiki/Variables.txt for full list. Some examples:
|
||||
#
|
||||
# mail_location = maildir:~/Maildir
|
||||
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
|
||||
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
|
||||
#
|
||||
# <doc/wiki/MailLocation.txt>
|
||||
#
|
||||
#>GNUNUX
|
||||
mail_location = maildir:/srv/mail/%u
|
||||
#<GNUNUX
|
||||
|
||||
# If you need to set multiple mailbox locations or want to change default
|
||||
# namespace settings, you can do it by defining namespace sections.
|
||||
#
|
||||
# You can have private, shared and public namespaces. Private namespaces
|
||||
# are for user's personal mails. Shared namespaces are for accessing other
|
||||
# users' mailboxes that have been shared. Public namespaces are for shared
|
||||
# mailboxes that are managed by sysadmin. If you create any shared or public
|
||||
# namespaces you'll typically want to enable ACL plugin also, otherwise all
|
||||
# users can access all the shared mailboxes, assuming they have permissions
|
||||
# on filesystem level to do so.
|
||||
namespace inbox {
|
||||
# Namespace type: private, shared or public
|
||||
#type = private
|
||||
|
||||
# Hierarchy separator to use. You should use the same separator for all
|
||||
# namespaces or some clients get confused. '/' is usually a good one.
|
||||
# The default however depends on the underlying mail storage format.
|
||||
#separator =
|
||||
|
||||
# Prefix required to access this namespace. This needs to be different for
|
||||
# all namespaces. For example "Public/".
|
||||
#prefix =
|
||||
|
||||
# Physical location of the mailbox. This is in same format as
|
||||
# mail_location, which is also the default for it.
|
||||
#location =
|
||||
|
||||
# There can be only one INBOX, and this setting defines which namespace
|
||||
# has it.
|
||||
inbox = yes
|
||||
|
||||
# If namespace is hidden, it's not advertised to clients via NAMESPACE
|
||||
# extension. You'll most likely also want to set list=no. This is mostly
|
||||
# useful when converting from another server with different namespaces which
|
||||
# you want to deprecate but still keep working. For example you can create
|
||||
# hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
|
||||
#hidden = no
|
||||
|
||||
# Show the mailboxes under this namespace with LIST command. This makes the
|
||||
# namespace visible for clients that don't support NAMESPACE extension.
|
||||
# "children" value lists child mailboxes, but hides the namespace prefix.
|
||||
#list = yes
|
||||
|
||||
# Namespace handles its own subscriptions. If set to "no", the parent
|
||||
# namespace handles them (empty prefix should always have this as "yes")
|
||||
#subscriptions = yes
|
||||
|
||||
# See 15-mailboxes.conf for definitions of special mailboxes.
|
||||
}
|
||||
|
||||
# Example shared namespace configuration
|
||||
#namespace {
|
||||
#type = shared
|
||||
#separator = /
|
||||
|
||||
# Mailboxes are visible under "shared/user@domain/"
|
||||
# %%n, %%d and %%u are expanded to the destination user.
|
||||
#prefix = shared/%%u/
|
||||
|
||||
# Mail location for other users' mailboxes. Note that %variables and ~/
|
||||
# expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
|
||||
# destination user's data.
|
||||
#location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
|
||||
|
||||
# Use the default namespace for saving subscriptions.
|
||||
#subscriptions = no
|
||||
|
||||
# List the shared/ namespace only if there are visible shared mailboxes.
|
||||
#list = children
|
||||
#}
|
||||
# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
|
||||
#mail_shared_explicit_inbox = no
|
||||
|
||||
# System user and group used to access mails. If you use multiple, userdb
|
||||
# can override these by returning uid or gid fields. You can use either numbers
|
||||
# or names. <doc/wiki/UserIds.txt>
|
||||
#mail_uid =
|
||||
#mail_gid =
|
||||
|
||||
# Group to enable temporarily for privileged operations. Currently this is
|
||||
# used only with INBOX when either its initial creation or dotlocking fails.
|
||||
# Typically this is set to "mail" to give access to /var/mail.
|
||||
#mail_privileged_group =
|
||||
|
||||
# Grant access to these supplementary groups for mail processes. Typically
|
||||
# these are used to set up access to shared mailboxes. Note that it may be
|
||||
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
|
||||
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
|
||||
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
|
||||
#mail_access_groups =
|
||||
|
||||
# Allow full filesystem access to clients. There's no access checks other than
|
||||
# what the operating system does for the active UID/GID. It works with both
|
||||
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
|
||||
# or ~user/.
|
||||
#mail_full_filesystem_access = no
|
||||
|
||||
# Dictionary for key=value mailbox attributes. This is used for example by
|
||||
# URLAUTH and METADATA extensions.
|
||||
#mail_attribute_dict =
|
||||
|
||||
# A comment or note that is associated with the server. This value is
|
||||
# accessible for authenticated users through the IMAP METADATA server
|
||||
# entry "/shared/comment".
|
||||
#mail_server_comment = ""
|
||||
|
||||
# Indicates a method for contacting the server administrator. According to
|
||||
# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
|
||||
# is currently not enforced. Use for example mailto:admin@example.com. This
|
||||
# value is accessible for authenticated users through the IMAP METADATA server
|
||||
# entry "/shared/admin".
|
||||
#mail_server_admin =
|
||||
|
||||
##
|
||||
## Mail processes
|
||||
##
|
||||
|
||||
# Don't use mmap() at all. This is required if you store indexes to shared
|
||||
# filesystems (NFS or clustered filesystem).
|
||||
#mmap_disable = no
|
||||
|
||||
# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
|
||||
# since version 3, so this should be safe to use nowadays by default.
|
||||
#dotlock_use_excl = yes
|
||||
|
||||
# When to use fsync() or fdatasync() calls:
|
||||
# optimized (default): Whenever necessary to avoid losing important data
|
||||
# always: Useful with e.g. NFS when write()s are delayed
|
||||
# never: Never use it (best performance, but crashes can lose data)
|
||||
#mail_fsync = optimized
|
||||
|
||||
# Locking method for index files. Alternatives are fcntl, flock and dotlock.
|
||||
# Dotlocking uses some tricks which may create more disk I/O than other locking
|
||||
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
|
||||
#lock_method = fcntl
|
||||
|
||||
# Directory where mails can be temporarily stored. Usually it's used only for
|
||||
# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
|
||||
# example LDA/LMTP while delivering large mails or zlib plugin for keeping
|
||||
# uncompressed mails.
|
||||
#mail_temp_dir = /tmp
|
||||
|
||||
# Valid UID range for users, defaults to 500 and above. This is mostly
|
||||
# to make sure that users can't log in as daemons or other system users.
|
||||
# Note that denying root logins is hardcoded to dovecot binary and can't
|
||||
# be done even if first_valid_uid is set to 0.
|
||||
#first_valid_uid = 500
|
||||
#last_valid_uid = 0
|
||||
|
||||
# Valid GID range for users, defaults to non-root/wheel. Users having
|
||||
# non-valid GID as primary group ID aren't allowed to log in. If user
|
||||
# belongs to supplementary groups with non-valid GIDs, those groups are
|
||||
# not set.
|
||||
#first_valid_gid = 1
|
||||
#last_valid_gid = 0
|
||||
|
||||
# Maximum allowed length for mail keyword name. It's only forced when trying
|
||||
# to create new keywords.
|
||||
#mail_max_keyword_length = 50
|
||||
|
||||
# ':' separated list of directories under which chrooting is allowed for mail
|
||||
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
|
||||
# This setting doesn't affect login_chroot, mail_chroot or auth chroot
|
||||
# settings. If this setting is empty, "/./" in home dirs are ignored.
|
||||
# WARNING: Never add directories here which local users can modify, that
|
||||
# may lead to root exploit. Usually this should be done only if you don't
|
||||
# allow shell access for users. <doc/wiki/Chrooting.txt>
|
||||
#valid_chroot_dirs =
|
||||
|
||||
# Default chroot directory for mail processes. This can be overridden for
|
||||
# specific users in user database by giving /./ in user's home directory
|
||||
# (eg. /home/./user chroots into /home). Note that usually there is no real
|
||||
# need to do chrooting, Dovecot doesn't allow users to access files outside
|
||||
# their mail directory anyway. If your home directories are prefixed with
|
||||
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
|
||||
#mail_chroot =
|
||||
|
||||
# UNIX socket path to master authentication server to find users.
|
||||
# This is used by imap (for shared users) and lda.
|
||||
#auth_socket_path = /var/run/dovecot/auth-userdb
|
||||
|
||||
# Directory where to look up mail plugins.
|
||||
#mail_plugin_dir = /usr/lib/dovecot
|
||||
|
||||
# Space separated list of plugins to load for all services. Plugins specific to
|
||||
# IMAP, LDA, etc. are added to this list in their own .conf files.
|
||||
#mail_plugins =
|
||||
|
||||
##
|
||||
## Mailbox handling optimizations
|
||||
##
|
||||
|
||||
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
|
||||
# also required for IMAP NOTIFY extension to be enabled.
|
||||
#mailbox_list_index = yes
|
||||
|
||||
# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
|
||||
# of potentially returning out-of-date results after e.g. server crashes.
|
||||
# The results will be automatically fixed once the folders are opened.
|
||||
#mailbox_list_index_very_dirty_syncs = yes
|
||||
|
||||
# Should INBOX be kept up-to-date in the mailbox list index? By default it's
|
||||
# not, because most of the mailbox accesses will open INBOX anyway.
|
||||
#mailbox_list_index_include_inbox = no
|
||||
|
||||
# The minimum number of mails in a mailbox before updates are done to cache
|
||||
# file. This allows optimizing Dovecot's behavior to do less disk writes at
|
||||
# the cost of more disk reads.
|
||||
#mail_cache_min_mail_count = 0
|
||||
|
||||
# When IDLE command is running, mailbox is checked once in a while to see if
|
||||
# there are any new mails or other changes. This setting defines the minimum
|
||||
# time to wait between those checks. Dovecot can also use inotify and
|
||||
# kqueue to find out immediately when changes occur.
|
||||
#mailbox_idle_check_interval = 30 secs
|
||||
|
||||
# Save mails with CR+LF instead of plain LF. This makes sending those mails
|
||||
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
|
||||
# But it also creates a bit more disk I/O which may just make it slower.
|
||||
# Also note that if other software reads the mboxes/maildirs, they may handle
|
||||
# the extra CRs wrong and cause problems.
|
||||
#mail_save_crlf = no
|
||||
|
||||
# Max number of mails to keep open and prefetch to memory. This only works with
|
||||
# some mailbox formats and/or operating systems.
|
||||
#mail_prefetch_count = 0
|
||||
|
||||
# How often to scan for stale temporary files and delete them (0 = never).
|
||||
# These should exist only after Dovecot dies in the middle of saving mails.
|
||||
#mail_temp_scan_interval = 1w
|
||||
|
||||
# How many slow mail accesses sorting can perform before it returns failure.
|
||||
# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
|
||||
# The untagged SORT reply is still returned, but it's likely not correct.
|
||||
#mail_sort_max_read_count = 0
|
||||
|
||||
protocol !indexer-worker {
|
||||
# If folder vsize calculation requires opening more than this many mails from
|
||||
# disk (i.e. mail sizes aren't in cache already), return failure and finish
|
||||
# the calculation via indexer process. Disabled by default. This setting must
|
||||
# be 0 for indexer-worker processes.
|
||||
#mail_vsize_bg_after_count = 0
|
||||
}
|
||||
|
||||
##
|
||||
## Maildir-specific settings
|
||||
##
|
||||
|
||||
# By default LIST command returns all entries in maildir beginning with a dot.
|
||||
# Enabling this option makes Dovecot return only entries which are directories.
|
||||
# This is done by stat()ing each entry, so it causes more disk I/O.
|
||||
# (For systems setting struct dirent->d_type, this check is free and it's
|
||||
# done always regardless of this setting)
|
||||
#maildir_stat_dirs = no
|
||||
|
||||
# When copying a message, do it with hard links whenever possible. This makes
|
||||
# the performance much better, and it's unlikely to have any side effects.
|
||||
#maildir_copy_with_hardlinks = yes
|
||||
|
||||
# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
|
||||
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
|
||||
#maildir_very_dirty_syncs = no
|
||||
|
||||
# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
|
||||
# getting the mail's physical size, except when recalculating Maildir++ quota.
|
||||
# This can be useful in systems where a lot of the Maildir filenames have a
|
||||
# broken size. The performance hit for enabling this is very small.
|
||||
#maildir_broken_filename_sizes = no
|
||||
|
||||
# Always move mails from new/ directory to cur/, even when the \Recent flags
|
||||
# aren't being reset.
|
||||
#maildir_empty_new = no
|
||||
|
||||
##
|
||||
## mbox-specific settings
|
||||
##
|
||||
|
||||
# Which locking methods to use for locking mbox. There are four available:
|
||||
# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
|
||||
# solution. If you want to use /var/mail/ like directory, the users
|
||||
# will need write access to that directory.
|
||||
# dotlock_try: Same as dotlock, but if it fails because of permissions or
|
||||
# because there isn't enough disk space, just skip it.
|
||||
# fcntl : Use this if possible. Works with NFS too if lockd is used.
|
||||
# flock : May not exist in all systems. Doesn't work with NFS.
|
||||
# lockf : May not exist in all systems. Doesn't work with NFS.
|
||||
#
|
||||
# You can use multiple locking methods; if you do the order they're declared
|
||||
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
|
||||
# locking methods as well. Some operating systems don't allow using some of
|
||||
# them simultaneously.
|
||||
#mbox_read_locks = fcntl
|
||||
#mbox_write_locks = dotlock fcntl
|
||||
mbox_write_locks = fcntl
|
||||
|
||||
# Maximum time to wait for lock (all of them) before aborting.
|
||||
#mbox_lock_timeout = 5 mins
|
||||
|
||||
# If dotlock exists but the mailbox isn't modified in any way, override the
|
||||
# lock file after this much time.
|
||||
#mbox_dotlock_change_timeout = 2 mins
|
||||
|
||||
# When mbox changes unexpectedly we have to fully read it to find out what
|
||||
# changed. If the mbox is large this can take a long time. Since the change
|
||||
# is usually just a newly appended mail, it'd be faster to simply read the
|
||||
# new mails. If this setting is enabled, Dovecot does this but still safely
|
||||
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
|
||||
# how it's expected to be. The only real downside to this setting is that if
|
||||
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
|
||||
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
|
||||
# commands.
|
||||
#mbox_dirty_syncs = yes
|
||||
|
||||
# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
|
||||
# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
|
||||
#mbox_very_dirty_syncs = no
|
||||
|
||||
# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
|
||||
# commands and when closing the mailbox). This is especially useful for POP3
|
||||
# where clients often delete all mails. The downside is that our changes
|
||||
# aren't immediately visible to other MUAs.
|
||||
#mbox_lazy_writes = yes
|
||||
|
||||
# If mbox size is smaller than this (e.g. 100k), don't write index files.
|
||||
# If an index file already exists it's still read, just not updated.
|
||||
#mbox_min_index_size = 0
|
||||
|
||||
# Mail header selection algorithm to use for MD5 POP3 UIDLs when
|
||||
# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
|
||||
# algorithm, but it fails if the first Received: header isn't unique in all
|
||||
# mails. An alternative algorithm is "all" that selects all headers.
|
||||
#mbox_md5 = apop3d
|
||||
|
||||
##
|
||||
## mdbox-specific settings
|
||||
##
|
||||
|
||||
# Maximum dbox file size until it's rotated.
|
||||
#mdbox_rotate_size = 10M
|
||||
|
||||
# Maximum dbox file age until it's rotated. Typically in days. Day begins
|
||||
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
|
||||
#mdbox_rotate_interval = 0
|
||||
|
||||
# When creating new mdbox files, immediately preallocate their size to
|
||||
# mdbox_rotate_size. This setting currently works only in Linux with some
|
||||
# filesystems (ext4, xfs).
|
||||
#mdbox_preallocate_space = no
|
||||
|
||||
##
|
||||
## Mail attachments
|
||||
##
|
||||
|
||||
# sdbox and mdbox support saving mail attachments to external files, which
|
||||
# also allows single instance storage for them. Other backends don't support
|
||||
# this for now.
|
||||
|
||||
# Directory root where to store mail attachments. Disabled, if empty.
|
||||
#mail_attachment_dir =
|
||||
|
||||
# Attachments smaller than this aren't saved externally. It's also possible to
|
||||
# write a plugin to disable saving specific attachments externally.
|
||||
#mail_attachment_min_size = 128k
|
||||
|
||||
# Filesystem backend to use for saving attachments:
|
||||
# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
|
||||
# sis posix : SiS with immediate byte-by-byte comparison during saving
|
||||
# sis-queue posix : SiS with delayed comparison and deduplication
|
||||
#mail_attachment_fs = sis posix
|
||||
|
||||
# Hash format to use in attachment filenames. You can add any text and
|
||||
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
|
||||
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
|
||||
#mail_attachment_hash = %{sha1}
|
||||
|
||||
# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
|
||||
# By default, all MIME parts with Content-Disposition=attachment, or inlines
|
||||
# with filename parameter are consired attachments.
|
||||
# add-flags - Add the keywords when saving new mails or when fetching can
|
||||
# do it efficiently.
|
||||
# content-type=type or !type - Include/exclude content type. Excluding will
|
||||
# never consider the matched MIME part as attachment. Including will only
|
||||
# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
|
||||
# exclude-inlined - Exclude any Content-Disposition=inline MIME part.
|
||||
#mail_attachment_detection_options =
|
|
@ -0,0 +1,156 @@
|
|||
#default_process_limit = 100
|
||||
#default_client_limit = 1000
|
||||
|
||||
# Default VSZ (virtual memory size) limit for service processes. This is mainly
|
||||
# intended to catch and kill processes that leak memory before they eat up
|
||||
# everything.
|
||||
#default_vsz_limit = 256M
|
||||
|
||||
# Login user is internally used by login processes. This is the most untrusted
|
||||
# user in Dovecot system. It shouldn't have access to anything at all.
|
||||
#default_login_user = dovenull
|
||||
|
||||
# Internal user is used by unprivileged processes. It should be separate from
|
||||
# login user, so that login processes can't disturb other processes.
|
||||
#default_internal_user = dovecot
|
||||
|
||||
service imap-login {
|
||||
inet_listener imap {
|
||||
#port = 143
|
||||
#>GNUNUX
|
||||
port = 0
|
||||
#<GNUNUX
|
||||
}
|
||||
inet_listener imaps {
|
||||
#port = 993
|
||||
#ssl = yes
|
||||
}
|
||||
|
||||
# Number of connections to handle before starting a new process. Typically
|
||||
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
|
||||
# is faster. <doc/wiki/LoginProcess.txt>
|
||||
#service_count = 1
|
||||
|
||||
# Number of processes to always keep waiting for more connections.
|
||||
#process_min_avail = 0
|
||||
|
||||
# If you set service_count=0, you probably need to grow this.
|
||||
#vsz_limit = $default_vsz_limit
|
||||
}
|
||||
|
||||
service pop3-login {
|
||||
inet_listener pop3 {
|
||||
#port = 110
|
||||
#>GNUNUX
|
||||
port = 0
|
||||
#<GNUNUX
|
||||
}
|
||||
inet_listener pop3s {
|
||||
#>GNUNUX
|
||||
port = 0
|
||||
#<GNUNUX
|
||||
#port = 995
|
||||
#ssl = yes
|
||||
}
|
||||
}
|
||||
|
||||
service submission-login {
|
||||
inet_listener submission {
|
||||
#port = 587
|
||||
}
|
||||
}
|
||||
|
||||
service lmtp {
|
||||
unix_listener lmtp {
|
||||
#mode = 0666
|
||||
}
|
||||
|
||||
# Create inet listener only if you can't use the above UNIX socket
|
||||
#inet_listener lmtp {
|
||||
# Avoid making LMTP visible for the entire internet
|
||||
#address =
|
||||
#port =
|
||||
#}
|
||||
#>GNUNUX
|
||||
inet_listener lmtp {
|
||||
address = %%ip_eth0
|
||||
port = 8024
|
||||
}
|
||||
#<GNUNUX
|
||||
}
|
||||
|
||||
service imap {
|
||||
# Most of the memory goes to mmap()ing files. You may need to increase this
|
||||
# limit if you have huge mailboxes.
|
||||
#vsz_limit = $default_vsz_limit
|
||||
|
||||
# Max. number of IMAP processes (connections)
|
||||
#process_limit = 1024
|
||||
}
|
||||
|
||||
service pop3 {
|
||||
# Max. number of POP3 processes (connections)
|
||||
#process_limit = 1024
|
||||
}
|
||||
|
||||
service submission {
|
||||
# Max. number of SMTP Submission processes (connections)
|
||||
#process_limit = 1024
|
||||
}
|
||||
|
||||
service auth {
|
||||
# auth_socket_path points to this userdb socket by default. It's typically
|
||||
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
|
||||
# full permissions to this socket are able to get a list of all usernames and
|
||||
# get the results of everyone's userdb lookups.
|
||||
#
|
||||
# The default 0666 mode allows anyone to connect to the socket, but the
|
||||
# userdb lookups will succeed only if the userdb returns an "uid" field that
|
||||
# matches the caller process's UID. Also if caller's uid or gid matches the
|
||||
# socket's uid or gid the lookup succeeds. Anything else causes a failure.
|
||||
#
|
||||
# To give the caller full permissions to lookup all users, set the mode to
|
||||
# something else than 0666 and Dovecot lets the kernel enforce the
|
||||
# permissions (e.g. 0777 allows everyone full permissions).
|
||||
unix_listener auth-userdb {
|
||||
#mode = 0666
|
||||
#user =
|
||||
#group =
|
||||
#>GNUNUX
|
||||
mode = 0666
|
||||
user = vmail
|
||||
#<GNUNUX
|
||||
}
|
||||
|
||||
# Postfix smtp-auth
|
||||
#unix_listener /var/spool/postfix/private/auth {
|
||||
# mode = 0666
|
||||
#}
|
||||
#>GNUNUX
|
||||
unix_listener /srv/dovecot/auth {
|
||||
mode = 0666
|
||||
user = postfix
|
||||
group = postfix
|
||||
}
|
||||
#<GNUNUX
|
||||
|
||||
# Auth process is run as this user.
|
||||
#user = $default_internal_user
|
||||
}
|
||||
|
||||
service auth-worker {
|
||||
# Auth worker process is run as root by default, so that it can access
|
||||
# /etc/shadow. If this isn't necessary, the user should be changed to
|
||||
# $default_internal_user.
|
||||
#user = root
|
||||
}
|
||||
|
||||
service dict {
|
||||
# If dict proxy is used, mail processes should have access to its socket.
|
||||
# For example: mode=0660, group=vmail and global mail_access_groups=vmail
|
||||
unix_listener dict {
|
||||
#mode = 0600
|
||||
#user =
|
||||
#group =
|
||||
}
|
||||
}
|
|
@ -0,0 +1,90 @@
|
|||
##
|
||||
## SSL settings
|
||||
##
|
||||
|
||||
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
|
||||
# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
|
||||
# plain imap and pop3 are still allowed for local connections
|
||||
ssl = required
|
||||
|
||||
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
|
||||
# dropping root privileges, so keep the key file unreadable by anyone but
|
||||
# root. Included doc/mkcert.sh can be used to easily generate self-signed
|
||||
# certificate, just make sure to update the domains in dovecot-openssl.cnf
|
||||
#GNUNUX ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
|
||||
#GNUNUX ssl_key = </etc/pki/dovecot/private/dovecot.pem
|
||||
#>GNUNUX
|
||||
ssl_cert = </etc/pki/tls/certs/dovecot.crt
|
||||
ssl_key = </etc/pki/tls/private/dovecot.key
|
||||
#<GNUNUX
|
||||
|
||||
# If key file is password protected, give the password here. Alternatively
|
||||
# give it when starting dovecot with -p parameter. Since this file is often
|
||||
# world-readable, you may want to place this setting instead to a different
|
||||
# root owned 0600 file by using ssl_key_password = <path.
|
||||
#ssl_key_password =
|
||||
|
||||
# PEM encoded trusted certificate authority. Set this only if you intend to use
|
||||
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
|
||||
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
|
||||
#ssl_ca =
|
||||
|
||||
# Require that CRL check succeeds for client certificates.
|
||||
#ssl_require_crl = yes
|
||||
|
||||
# Directory and/or file for trusted SSL CA certificates. These are used only
|
||||
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
|
||||
# submission service). The directory is usually /etc/pki/dovecot/certs in
|
||||
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
|
||||
# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
|
||||
# large CA bundles, because it leads to excessive memory usage.
|
||||
#ssl_client_ca_dir =
|
||||
#ssl_client_ca_file =
|
||||
ssl_client_ca_file = /etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt
|
||||
|
||||
# Require valid cert when connecting to a remote server
|
||||
#ssl_client_require_valid_cert = yes
|
||||
|
||||
# Request client to send a certificate. If you also want to require it, set
|
||||
# auth_ssl_require_client_cert=yes in auth section.
|
||||
#ssl_verify_client_cert = no
|
||||
|
||||
# Which field from certificate to use for username. commonName and
|
||||
# x500UniqueIdentifier are the usual choices. You'll also need to set
|
||||
# auth_ssl_username_from_cert=yes.
|
||||
#ssl_cert_username_field = commonName
|
||||
|
||||
# SSL DH parameters
|
||||
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
|
||||
# Or migrate from old ssl-parameters.dat file with the command dovecot
|
||||
# gives on startup when ssl_dh is unset.
|
||||
#ssl_dh = </etc/dovecot/dh.pem
|
||||
|
||||
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
|
||||
# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
|
||||
#
|
||||
# Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol
|
||||
# version, and LATEST matches with the latest version supported by library.
|
||||
#ssl_min_protocol = TLSv1.2
|
||||
|
||||
# SSL ciphers to use, the default is:
|
||||
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||
# To disable non-EC DH, use:
|
||||
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||
ssl_cipher_list = PROFILE=SYSTEM
|
||||
|
||||
# Colon separated list of elliptic curves to use. Empty value (the default)
|
||||
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
|
||||
# example of a valid value.
|
||||
#ssl_curve_list =
|
||||
|
||||
# Prefer the server's order of ciphers over client's.
|
||||
#ssl_prefer_server_ciphers = no
|
||||
|
||||
# SSL crypto device to use, for valid values run "openssl engine"
|
||||
#ssl_crypto_device =
|
||||
|
||||
# SSL extra options. Currently supported options are:
|
||||
# compression - Enable compression.
|
||||
# no_ticket - Disable SSL session tickets.
|
||||
#ssl_options =
|
|
@ -0,0 +1,23 @@
|
|||
# Uncomment to enable managesieve protocol:
|
||||
protocols = $protocols sieve
|
||||
|
||||
service managesieve-login {
|
||||
inet_listener sieve {
|
||||
port = 4190
|
||||
}
|
||||
|
||||
#inet_listener sieve_deprecated {
|
||||
# port = 2000
|
||||
#}
|
||||
|
||||
# Number of connections to handle before starting a new process. Typically
|
||||
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
|
||||
# is faster. <doc/wiki/LoginProcess.txt>
|
||||
service_count = 1
|
||||
|
||||
# Number of processes to always keep waiting for more connections.
|
||||
process_min_avail = 0
|
||||
|
||||
# If you set service_count=0, you probably need to grow this.
|
||||
vsz_limit = 64M
|
||||
}
|
|
@ -0,0 +1,51 @@
|
|||
##
|
||||
## LDA specific settings (also used by LMTP)
|
||||
##
|
||||
|
||||
# Address to use when sending rejection mails.
|
||||
# Default is postmaster@%d. %d expands to recipient domain.
|
||||
#postmaster_address =
|
||||
|
||||
# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
|
||||
# in LMTP replies. Default is the system's real hostname@domain.
|
||||
#hostname =
|
||||
|
||||
# If user is over quota, return with temporary failure instead of
|
||||
# bouncing the mail.
|
||||
#quota_full_tempfail = no
|
||||
|
||||
# Binary to use for sending mails.
|
||||
#sendmail_path = /usr/sbin/sendmail
|
||||
|
||||
# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
|
||||
#submission_host =
|
||||
|
||||
# Subject: header to use for rejection mails. You can use the same variables
|
||||
# as for rejection_reason below.
|
||||
#rejection_subject = Rejected: %s
|
||||
|
||||
# Human readable error message for rejection mails. You can use variables:
|
||||
# %n = CRLF, %r = reason, %s = original subject, %t = recipient
|
||||
#rejection_reason = Your message to <%t> was automatically rejected:%n%r
|
||||
|
||||
# Delimiter character between local-part and detail in email address.
|
||||
#recipient_delimiter = +
|
||||
|
||||
# Header where the original recipient address (SMTP's RCPT TO: address) is taken
|
||||
# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
|
||||
# A commonly used header for this is X-Original-To.
|
||||
#lda_original_recipient_header =
|
||||
|
||||
# Should saving a mail to a nonexistent mailbox automatically create it?
|
||||
#lda_mailbox_autocreate = no
|
||||
|
||||
# Should automatically created mailboxes be also automatically subscribed?
|
||||
#lda_mailbox_autosubscribe = no
|
||||
|
||||
# GNUNUX protocol lda {
|
||||
# GNUNUX # Space separated list of plugins to load (default is global mail_plugins).
|
||||
# GNUNUX #mail_plugins = $mail_plugins
|
||||
# GNUNUX #>GNUNUX
|
||||
# GNUNUX mail_plugins = sieve
|
||||
# GNUNUX #<GNUNUX
|
||||
# GNUNUX }
|
|
@ -0,0 +1,12 @@
|
|||
service stats {
|
||||
unix_listener stats-reader {
|
||||
user = vmail
|
||||
group = vmail
|
||||
mode = 0660
|
||||
}
|
||||
unix_listener stats-writer {
|
||||
user = vmail
|
||||
group = vmail
|
||||
mode = 0660
|
||||
}
|
||||
}
|
|
@ -0,0 +1,39 @@
|
|||
# Authentication for LDAP users. Included from 10-auth.conf.
|
||||
#
|
||||
# <doc/wiki/AuthDatabase.LDAP.txt>
|
||||
|
||||
passdb {
|
||||
driver = ldap
|
||||
|
||||
# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
|
||||
args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||
}
|
||||
|
||||
# "prefetch" user database means that the passdb already provided the
|
||||
# needed information and there's no need to do a separate userdb lookup.
|
||||
# <doc/wiki/UserDatabase.Prefetch.txt>
|
||||
#userdb {
|
||||
# driver = prefetch
|
||||
#}
|
||||
|
||||
# GNUNUX userdb {
|
||||
# GNUNUX driver = ldap
|
||||
# GNUNUX args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||
# GNUNUX
|
||||
# GNUNUX # Default fields can be used to specify defaults that LDAP may override
|
||||
# GNUNUX #default_fields = home=/home/virtual/%u
|
||||
# GNUNUX }
|
||||
|
||||
# If you don't have any user-specific settings, you can avoid the userdb LDAP
|
||||
# lookup by using userdb static instead of userdb ldap, for example:
|
||||
# <doc/wiki/UserDatabase.Static.txt>
|
||||
#userdb {
|
||||
#driver = static
|
||||
#args = uid=vmail gid=vmail home=/var/vmail/%u
|
||||
#}
|
||||
#>GNUNUX
|
||||
userdb {
|
||||
driver = static
|
||||
args = uid=vmail gid=vmail home=/srv/mail/%u
|
||||
}
|
||||
#<GNUNUX
|
|
@ -0,0 +1,6 @@
|
|||
# GNUNUX see /usr/share/doc/dovecot/wiki/PasswordDatabase.oauth2.txt
|
||||
passdb {
|
||||
driver = oauth2
|
||||
mechanisms = xoauth2 #FIXME oauthbearer
|
||||
args = /etc/dovecot/dovecot-oauth2.conf.ext
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
# Authentication for passwd-file users. Included from 10-auth.conf.
|
||||
#
|
||||
# passwd-like file with specified location.
|
||||
# <doc/wiki/AuthDatabase.PasswdFile.txt>
|
||||
|
||||
passdb {
|
||||
driver = passwd-file
|
||||
# GNUNUX args = scheme=CRYPT username_format=%u /etc/dovecot/users
|
||||
args = scheme=SHA512-CRYPT username_format=%n /etc/dovecot/risotto_users
|
||||
}
|
||||
|
||||
# GNUNUX userdb {
|
||||
# GNUNUX driver = passwd-file
|
||||
# GNUNUX args = username_format=%u /etc/dovecot/users
|
||||
# GNUNUX
|
||||
# GNUNUX # Default fields that can be overridden by passwd-file
|
||||
# GNUNUX #default_fields = quota_rule=*:storage=1G
|
||||
# GNUNUX
|
||||
# GNUNUX # Override fields from passwd-file
|
||||
# GNUNUX #override_fields = home=/home/virtual/%u
|
||||
# GNUNUX }
|
|
@ -0,0 +1 @@
|
|||
%%dovecot_ca_chain
|
|
@ -0,0 +1 @@
|
|||
%%postfix_ca_chain
|
|
@ -0,0 +1 @@
|
|||
%%get_chain(%%revprox_server_domainname, authority_name='ReverseProxy')
|
|
@ -0,0 +1,6 @@
|
|||
[Unit]
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/bin/true
|
|
@ -0,0 +1,181 @@
|
|||
# SEE /usr/share/doc/dovecot/example-config/dovecot-ldap.conf.ext
|
||||
# This file is commonly accessed via passdb {} or userdb {} section in
|
||||
# conf.d/auth-ldap.conf.ext
|
||||
|
||||
# This file is opened as root, so it should be owned by root and mode 0600.
|
||||
#
|
||||
# http://wiki2.dovecot.org/AuthDatabase/LDAP
|
||||
#
|
||||
# NOTE: If you're not using authentication binds, you'll need to give
|
||||
# dovecot-auth read access to userPassword field in the LDAP server.
|
||||
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
|
||||
# already be something like this:
|
||||
|
||||
# access to attribute=userPassword
|
||||
# by dn="<dovecot's dn>" read # add this
|
||||
# by anonymous auth
|
||||
# by self write
|
||||
# by * none
|
||||
|
||||
# Space separated list of LDAP hosts to use. host:port is allowed too.
|
||||
#hosts =
|
||||
|
||||
# LDAP URIs to use. You can use this instead of hosts list. Note that this
|
||||
# setting isn't supported by all LDAP libraries.
|
||||
#uris =
|
||||
#>GNUNUX
|
||||
uris = ldaps://%%ldap_server_address
|
||||
#<GNUNUX
|
||||
|
||||
# Distinguished Name - the username used to login to the LDAP server.
|
||||
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
|
||||
#dn =
|
||||
|
||||
# Password for LDAP server, if dn is specified.
|
||||
#dnpass =
|
||||
#>GNUNUX
|
||||
dn = %%ldapclient_remote_user
|
||||
dnpass = %%ldapclient_remote_user_password
|
||||
#<GNUNUX
|
||||
|
||||
# Use SASL binding instead of the simple binding. Note that this changes
|
||||
# ldap_version automatically to be 3 if it's lower.
|
||||
#sasl_bind = no
|
||||
# SASL mechanism name to use.
|
||||
#sasl_mech =
|
||||
# SASL realm to use.
|
||||
#sasl_realm =
|
||||
# SASL authorization ID, ie. the dnpass is for this "master user", but the
|
||||
# dn is still the logged in user. Normally you want to keep this empty.
|
||||
#sasl_authz_id =
|
||||
|
||||
# Use TLS to connect to the LDAP server.
|
||||
#tls = no
|
||||
# TLS options, currently supported only with OpenLDAP:
|
||||
#tls_ca_cert_file =
|
||||
#tls_ca_cert_dir =
|
||||
#tls_cipher_suite =
|
||||
# TLS cert/key is used only if LDAP server requires a client certificate.
|
||||
#tls_cert_file =
|
||||
#tls_key_file =
|
||||
# Valid values: never, hard, demand, allow, try
|
||||
#tls_require_cert =
|
||||
#>GNUNUX
|
||||
tls_cert_file = %%ldap_cert_file
|
||||
tls_key_file = %%ldap_key_file
|
||||
tls_ca_cert_file = %%ldap_ca_file
|
||||
tls_require_cert = hard
|
||||
#>GNUNUX
|
||||
|
||||
# Use the given ldaprc path.
|
||||
#ldaprc_path =
|
||||
|
||||
# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
|
||||
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
|
||||
# to get enough output.
|
||||
#debug_level = 0
|
||||
|
||||
# Use authentication binding for verifying password's validity. This works by
|
||||
# logging into LDAP server using the username and password given by client.
|
||||
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
|
||||
# is still used, only the password field is ignored in it. Before doing any
|
||||
# search, the binding is switched back to the default DN.
|
||||
#auth_bind = no
|
||||
|
||||
# If authentication binding is used, you can save one LDAP request per login
|
||||
# if users' DN can be specified with a common template. The template can use
|
||||
# the standard %variables (see user_filter). Note that you can't
|
||||
# use any pass_attrs if you use this setting.
|
||||
#
|
||||
# If you use this setting, it's a good idea to use a different
|
||||
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
|
||||
# the filename is different in userdb's args). That way one connection is used
|
||||
# only for LDAP binds and another connection is used for user lookups.
|
||||
# Otherwise the binding is changed to the default DN before each user lookup.
|
||||
#
|
||||
# For example:
|
||||
# auth_bind_userdn = cn=%u,ou=people,o=org
|
||||
#
|
||||
#auth_bind_userdn =
|
||||
#>GNUNUX
|
||||
auth_bind = yes
|
||||
auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
|
||||
#<GNUNUX
|
||||
|
||||
# LDAP protocol version to use. Likely 2 or 3.
|
||||
#ldap_version = 3
|
||||
|
||||
# LDAP base. %variables can be used here.
|
||||
# For example: dc=mail, dc=example, dc=org
|
||||
# GNUNUX base =
|
||||
base = ou=users,%%ldap_base_dn
|
||||
|
||||
# Dereference: never, searching, finding, always
|
||||
#deref = never
|
||||
|
||||
# Search scope: base, onelevel, subtree
|
||||
#scope = subtree
|
||||
|
||||
# User attributes are given in LDAP-name=dovecot-internal-name list. The
|
||||
# internal names are:
|
||||
# uid - System UID
|
||||
# gid - System GID
|
||||
# home - Home directory
|
||||
# mail - Mail location
|
||||
#
|
||||
# There are also other special fields which can be returned, see
|
||||
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
|
||||
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
|
||||
|
||||
# Filter for user lookup. Some variables can be used (see
|
||||
# http://wiki2.dovecot.org/Variables for full list):
|
||||
# %u - username
|
||||
# %n - user part in user@domain, same as %u if there's no domain
|
||||
# %d - domain part in user@domain, empty if user there's no domain
|
||||
#user_filter = (&(objectClass=posixAccount)(uid=%u))
|
||||
#>GNUNUX
|
||||
user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
|
||||
#<GNUNUX
|
||||
|
||||
# Password checking attributes:
|
||||
# user: Virtual user name (user@domain), if you wish to change the
|
||||
# user-given username to something else
|
||||
# password: Password, may optionally start with {type}, eg. {crypt}
|
||||
# There are also other special fields which can be returned, see
|
||||
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
|
||||
#pass_attrs = uid=user,userPassword=password
|
||||
|
||||
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
|
||||
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
|
||||
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
|
||||
# string. For example:
|
||||
#pass_attrs = uid=user,userPassword=password,\
|
||||
# homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
|
||||
|
||||
# Filter for password lookups
|
||||
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
|
||||
#>GNUNUX
|
||||
pass_attrs = cn=user
|
||||
pass_filter = (&(objectClass=inetOrgPerson)(cn=%u))
|
||||
#<GNUNUX
|
||||
|
||||
# Attributes and filter to get a list of all users
|
||||
#iterate_attrs = uid=user
|
||||
#iterate_filter = (objectClass=posixAccount)
|
||||
#>GNUNUX
|
||||
iterate_attrs = cn=user
|
||||
iterate_filter = (&(objectClass=inetOrgPerson)(cn=%u))
|
||||
#<GNUNUX
|
||||
|
||||
# Default password scheme. "{scheme}" before password overrides this.
|
||||
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
|
||||
#default_pass_scheme = CRYPT
|
||||
|
||||
# By default all LDAP lookups are performed by the auth master process.
|
||||
# If blocking=yes, auth worker processes are used to perform the lookups.
|
||||
# Each auth worker process creates its own LDAP connection so this can
|
||||
# increase parallelism. With blocking=no the auth master process can
|
||||
# keep 8 requests pipelined for the LDAP connection, while with blocking=yes
|
||||
# each connection has a maximum of 1 request running. For small systems the
|
||||
# blocking=no is sufficient and uses less resources.
|
||||
#blocking = no
|
|
@ -0,0 +1,92 @@
|
|||
# GNUNUX from : /usr/share/doc/dovecot/example-config/dovecot-oauth2.conf.ext
|
||||
### OAuth2 password database configuration
|
||||
|
||||
## url for verifying token validity. Token is appended to the URL
|
||||
# tokeninfo_url = http://endpoint/oauth/tokeninfo?access_token=
|
||||
#>GNUNUX
|
||||
tokeninfo_url = https://%%oauth2_client_server_domainname/oauth2/userinfo/?access_token=
|
||||
#<GNUNUX
|
||||
|
||||
## introspection endpoint, used to gather extra fields and other information.
|
||||
# introspection_url = http://endpoint/oauth/me
|
||||
|
||||
## How introspection is made, valid values are
|
||||
## auth = GET request with Bearer authentication
|
||||
## get = GET request with token appended to URL
|
||||
## post = POST request with token=bearer_token as content
|
||||
## local = perform local validation only
|
||||
# introspection_mode = auth
|
||||
|
||||
## Force introspection even if tokeninfo contains wanted fields
|
||||
## Set this to yes if you are using active_attribute
|
||||
# force_introspection = no
|
||||
#>GNUNUX
|
||||
introspection_url = https://%%oauth2_client_server_domainname/oauth2/introspect/
|
||||
introspection_mode = post
|
||||
force_introspection = no
|
||||
#<GNUNUX
|
||||
|
||||
## Validation key dictionary (e.g. fs:posix:prefix=/etc/dovecot/keys/)
|
||||
## Lookup key is /shared/<azp:default>/<alg>/<kid:default>
|
||||
# local_validation_key_dict =
|
||||
|
||||
## A single wanted scope of validity (optional)
|
||||
# scope = something
|
||||
#>GNUNUX
|
||||
#scope = openid,profile,email
|
||||
#<GNUNUX
|
||||
|
||||
## username attribute in response (default: email)
|
||||
# username_attribute = email
|
||||
#>GNUNUX
|
||||
username_attribute = email
|
||||
#<GNUNUX
|
||||
|
||||
## username normalization format (default: %Lu)
|
||||
# username_format = %Lu
|
||||
|
||||
## Attribute name for checking whether account is disabled (optional)
|
||||
# active_attribute =
|
||||
|
||||
## Expected value in active_attribute (empty = require present, but anything goes)
|
||||
# active_value =
|
||||
|
||||
## Expected issuer(s) for the token (space separated list)
|
||||
# issuers =
|
||||
|
||||
## URL to RFC 7628 OpenID Provider Configuration Information schema
|
||||
# openid_configuration_url =
|
||||
#>GNUNUX
|
||||
openid_configuration_url = https://%%oauth2_client_server_domainname/.well-known/openid-configuration
|
||||
#<GNUNUX
|
||||
|
||||
## Extra fields to set in passdb response (in passdb static style)
|
||||
# pass_attrs =
|
||||
|
||||
## Timeout in milliseconds
|
||||
# timeout_msecs = 0
|
||||
|
||||
## Enable debug logging
|
||||
# debug = no
|
||||
|
||||
## Max parallel connections (how many simultaneous connections to open)
|
||||
# max_parallel_connections = 10
|
||||
|
||||
## Max pipelined requests (how many requests to send per connection, requires server-side support)
|
||||
# max_pipelined_requests = 1
|
||||
|
||||
## HTTP request raw log directory
|
||||
# rawlog_dir = /tmp/oauth2
|
||||
|
||||
#>GNUNUX
|
||||
client_id = %%oauth2_client_id
|
||||
client_secret = %%oauth2_client_secret
|
||||
#<GNUNUX
|
||||
|
||||
## TLS settings
|
||||
# tls_ca_cert_file = /path/to/ca-certificates.txt
|
||||
# tls_ca_cert_dir = /path/to/certs/
|
||||
# tls_cert_file = /path/to/client/cert
|
||||
# tls_key_file = /path/to/client/key
|
||||
# tls_cipher_suite = HIGH:!SSLv2
|
||||
# tls_allow_invalid_cert = FALSE
|
|
@ -0,0 +1,5 @@
|
|||
%set %%extra_domainnames = []
|
||||
%for %%idx in %%range(1, %%number_of_interfaces)
|
||||
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
|
||||
%end for
|
||||
%%get_certificate(%%domain_name_eth0, 'IMAPServer', extra_domainnames=%%extra_domainnames)
|
|
@ -0,0 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, 'IMAPServer')
|
|
@ -0,0 +1,13 @@
|
|||
server_host = ldaps://%%ldap_server_address
|
||||
server_port = %%ldap_port
|
||||
tls_cert = %%ldap_cert_file
|
||||
tls_key = %%ldap_key_file
|
||||
tls_ca_cert_file = %%ldap_ca_file
|
||||
tls_require_cert = yes
|
||||
version = 3
|
||||
bind = yes
|
||||
bind_dn = %%ldapclient_remote_user
|
||||
bind_pw = %%ldapclient_remote_user_password
|
||||
search_base = ou=users,%%ldap_base_dn
|
||||
query_filter = (mail=%s)
|
||||
result_attribute = cn
|
808
seed/applicationservice/2022.03.08/dovecot/templates/main.cf
Normal file
808
seed/applicationservice/2022.03.08/dovecot/templates/main.cf
Normal file
|
@ -0,0 +1,808 @@
|
|||
# Global Postfix configuration file. This file lists only a subset
|
||||
# of all parameters. For the syntax, and for a complete parameter
|
||||
# list, see the postconf(5) manual page (command: "man 5 postconf").
|
||||
#
|
||||
# For common configuration examples, see BASIC_CONFIGURATION_README
|
||||
# and STANDARD_CONFIGURATION_README. To find these documents, use
|
||||
# the command "postconf html_directory readme_directory", or go to
|
||||
# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
|
||||
#
|
||||
# For best results, change no more than 2-3 parameters at a time,
|
||||
# and test if Postfix still works after every change.
|
||||
|
||||
# COMPATIBILITY
|
||||
#
|
||||
# The compatibility_level determines what default settings Postfix
|
||||
# will use for main.cf and master.cf settings. These defaults will
|
||||
# change over time.
|
||||
#
|
||||
# To avoid breaking things, Postfix will use backwards-compatible
|
||||
# default settings and log where it uses those old backwards-compatible
|
||||
# default settings, until the system administrator has determined
|
||||
# if any backwards-compatible default settings need to be made
|
||||
# permanent in main.cf or master.cf.
|
||||
#
|
||||
# When this review is complete, update the compatibility_level setting
|
||||
# below as recommended in the RELEASE_NOTES file.
|
||||
#
|
||||
# The level below is what should be used with new (not upgrade) installs.
|
||||
#
|
||||
compatibility_level = 3.6
|
||||
|
||||
# SOFT BOUNCE
|
||||
#
|
||||
# The soft_bounce parameter provides a limited safety net for
|
||||
# testing. When soft_bounce is enabled, mail will remain queued that
|
||||
# would otherwise bounce. This parameter disables locally-generated
|
||||
# bounces, and prevents the SMTP server from rejecting mail permanently
|
||||
# (by changing 5xx replies into 4xx replies). However, soft_bounce
|
||||
# is no cure for address rewriting mistakes or mail routing mistakes.
|
||||
#
|
||||
#soft_bounce = no
|
||||
|
||||
# LOCAL PATHNAME INFORMATION
|
||||
#
|
||||
# The queue_directory specifies the location of the Postfix queue.
|
||||
# This is also the root directory of Postfix daemons that run chrooted.
|
||||
# See the files in examples/chroot-setup for setting up Postfix chroot
|
||||
# environments on different UNIX systems.
|
||||
#
|
||||
# GNUNUX queue_directory = /var/spool/postfix
|
||||
queue_directory = /srv/postfix/spool
|
||||
|
||||
# The command_directory parameter specifies the location of all
|
||||
# postXXX commands.
|
||||
#
|
||||
command_directory = /usr/sbin
|
||||
|
||||
# The daemon_directory parameter specifies the location of all Postfix
|
||||
# daemon programs (i.e. programs listed in the master.cf file). This
|
||||
# directory must be owned by root.
|
||||
#
|
||||
daemon_directory = /usr/libexec/postfix
|
||||
|
||||
# The data_directory parameter specifies the location of Postfix-writable
|
||||
# data files (caches, random numbers). This directory must be owned
|
||||
# by the mail_owner account (see below).
|
||||
#
|
||||
# GNUNUX data_directory = /var/lib/postfix
|
||||
data_directory = /srv/postfix/data
|
||||
|
||||
# QUEUE AND PROCESS OWNERSHIP
|
||||
#
|
||||
# The mail_owner parameter specifies the owner of the Postfix queue
|
||||
# and of most Postfix daemon processes. Specify the name of a user
|
||||
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
|
||||
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
|
||||
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
|
||||
# USER.
|
||||
#
|
||||
mail_owner = postfix
|
||||
|
||||
# The default_privs parameter specifies the default rights used by
|
||||
# the local delivery agent for delivery to external file or command.
|
||||
# These rights are used in the absence of a recipient user context.
|
||||
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
|
||||
#
|
||||
#default_privs = nobody
|
||||
|
||||
# INTERNET HOST AND DOMAIN NAMES
|
||||
#
|
||||
# The myhostname parameter specifies the internet hostname of this
|
||||
# mail system. The default is to use the fully-qualified domain name
|
||||
# from gethostname(). $myhostname is used as a default value for many
|
||||
# other configuration parameters.
|
||||
#
|
||||
#myhostname = host.domain.tld
|
||||
#myhostname = virtual.domain.tld
|
||||
myhostname = %%domain_name_eth0
|
||||
|
||||
# The mydomain parameter specifies the local internet domain name.
|
||||
# The default is to use $myhostname minus the first component.
|
||||
# $mydomain is used as a default value for many other configuration
|
||||
# parameters.
|
||||
#
|
||||
#mydomain = domain.tld
|
||||
|
||||
# SENDING MAIL
|
||||
#
|
||||
# The myorigin parameter specifies the domain that locally-posted
|
||||
# mail appears to come from. The default is to append $myhostname,
|
||||
# which is fine for small sites. If you run a domain with multiple
|
||||
# machines, you should (1) change this to $mydomain and (2) set up
|
||||
# a domain-wide alias database that aliases each user to
|
||||
# user@that.users.mailhost.
|
||||
#
|
||||
# For the sake of consistency between sender and recipient addresses,
|
||||
# myorigin also specifies the default domain name that is appended
|
||||
# to recipient addresses that have no @domain part.
|
||||
#
|
||||
#myorigin = $myhostname
|
||||
#myorigin = $mydomain
|
||||
myorigin = %%domain_name_eth0
|
||||
|
||||
# RECEIVING MAIL
|
||||
|
||||
# The inet_interfaces parameter specifies the network interface
|
||||
# addresses that this mail system receives mail on. By default,
|
||||
# the software claims all active interfaces on the machine. The
|
||||
# parameter also controls delivery of mail to user@[ip.address].
|
||||
#
|
||||
# See also the proxy_interfaces parameter, for network addresses that
|
||||
# are forwarded to us via a proxy or network address translator.
|
||||
#
|
||||
# Note: you need to stop/start Postfix when this parameter changes.
|
||||
#
|
||||
#inet_interfaces = all
|
||||
#inet_interfaces = $myhostname
|
||||
#inet_interfaces = $myhostname, localhost
|
||||
# GNUNUX inet_interfaces = localhost
|
||||
inet_interfaces = all
|
||||
|
||||
# Enable IPv4, and IPv6 if supported
|
||||
inet_protocols = all
|
||||
|
||||
# The proxy_interfaces parameter specifies the network interface
|
||||
# addresses that this mail system receives mail on by way of a
|
||||
# proxy or network address translation unit. This setting extends
|
||||
# the address list specified with the inet_interfaces parameter.
|
||||
#
|
||||
# You must specify your proxy/NAT addresses when your system is a
|
||||
# backup MX host for other domains, otherwise mail delivery loops
|
||||
# will happen when the primary MX host is down.
|
||||
#
|
||||
#proxy_interfaces =
|
||||
#proxy_interfaces = 1.2.3.4
|
||||
|
||||
# The mydestination parameter specifies the list of domains that this
|
||||
# machine considers itself the final destination for.
|
||||
#
|
||||
# These domains are routed to the delivery agent specified with the
|
||||
# local_transport parameter setting. By default, that is the UNIX
|
||||
# compatible delivery agent that lookups all recipients in /etc/passwd
|
||||
# and /etc/aliases or their equivalent.
|
||||
#
|
||||
# The default is $myhostname + localhost.$mydomain + localhost. On
|
||||
# a mail domain gateway, you should also include $mydomain.
|
||||
#
|
||||
# Do not specify the names of virtual domains - those domains are
|
||||
# specified elsewhere (see VIRTUAL_README).
|
||||
#
|
||||
# Do not specify the names of domains that this machine is backup MX
|
||||
# host for. Specify those names via the relay_domains settings for
|
||||
# the SMTP server, or use permit_mx_backup if you are lazy (see
|
||||
# STANDARD_CONFIGURATION_README).
|
||||
#
|
||||
# The local machine is always the final destination for mail addressed
|
||||
# to user@[the.net.work.address] of an interface that the mail system
|
||||
# receives mail on (see the inet_interfaces parameter).
|
||||
#
|
||||
# Specify a list of host or domain names, /file/name or type:table
|
||||
# patterns, separated by commas and/or whitespace. A /file/name
|
||||
# pattern is replaced by its contents; a type:table is matched when
|
||||
# a name matches a lookup key (the right-hand side is ignored).
|
||||
# Continue long lines by starting the next line with whitespace.
|
||||
#
|
||||
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
|
||||
#
|
||||
mydestination = $myhostname, localhost.$mydomain, localhost
|
||||
|
||||
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
|
||||
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
|
||||
# mail.$mydomain, www.$mydomain, ftp.$mydomain
|
||||
|
||||
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
|
||||
#
|
||||
# The local_recipient_maps parameter specifies optional lookup tables
|
||||
# with all names or addresses of users that are local with respect
|
||||
# to $mydestination, $inet_interfaces or $proxy_interfaces.
|
||||
#
|
||||
# If this parameter is defined, then the SMTP server will reject
|
||||
# mail for unknown local users. This parameter is defined by default.
|
||||
#
|
||||
# To turn off local recipient checking in the SMTP server, specify
|
||||
# local_recipient_maps = (i.e. empty).
|
||||
#
|
||||
# The default setting assumes that you use the default Postfix local
|
||||
# delivery agent for local delivery. You need to update the
|
||||
# local_recipient_maps setting if:
|
||||
#
|
||||
# - You define $mydestination domain recipients in files other than
|
||||
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
|
||||
# For example, you define $mydestination domain recipients in
|
||||
# the $virtual_mailbox_maps files.
|
||||
#
|
||||
# - You redefine the local delivery agent in master.cf.
|
||||
#
|
||||
# - You redefine the "local_transport" setting in main.cf.
|
||||
#
|
||||
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
|
||||
# feature of the Postfix local delivery agent (see local(8)).
|
||||
#
|
||||
# Details are described in the LOCAL_RECIPIENT_README file.
|
||||
#
|
||||
# Beware: if the Postfix SMTP server runs chrooted, you probably have
|
||||
# to access the passwd file via the proxymap service, in order to
|
||||
# overcome chroot restrictions. The alternative, having a copy of
|
||||
# the system passwd file in the chroot jail is just not practical.
|
||||
#
|
||||
# The right-hand side of the lookup tables is conveniently ignored.
|
||||
# In the left-hand side, specify a bare username, an @domain.tld
|
||||
# wild-card, or specify a user@domain.tld address.
|
||||
#
|
||||
#local_recipient_maps = unix:passwd.byname $alias_maps
|
||||
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
|
||||
#local_recipient_maps =
|
||||
|
||||
# The unknown_local_recipient_reject_code specifies the SMTP server
|
||||
# response code when a recipient domain matches $mydestination or
|
||||
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
|
||||
# and the recipient address or address local-part is not found.
|
||||
#
|
||||
# The default setting is 550 (reject mail) but it is safer to start
|
||||
# with 450 (try again later) until you are certain that your
|
||||
# local_recipient_maps settings are OK.
|
||||
#
|
||||
unknown_local_recipient_reject_code = 550
|
||||
#>GNUNUX
|
||||
unverified_recipient_reject_code = 550
|
||||
#<GNUNUX
|
||||
|
||||
# TRUST AND RELAY CONTROL
|
||||
|
||||
smtpd_recipient_restrictions =
|
||||
permit_mynetworks,
|
||||
permit_sasl_authenticated,
|
||||
reject_unauth_destination,
|
||||
reject_unknown_client,
|
||||
reject_non_fqdn_helo_hostname,
|
||||
reject_invalid_helo_hostname,
|
||||
reject_non_fqdn_sender,
|
||||
reject_unknown_sender_domain,
|
||||
reject_unlisted_recipient,
|
||||
# FIXME check_sender_access hash:/etc/postfix/sender_access,
|
||||
# FIXME check_recipient_access hash:/etc/postfix/recv_access,
|
||||
|
||||
|
||||
# The mynetworks parameter specifies the list of "trusted" SMTP
|
||||
# clients that have more privileges than "strangers".
|
||||
#
|
||||
# In particular, "trusted" SMTP clients are allowed to relay mail
|
||||
# through Postfix. See the smtpd_recipient_restrictions parameter
|
||||
# in postconf(5).
|
||||
#
|
||||
# You can specify the list of "trusted" network addresses by hand
|
||||
# or you can let Postfix do it for you (which is the default).
|
||||
#
|
||||
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
|
||||
# clients in the same IP subnetworks as the local machine.
|
||||
# On Linux, this works correctly only with interfaces specified
|
||||
# with the "ifconfig" command.
|
||||
#
|
||||
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
|
||||
# clients in the same IP class A/B/C networks as the local machine.
|
||||
# Don't do this with a dialup site - it would cause Postfix to "trust"
|
||||
# your entire provider's network. Instead, specify an explicit
|
||||
# mynetworks list by hand, as described below.
|
||||
#
|
||||
# Specify "mynetworks_style = host" when Postfix should "trust"
|
||||
# only the local machine.
|
||||
#
|
||||
#mynetworks_style = class
|
||||
#mynetworks_style = subnet
|
||||
#mynetworks_style = host
|
||||
|
||||
# Alternatively, you can specify the mynetworks list by hand, in
|
||||
# which case Postfix ignores the mynetworks_style setting.
|
||||
#
|
||||
# Specify an explicit list of network/netmask patterns, where the
|
||||
# mask specifies the number of bits in the network part of a host
|
||||
# address.
|
||||
#
|
||||
# You can also specify the absolute pathname of a pattern file instead
|
||||
# of listing the patterns here. Specify type:table for table-based lookups
|
||||
# (the value on the table right-hand side is not used).
|
||||
#
|
||||
#mynetworks = 168.100.3.0/28, 127.0.0.0/8
|
||||
#mynetworks = $config_directory/mynetworks
|
||||
#mynetworks = hash:/etc/postfix/network_table
|
||||
mynetworks = 172.0.0.0/8
|
||||
|
||||
# The relay_domains parameter restricts what destinations this system will
|
||||
# relay mail to. See the smtpd_recipient_restrictions description in
|
||||
# postconf(5) for detailed information.
|
||||
#
|
||||
# By default, Postfix relays mail
|
||||
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
|
||||
# - from "untrusted" clients to destinations that match $relay_domains or
|
||||
# subdomains thereof, except addresses with sender-specified routing.
|
||||
# The default relay_domains value is $mydestination.
|
||||
#
|
||||
# In addition to the above, the Postfix SMTP server by default accepts mail
|
||||
# that Postfix is final destination for:
|
||||
# - destinations that match $inet_interfaces or $proxy_interfaces,
|
||||
# - destinations that match $mydestination
|
||||
# - destinations that match $virtual_alias_domains,
|
||||
# - destinations that match $virtual_mailbox_domains.
|
||||
# These destinations do not need to be listed in $relay_domains.
|
||||
#
|
||||
# Specify a list of hosts or domains, /file/name patterns or type:name
|
||||
# lookup tables, separated by commas and/or whitespace. Continue
|
||||
# long lines by starting the next line with whitespace. A file name
|
||||
# is replaced by its contents; a type:name table is matched when a
|
||||
# (parent) domain appears as lookup key.
|
||||
#
|
||||
# NOTE: Postfix will not automatically forward mail for domains that
|
||||
# list this system as their primary or backup MX host. See the
|
||||
# permit_mx_backup restriction description in postconf(5).
|
||||
#
|
||||
#relay_domains = $mydestination
|
||||
|
||||
# INTERNET OR INTRANET
|
||||
|
||||
# The relayhost parameter specifies the default host to send mail to
|
||||
# when no entry is matched in the optional transport(5) table. When
|
||||
# no relayhost is given, mail is routed directly to the destination.
|
||||
#
|
||||
# On an intranet, specify the organizational domain name. If your
|
||||
# internal DNS uses no MX records, specify the name of the intranet
|
||||
# gateway host instead.
|
||||
#
|
||||
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
|
||||
# [address] or [address]:port; the form [host] turns off MX lookups.
|
||||
#
|
||||
# If you're connected via UUCP, see also the default_transport parameter.
|
||||
#
|
||||
#relayhost = $mydomain
|
||||
#relayhost = [gateway.my.domain]
|
||||
#relayhost = [mailserver.isp.tld]
|
||||
#relayhost = uucphost
|
||||
#relayhost = [an.ip.add.ress]
|
||||
#>GNUNUX
|
||||
relayhost = %%smtp_relay_address
|
||||
smtp_sasl_auth_enable = yes
|
||||
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
|
||||
smtp_sasl_security_options = noanonymous
|
||||
#<GNUNUX
|
||||
|
||||
# REJECTING UNKNOWN RELAY USERS
|
||||
#
|
||||
# The relay_recipient_maps parameter specifies optional lookup tables
|
||||
# with all addresses in the domains that match $relay_domains.
|
||||
#
|
||||
# If this parameter is defined, then the SMTP server will reject
|
||||
# mail for unknown relay users. This feature is off by default.
|
||||
#
|
||||
# The right-hand side of the lookup tables is conveniently ignored.
|
||||
# In the left-hand side, specify an @domain.tld wild-card, or specify
|
||||
# a user@domain.tld address.
|
||||
#
|
||||
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
|
||||
|
||||
# INPUT RATE CONTROL
|
||||
#
|
||||
# The in_flow_delay configuration parameter implements mail input
|
||||
# flow control. This feature is turned on by default, although it
|
||||
# still needs further development (it's disabled on SCO UNIX due
|
||||
# to an SCO bug).
|
||||
#
|
||||
# A Postfix process will pause for $in_flow_delay seconds before
|
||||
# accepting a new message, when the message arrival rate exceeds the
|
||||
# message delivery rate. With the default 100 SMTP server process
|
||||
# limit, this limits the mail inflow to 100 messages a second more
|
||||
# than the number of messages delivered per second.
|
||||
#
|
||||
# Specify 0 to disable the feature. Valid delays are 0..10.
|
||||
#
|
||||
#in_flow_delay = 1s
|
||||
|
||||
# ADDRESS REWRITING
|
||||
#
|
||||
# The ADDRESS_REWRITING_README document gives information about
|
||||
# address masquerading or other forms of address rewriting including
|
||||
# username->Firstname.Lastname mapping.
|
||||
|
||||
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
|
||||
#
|
||||
# The VIRTUAL_README document gives information about the many forms
|
||||
# of domain hosting that Postfix supports.
|
||||
|
||||
# "USER HAS MOVED" BOUNCE MESSAGES
|
||||
#
|
||||
# See the discussion in the ADDRESS_REWRITING_README document.
|
||||
|
||||
# TRANSPORT MAP
|
||||
#
|
||||
# See the discussion in the ADDRESS_REWRITING_README document.
|
||||
|
||||
# ALIAS DATABASE
|
||||
#
|
||||
# The alias_maps parameter specifies the list of alias databases used
|
||||
# by the local delivery agent. The default list is system dependent.
|
||||
#
|
||||
# On systems with NIS, the default is to search the local alias
|
||||
# database, then the NIS alias database. See aliases(5) for syntax
|
||||
# details.
|
||||
#
|
||||
# If you change the alias database, run "postalias /etc/aliases" (or
|
||||
# wherever your system stores the mail alias file), or simply run
|
||||
# "newaliases" to build the necessary DBM or DB file.
|
||||
#
|
||||
# It will take a minute or so before changes become visible. Use
|
||||
# "postfix reload" to eliminate the delay.
|
||||
#
|
||||
#alias_maps = dbm:/etc/aliases
|
||||
alias_maps = hash:/etc/aliases
|
||||
#alias_maps = hash:/etc/aliases, nis:mail.aliases
|
||||
#alias_maps = netinfo:/aliases
|
||||
|
||||
# The alias_database parameter specifies the alias database(s) that
|
||||
# are built with "newaliases" or "sendmail -bi". This is a separate
|
||||
# configuration parameter, because alias_maps (see above) may specify
|
||||
# tables that are not necessarily all under control by Postfix.
|
||||
#
|
||||
#alias_database = dbm:/etc/aliases
|
||||
#alias_database = dbm:/etc/mail/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
|
||||
|
||||
# ADDRESS EXTENSIONS (e.g., user+foo)
|
||||
#
|
||||
# The recipient_delimiter parameter specifies the separator between
|
||||
# user names and address extensions (user+foo). See canonical(5),
|
||||
# local(8), relocated(5) and virtual(5) for the effects this has on
|
||||
# aliases, canonical, virtual, relocated and .forward file lookups.
|
||||
# Basically, the software tries user+foo and .forward+foo before
|
||||
# trying user and .forward.
|
||||
#
|
||||
#recipient_delimiter = +
|
||||
#>GNUNUX
|
||||
recipient_delimiter = +
|
||||
#<GNUNUX
|
||||
|
||||
# DELIVERY TO MAILBOX
|
||||
#
|
||||
# The home_mailbox parameter specifies the optional pathname of a
|
||||
# mailbox file relative to a user's home directory. The default
|
||||
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
|
||||
# "Maildir/" for qmail-style delivery (the / is required).
|
||||
#
|
||||
#home_mailbox = Mailbox
|
||||
#home_mailbox = Maildir/
|
||||
|
||||
# The mail_spool_directory parameter specifies the directory where
|
||||
# UNIX-style mailboxes are kept. The default setting depends on the
|
||||
# system type.
|
||||
#
|
||||
#mail_spool_directory = /var/mail
|
||||
#mail_spool_directory = /var/spool/mail
|
||||
|
||||
# The mailbox_command parameter specifies the optional external
|
||||
# command to use instead of mailbox delivery. The command is run as
|
||||
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
|
||||
# Exception: delivery for root is done as $default_user.
|
||||
#
|
||||
# Other environment variables of interest: USER (recipient username),
|
||||
# EXTENSION (address extension), DOMAIN (domain part of address),
|
||||
# and LOCAL (the address localpart).
|
||||
#
|
||||
# Unlike other Postfix configuration parameters, the mailbox_command
|
||||
# parameter is not subjected to $parameter substitutions. This is to
|
||||
# make it easier to specify shell syntax (see example below).
|
||||
#
|
||||
# Avoid shell meta characters because they will force Postfix to run
|
||||
# an expensive shell process. Procmail alone is expensive enough.
|
||||
#
|
||||
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
|
||||
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
|
||||
#
|
||||
#mailbox_command = /some/where/procmail
|
||||
#mailbox_command = /some/where/procmail -a "$EXTENSION"
|
||||
|
||||
# The mailbox_transport specifies the optional transport in master.cf
|
||||
# to use after processing aliases and .forward files. This parameter
|
||||
# has precedence over the mailbox_command, fallback_transport and
|
||||
# luser_relay parameters.
|
||||
#
|
||||
# Specify a string of the form transport:nexthop, where transport is
|
||||
# the name of a mail delivery transport defined in master.cf. The
|
||||
# :nexthop part is optional. For more details see the sample transport
|
||||
# configuration file.
|
||||
#
|
||||
# NOTE: if you use this feature for accounts not in the UNIX password
|
||||
# file, then you must update the "local_recipient_maps" setting in
|
||||
# the main.cf file, otherwise the SMTP server will reject mail for
|
||||
# non-UNIX accounts with "User unknown in local recipient table".
|
||||
#
|
||||
# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
|
||||
# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
|
||||
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
|
||||
|
||||
# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
|
||||
# server using LMTP (Local Mail Transport Protocol), this is prefered
|
||||
# over the older cyrus deliver program by setting the
|
||||
# mailbox_transport as below:
|
||||
#
|
||||
# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
|
||||
#
|
||||
# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
|
||||
# these settings.
|
||||
#
|
||||
# local_destination_recipient_limit = 300
|
||||
# local_destination_concurrency_limit = 5
|
||||
#
|
||||
# Of course you should adjust these settings as appropriate for the
|
||||
# capacity of the hardware you are using. The recipient limit setting
|
||||
# can be used to take advantage of the single instance message store
|
||||
# capability of Cyrus. The concurrency limit can be used to control
|
||||
# how many simultaneous LMTP sessions will be permitted to the Cyrus
|
||||
# message store.
|
||||
#
|
||||
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
|
||||
# subsequent line in master.cf.
|
||||
#mailbox_transport = cyrus
|
||||
|
||||
# The fallback_transport specifies the optional transport in master.cf
|
||||
# to use for recipients that are not found in the UNIX passwd database.
|
||||
# This parameter has precedence over the luser_relay parameter.
|
||||
#
|
||||
# Specify a string of the form transport:nexthop, where transport is
|
||||
# the name of a mail delivery transport defined in master.cf. The
|
||||
# :nexthop part is optional. For more details see the sample transport
|
||||
# configuration file.
|
||||
#
|
||||
# NOTE: if you use this feature for accounts not in the UNIX password
|
||||
# file, then you must update the "local_recipient_maps" setting in
|
||||
# the main.cf file, otherwise the SMTP server will reject mail for
|
||||
# non-UNIX accounts with "User unknown in local recipient table".
|
||||
#
|
||||
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
|
||||
#fallback_transport =
|
||||
|
||||
# The luser_relay parameter specifies an optional destination address
|
||||
# for unknown recipients. By default, mail for unknown@$mydestination,
|
||||
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
|
||||
# as undeliverable.
|
||||
#
|
||||
# The following expansions are done on luser_relay: $user (recipient
|
||||
# username), $shell (recipient shell), $home (recipient home directory),
|
||||
# $recipient (full recipient address), $extension (recipient address
|
||||
# extension), $domain (recipient domain), $local (entire recipient
|
||||
# localpart), $recipient_delimiter. Specify ${name?value} or
|
||||
# ${name:value} to expand value only when $name does (does not) exist.
|
||||
#
|
||||
# luser_relay works only for the default Postfix local delivery agent.
|
||||
#
|
||||
# NOTE: if you use this feature for accounts not in the UNIX password
|
||||
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
|
||||
# the main.cf file, otherwise the SMTP server will reject mail for
|
||||
# non-UNIX accounts with "User unknown in local recipient table".
|
||||
#
|
||||
#luser_relay = $user@other.host
|
||||
#luser_relay = $local@other.host
|
||||
#luser_relay = admin+$local
|
||||
|
||||
# JUNK MAIL CONTROLS
|
||||
#
|
||||
# The controls listed here are only a very small subset. The file
|
||||
# SMTPD_ACCESS_README provides an overview.
|
||||
|
||||
# The header_checks parameter specifies an optional table with patterns
|
||||
# that each logical message header is matched against, including
|
||||
# headers that span multiple physical lines.
|
||||
#
|
||||
# By default, these patterns also apply to MIME headers and to the
|
||||
# headers of attached messages. With older Postfix versions, MIME and
|
||||
# attached message headers were treated as body text.
|
||||
#
|
||||
# For details, see "man header_checks".
|
||||
#
|
||||
#header_checks = regexp:/etc/postfix/header_checks
|
||||
|
||||
# FAST ETRN SERVICE
|
||||
#
|
||||
# Postfix maintains per-destination logfiles with information about
|
||||
# deferred mail, so that mail can be flushed quickly with the SMTP
|
||||
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
|
||||
# See the ETRN_README document for a detailed description.
|
||||
#
|
||||
# The fast_flush_domains parameter controls what destinations are
|
||||
# eligible for this service. By default, they are all domains that
|
||||
# this server is willing to relay mail to.
|
||||
#
|
||||
#fast_flush_domains = $relay_domains
|
||||
|
||||
# SHOW SOFTWARE VERSION OR NOT
|
||||
#
|
||||
# The smtpd_banner parameter specifies the text that follows the 220
|
||||
# code in the SMTP server's greeting banner. Some people like to see
|
||||
# the mail version advertised. By default, Postfix shows no version.
|
||||
#
|
||||
# You MUST specify $myhostname at the start of the text. That is an
|
||||
# RFC requirement. Postfix itself does not care.
|
||||
#
|
||||
#smtpd_banner = $myhostname ESMTP $mail_name
|
||||
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
|
||||
|
||||
# PARALLEL DELIVERY TO THE SAME DESTINATION
|
||||
#
|
||||
# How many parallel deliveries to the same user or domain? With local
|
||||
# delivery, it does not make sense to do massively parallel delivery
|
||||
# to the same user, because mailbox updates must happen sequentially,
|
||||
# and expensive pipelines in .forward files can cause disasters when
|
||||
# too many are run at the same time. With SMTP deliveries, 10
|
||||
# simultaneous connections to the same domain could be sufficient to
|
||||
# raise eyebrows.
|
||||
#
|
||||
# Each message delivery transport has its XXX_destination_concurrency_limit
|
||||
# parameter. The default is $default_destination_concurrency_limit for
|
||||
# most delivery transports. For the local delivery agent the default is 2.
|
||||
|
||||
#local_destination_concurrency_limit = 2
|
||||
#default_destination_concurrency_limit = 20
|
||||
|
||||
# DEBUGGING CONTROL
|
||||
#
|
||||
# The debug_peer_level parameter specifies the increment in verbose
|
||||
# logging level when an SMTP client or server host name or address
|
||||
# matches a pattern in the debug_peer_list parameter.
|
||||
#
|
||||
debug_peer_level = 2
|
||||
|
||||
# The debug_peer_list parameter specifies an optional list of domain
|
||||
# or network patterns, /file/name patterns or type:name tables. When
|
||||
# an SMTP client or server host name or address matches a pattern,
|
||||
# increase the verbose logging level by the amount specified in the
|
||||
# debug_peer_level parameter.
|
||||
#
|
||||
#debug_peer_list = 127.0.0.1
|
||||
#debug_peer_list = some.domain
|
||||
|
||||
# The debugger_command specifies the external command that is executed
|
||||
# when a Postfix daemon program is run with the -D option.
|
||||
#
|
||||
# Use "command .. & sleep 5" so that the debugger can attach before
|
||||
# the process marches on. If you use an X-based debugger, be sure to
|
||||
# set up your XAUTHORITY environment variable before starting Postfix.
|
||||
#
|
||||
debugger_command =
|
||||
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
|
||||
ddd $daemon_directory/$process_name $process_id & sleep 5
|
||||
|
||||
# If you can't use X, use this to capture the call stack when a
|
||||
# daemon crashes. The result is in a file in the configuration
|
||||
# directory, and is named after the process name and the process ID.
|
||||
#
|
||||
# debugger_command =
|
||||
# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
|
||||
# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
|
||||
# >$config_directory/$process_name.$process_id.log & sleep 5
|
||||
#
|
||||
# Another possibility is to run gdb under a detached screen session.
|
||||
# To attach to the screen session, su root and run "screen -r
|
||||
# <id_string>" where <id_string> uniquely matches one of the detached
|
||||
# sessions (from "screen -list").
|
||||
#
|
||||
# debugger_command =
|
||||
# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
|
||||
# -dmS $process_name gdb $daemon_directory/$process_name
|
||||
# $process_id & sleep 1
|
||||
|
||||
# INSTALL-TIME CONFIGURATION INFORMATION
|
||||
#
|
||||
# The following parameters are used when installing a new Postfix version.
|
||||
#
|
||||
# sendmail_path: The full pathname of the Postfix sendmail command.
|
||||
# This is the Sendmail-compatible mail posting interface.
|
||||
#
|
||||
sendmail_path = /usr/sbin/sendmail.postfix
|
||||
|
||||
# newaliases_path: The full pathname of the Postfix newaliases command.
|
||||
# This is the Sendmail-compatible command to build alias databases.
|
||||
#
|
||||
newaliases_path = /usr/bin/newaliases.postfix
|
||||
|
||||
# mailq_path: The full pathname of the Postfix mailq command. This
|
||||
# is the Sendmail-compatible mail queue listing command.
|
||||
#
|
||||
mailq_path = /usr/bin/mailq.postfix
|
||||
|
||||
# setgid_group: The group for mail submission and queue management
|
||||
# commands. This must be a group name with a numerical group ID that
|
||||
# is not shared with other accounts, not even with the Postfix account.
|
||||
#
|
||||
setgid_group = postdrop
|
||||
|
||||
# html_directory: The location of the Postfix HTML documentation.
|
||||
#
|
||||
html_directory = no
|
||||
|
||||
# manpage_directory: The location of the Postfix on-line manual pages.
|
||||
#
|
||||
manpage_directory = /usr/share/man
|
||||
|
||||
# sample_directory: The location of the Postfix sample configuration files.
|
||||
# This parameter is obsolete as of Postfix 2.1.
|
||||
#
|
||||
sample_directory = /usr/share/doc/postfix/samples
|
||||
|
||||
# readme_directory: The location of the Postfix README files.
|
||||
#
|
||||
readme_directory = /usr/share/doc/postfix/README_FILES
|
||||
|
||||
# TLS CONFIGURATION
|
||||
#
|
||||
# Basic Postfix TLS configuration by default with self-signed certificate
|
||||
# for inbound SMTP and also opportunistic TLS for outbound SMTP.
|
||||
|
||||
# The full pathname of a file with the Postfix SMTP server RSA certificate
|
||||
# in PEM format. Intermediate certificates should be included in general,
|
||||
# the server certificate first, then the issuing CA(s) (bottom-up order).
|
||||
#
|
||||
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
|
||||
|
||||
# The full pathname of a file with the Postfix SMTP server RSA private key
|
||||
# in PEM format. The private key must be accessible without a pass-phrase,
|
||||
# i.e. it must not be encrypted.
|
||||
#
|
||||
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
|
||||
|
||||
smtpd_tls_CApath = /etc/pki/tls/certs
|
||||
smtpd_tls_CAfile = /etc/pki/ca-trust/source/anchors/ca_MailServer.crt
|
||||
# Announce STARTTLS support to remote SMTP clients, but do not require that
|
||||
# clients use TLS encryption (opportunistic TLS inbound).
|
||||
#
|
||||
smtpd_tls_security_level = may
|
||||
|
||||
# Directory with PEM format Certification Authority certificates that the
|
||||
# Postfix SMTP client uses to verify a remote SMTP server certificate.
|
||||
#
|
||||
smtp_tls_CApath = /etc/pki/tls/certs
|
||||
|
||||
# The full pathname of a file containing CA certificates of root CAs
|
||||
# trusted to sign either remote SMTP server certificates or intermediate CA
|
||||
# certificates.
|
||||
#
|
||||
smtp_tls_CAfile = /etc/pki/ca-trust/source/anchors/ca_MailServer.crt
|
||||
|
||||
# Use TLS if this is supported by the remote SMTP server, otherwise use
|
||||
# plaintext (opportunistic TLS outbound).
|
||||
#
|
||||
smtp_tls_security_level = may
|
||||
meta_directory = /etc/postfix
|
||||
shlib_directory = /usr/lib64/postfix
|
||||
|
||||
#>GNUNUX
|
||||
smtpd_helo_required = yes
|
||||
disable_vrfy_command = yes
|
||||
strict_rfc821_envelopes = yes
|
||||
|
||||
smtpd_use_tls = yes
|
||||
mailbox_size_limit = 0
|
||||
message_size_limit = 202400000
|
||||
biff = no
|
||||
#virtual_maps = ldap:/etc/postfix/ldapsource.cf
|
||||
smtpd_tls_loglevel = 1
|
||||
smtp_tls_note_starttls_offer = yes
|
||||
smtpd_tls_auth_only = yes
|
||||
smtpd_tls_received_header = yes
|
||||
tls_random_source = dev:/dev/urandom
|
||||
|
||||
smtpd_sasl_auth_enable = yes
|
||||
smtpd_sasl_security_options = noanonymous
|
||||
smtpd_sasl_local_domain =
|
||||
smtpd_sasl_type = dovecot
|
||||
smtpd_sasl_path = /srv/dovecot/auth
|
||||
broken_sasl_auth_clients = yes
|
||||
|
||||
dovecot_destination_recipient_limit = 1
|
||||
virtual_mailbox_domains = %echo ', '.join(%%postfix_my_domains)
|
||||
virtual_mailbox_maps = ldap:/etc/postfix/ldapsource.cf
|
||||
virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
|
||||
virtual_minimum_uid = 1000
|
||||
#vmail uid
|
||||
virtual_uid_maps = static:999
|
||||
virtual_gid_maps = static:999
|
||||
virtual_transport = dovecot
|
||||
virtual_mailbox_base = /srv/mail
|
||||
#<GNUNUX
|
146
seed/applicationservice/2022.03.08/dovecot/templates/master.cf
Normal file
146
seed/applicationservice/2022.03.08/dovecot/templates/master.cf
Normal file
|
@ -0,0 +1,146 @@
|
|||
#
|
||||
# Postfix master process configuration file. For details on the format
|
||||
# of the file, see the master(5) manual page (command: "man 5 master" or
|
||||
# on-line: http://www.postfix.org/master.5.html).
|
||||
#
|
||||
# Do not forget to execute "postfix reload" after editing this file.
|
||||
#
|
||||
# ==========================================================================
|
||||
# service type private unpriv chroot wakeup maxproc command + args
|
||||
# (yes) (yes) (no) (never) (100)
|
||||
# ==========================================================================
|
||||
smtp inet n - n - - smtpd
|
||||
#smtp inet n - n - 1 postscreen
|
||||
#smtpd pass - - n - - smtpd
|
||||
#dnsblog unix - - n - 0 dnsblog
|
||||
#tlsproxy unix - - n - 0 tlsproxy
|
||||
# Choose one: enable submission for loopback clients only, or for any client.
|
||||
#127.0.0.1:submission inet n - n - - smtpd
|
||||
#>GNUNUX
|
||||
submission inet n - n - - smtpd
|
||||
#<GNUNUX
|
||||
# -o syslog_name=postfix/submission
|
||||
# -o smtpd_tls_security_level=encrypt
|
||||
# -o smtpd_sasl_auth_enable=yes
|
||||
# -o smtpd_tls_auth_only=yes
|
||||
# -o smtpd_reject_unlisted_recipient=no
|
||||
# -o smtpd_client_restrictions=$mua_client_restrictions
|
||||
# -o smtpd_helo_restrictions=$mua_helo_restrictions
|
||||
# -o smtpd_sender_restrictions=$mua_sender_restrictions
|
||||
# -o smtpd_recipient_restrictions=
|
||||
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||
# -o milter_macro_daemon_name=ORIGINATING
|
||||
# Choose one: enable smtps for loopback clients only, or for any client.
|
||||
#127.0.0.1:smtps inet n - n - - smtpd
|
||||
#smtps inet n - n - - smtpd
|
||||
#>GNUNUX
|
||||
smtps inet n - n - - smtpd
|
||||
#<GNUNUX
|
||||
# -o syslog_name=postfix/smtps
|
||||
# -o smtpd_tls_wrappermode=yes
|
||||
# -o smtpd_sasl_auth_enable=yes
|
||||
# -o smtpd_reject_unlisted_recipient=no
|
||||
# -o smtpd_client_restrictions=$mua_client_restrictions
|
||||
# -o smtpd_helo_restrictions=$mua_helo_restrictions
|
||||
# -o smtpd_sender_restrictions=$mua_sender_restrictions
|
||||
# -o smtpd_recipient_restrictions=
|
||||
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||
# -o milter_macro_daemon_name=ORIGINATING
|
||||
#628 inet n - n - - qmqpd
|
||||
pickup unix n - n 60 1 pickup
|
||||
cleanup unix n - n - 0 cleanup
|
||||
qmgr unix n - n 300 1 qmgr
|
||||
#qmgr unix n - n 300 1 oqmgr
|
||||
tlsmgr unix - - n 1000? 1 tlsmgr
|
||||
rewrite unix - - n - - trivial-rewrite
|
||||
bounce unix - - n - 0 bounce
|
||||
defer unix - - n - 0 bounce
|
||||
trace unix - - n - 0 bounce
|
||||
verify unix - - n - 1 verify
|
||||
flush unix n - n 1000? 0 flush
|
||||
proxymap unix - - n - - proxymap
|
||||
proxywrite unix - - n - 1 proxymap
|
||||
smtp unix - - n - - smtp
|
||||
relay unix - - n - - smtp
|
||||
-o syslog_name=postfix/$service_name
|
||||
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
|
||||
showq unix n - n - - showq
|
||||
error unix - - n - - error
|
||||
retry unix - - n - - error
|
||||
discard unix - - n - - discard
|
||||
local unix - n n - - local
|
||||
virtual unix - n n - - virtual
|
||||
lmtp unix - - n - - lmtp
|
||||
anvil unix - - n - 1 anvil
|
||||
scache unix - - n - 1 scache
|
||||
postlog unix-dgram n - n - 1 postlogd
|
||||
#
|
||||
# ====================================================================
|
||||
# Interfaces to non-Postfix software. Be sure to examine the manual
|
||||
# pages of the non-Postfix software to find out what options it wants.
|
||||
#
|
||||
# Many of the following services use the Postfix pipe(8) delivery
|
||||
# agent. See the pipe(8) man page for information about ${recipient}
|
||||
# and other message envelope options.
|
||||
# ====================================================================
|
||||
#
|
||||
# maildrop. See the Postfix MAILDROP_README file for details.
|
||||
# Also specify in main.cf: maildrop_destination_recipient_limit=1
|
||||
#
|
||||
#maildrop unix - n n - - pipe
|
||||
# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
|
||||
#
|
||||
# Specify in cyrus.conf:
|
||||
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
|
||||
#
|
||||
# Specify in main.cf one or more of the following:
|
||||
# mailbox_transport = lmtp:inet:localhost
|
||||
# virtual_transport = lmtp:inet:localhost
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Cyrus 2.1.5 (Amos Gouaux)
|
||||
# Also specify in main.cf: cyrus_destination_recipient_limit=1
|
||||
#
|
||||
#cyrus unix - n n - - pipe
|
||||
# flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Old example of delivery via Cyrus.
|
||||
#
|
||||
#old-cyrus unix - n n - - pipe
|
||||
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# See the Postfix UUCP_README file for configuration details.
|
||||
#
|
||||
#uucp unix - n n - - pipe
|
||||
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Other external delivery methods.
|
||||
#
|
||||
#ifmail unix - n n - - pipe
|
||||
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
|
||||
#
|
||||
#bsmtp unix - n n - - pipe
|
||||
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
|
||||
#
|
||||
#scalemail-backend unix - n n - 2 pipe
|
||||
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
|
||||
# ${nexthop} ${user} ${extension}
|
||||
#
|
||||
#mailman unix - n n - - pipe
|
||||
# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
|
||||
# ${nexthop} ${user}
|
||||
#>GNUNUX
|
||||
dovecot unix - n n - - pipe
|
||||
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
|
||||
#>GNUNUX
|
|
@ -0,0 +1,5 @@
|
|||
%set %%extra_domainnames = []
|
||||
%for %%idx in %%range(1, %%number_of_interfaces)
|
||||
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
|
||||
%end for
|
||||
%%get_certificate(%%domain_name_eth0, "MailServer", extra_domainnames=%%extra_domainnames)
|
|
@ -0,0 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, 'MailServer')
|
|
@ -0,0 +1,3 @@
|
|||
[Service]
|
||||
ExecStartPre=/usr/sbin/postmap /etc/postfix/relay_passwd
|
||||
PIDFile=/srv/postfix/spool/pid/master.pid
|
|
@ -0,0 +1,2 @@
|
|||
%%smtp_relay_address %%smtp_relay_user@%%ip_eth0:%%smtp_relay_password
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
%for %%local in %%dovecot_local_authentifications
|
||||
%set %%user = %%normalize_family(%%local)
|
||||
%set %%password = %%getVar('local_authentification_password_' + %%user)
|
||||
%set %%ip = %%getVar('local_authentification_ip_' + %%user)
|
||||
%%user:{SHA512-CRYPT}%%sha512_crypt(%%password)::::::allow_nets=%%ip
|
||||
%end for
|
|
@ -0,0 +1,6 @@
|
|||
g dovecot 97 -
|
||||
g dovenull 982 -
|
||||
g vmail 999 -
|
||||
u dovecot 97:97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
|
||||
u dovenull 984:982 "Dovecot's unauthorized user" /usr/libexec/dovecot /sbin/nologin
|
||||
u vmail 999:999 "Virtual mail user" /srv/mail /sbin/nologin
|
|
@ -0,0 +1,8 @@
|
|||
g mail 12 -
|
||||
g postfix 89 -
|
||||
g postdrop 90 -
|
||||
u mail 8:12 "mail" /var/spool/mail /sbin/nologin
|
||||
u postfix 89:89 "Postfix" /srv/postfix/spool /sbin/nologin
|
||||
# useful?
|
||||
m postfix mail
|
||||
m postfix opendkim
|
|
@ -0,0 +1 @@
|
|||
d /srv/dovecot 750 dovecot postfix - -
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue