diff --git a/TCheetah/etc/postfix/ldap-aliases.cf/template b/TCheetah/etc/postfix/ldap-aliases.cf/template deleted file mode 100644 index dcd9bcf..0000000 --- a/TCheetah/etc/postfix/ldap-aliases.cf/template +++ /dev/null @@ -1,27 +0,0 @@ -# -*- coding: utf-8; mode: conf-unix -*- -# -# Fichier gere par BCfg2 -# -# Recherche des alias dans la base ldap. - -# Connexion LDAP -#if "db-server" in $metadata.groups -## Pour ceux qui ont la base ou une copie en local -## on regarde dans celle-ci -server_host = ldap://localhost/ -#else -## Sinon on regarde dans la base principale -server_host = ldap://ldap.adm.crans.org/ -#endif -search_base = ou=data,dc=crans,dc=org -version = 3 -bind = yes -bind_dn = cn=postfix,dc=crans,dc=org -bind_pw = f34842fd04aa7f58bc45bb - -# Requete faite a la base, %s est remplace -# par l'alias recherche -query_filter = (|(mailAlias=%s)(canonicalAlias=%s)) - -# Les alias correspondent a l'adresse du champ suivant -result_attribute = uid diff --git a/TCheetah/etc/postfix/ldap-canonical.cf/template b/TCheetah/etc/postfix/ldap-canonical.cf/template deleted file mode 100644 index 6f79d22..0000000 --- a/TCheetah/etc/postfix/ldap-canonical.cf/template +++ /dev/null @@ -1,24 +0,0 @@ -# -*- coding: utf-8; mode: conf-unix -*- -# -# Fichier gere par BCfg2 - -# Connexion LDAP -#if "db-server" in $metadata.groups -## Pour ceux qui ont la base ou une copie en local -## on regarde dans celle-ci -server_host = ldap://localhost/ -#else -## Sinon on regarde dans la base principale -server_host = ldap://ldap.adm.crans.org/ -#endif -search_base = ou=data,dc=crans,dc=org -version = 3 -bind = yes -bind_dn = cn=postfix,dc=crans,dc=org -bind_pw = f34842fd04aa7f58bc45bb - -# Requete faite a la base -query_filter = (&(mail=%s)(canonicalAlias=*)) - -# Les compte correspond a l'adresse du champ suivant -result_attribute = canonicalAlias 
diff --git a/TCheetah/etc/postfix/ldap-sqlgrey.cf/template b/TCheetah/etc/postfix/ldap-sqlgrey.cf/template deleted file mode 100644 index 21e3641..0000000 --- a/TCheetah/etc/postfix/ldap-sqlgrey.cf/template +++ /dev/null @@ -1,26 +0,0 @@ -# -*- coding: utf-8; mode: conf-unix -*- -# -# Fichier gere par BCfg2 -# -# Test si le greylisting est active pour un certain compte. - -# Connexion LDAP -#if "db-server" in $metadata.groups -## Pour ceux qui ont la base ou une copie en local -## on regarde dans celle-ci -server_host = ldap://localhost/ -#else -## Sinon on regarde dans la base principale -server_host = ldap://ldap.adm.crans.org/ -#endif -search_base = ou=data,dc=crans,dc=org -version = 3 -bind = yes -bind_dn = cn=postfix,dc=crans,dc=org -bind_pw = f34842fd04aa7f58bc45bb - -# Requete faite a la base -query_filter = (|(uid=%u)(mailAlias=%u)(canonicalAlias=%u)) - -# Les alias correspondent à l'adresse du champ suivant -result_attribute = contourneGreylist diff --git a/TCheetah/etc/ssh/sshd_config/template b/TCheetah/etc/ssh/sshd_config/template deleted file mode 100644 index 2602c19..0000000 --- a/TCheetah/etc/ssh/sshd_config/template +++ /dev/null 
@@ -1,82 +0,0 @@ -# -*- mode: conf -*- -# -# See the sshd(8) manpage for details - -## What ports, IPs and protocols we listen for -Port 22 -## Use these options to restrict which interfaces/protocols sshd will bind to -##ListenAddress :: -##ListenAddress 0.0.0.0 -Protocol 2 -## HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -##Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -## Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -## Logging -SyslogFacility AUTH -LogLevel INFO - -## Authentication: -LoginGraceTime 120 -PermitRootLogin yes -StrictModes yes - -RSAAuthentication yes -PubkeyAuthentication yes -##AuthorizedKeysFile %h/.ssh/authorized_keys - -## Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -## For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no -## similar for protocol version 2 -HostbasedAuthentication no -## Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -##IgnoreUserKnownHosts yes - -## To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no - -## Change to yes to enable challenge-response passwords (beware issues with -## some PAM modules and threads) -ChallengeResponseAuthentication yes - -## Change to no to disable tunnelled clear text passwords -PasswordAuthentication no - -## Kerberos options -##KerberosAuthentication no -##KerberosGetAFSToken no -##KerberosOrLocalPasswd yes -##KerberosTicketCleanup yes - -## GSSAPI options -##GSSAPIAuthentication no -##GSSAPICleanupCredentials yes - -#if "users" in $metadata.groups -X11Forwarding yes -#else -X11Forwarding no -#endif -X11DisplayOffset 10 -PrintMotd yes -PrintLastLog yes -TCPKeepAlive yes -##UseLogin no - -##MaxStartups 10:30:60 -##Banner /etc/issue.net - -## Allow client to pass locale environment variables -AcceptEnv LANG LC_* - 
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-UsePAM yes
diff --git a/TCheetah/etc/ldap/ldap.conf/template b/TGenshi/etc/ldap/ldap.conf/template.txt
similarity index 100%
rename from TCheetah/etc/ldap/ldap.conf/template
rename to TGenshi/etc/ldap/ldap.conf/template.txt
diff --git a/TGenshi/etc/postfix/ldap-aliases.cf/info b/TGenshi/etc/postfix/ldap-aliases.cf/info
new file mode 100644
index 0000000..0b33c96
--- /dev/null
+++ b/TGenshi/etc/postfix/ldap-aliases.cf/info
@@ -0,0 +1,3 @@
+owner: root
+group: root
+perms: 0600
diff --git a/TGenshi/etc/postfix/ldap-aliases.cf/template.txt b/TGenshi/etc/postfix/ldap-aliases.cf/template.txt
new file mode 100644
index 0000000..07ebfbc
--- /dev/null
+++ b/TGenshi/etc/postfix/ldap-aliases.cf/template.txt
@@ -0,0 +1,5 @@
+{% with comment="Recherche des alias dans la base ldap.";
+ query="(|(mailAlias=%s)(canonicalAlias=%s))";
+ result="uid" %}\
+{% include /var/lib/bcfg2/etc/genshi/postfix_ldap.txt %}\
+{% end %}\
diff --git a/TGenshi/etc/postfix/ldap-canonical.cf/info b/TGenshi/etc/postfix/ldap-canonical.cf/info
new file mode 100644
index 0000000..0b33c96
--- /dev/null
+++ b/TGenshi/etc/postfix/ldap-canonical.cf/info
@@ -0,0 +1,3 @@
+owner: root
+group: root
+perms: 0600
diff --git a/TGenshi/etc/postfix/ldap-canonical.cf/template.txt b/TGenshi/etc/postfix/ldap-canonical.cf/template.txt
new file mode 100644
index 0000000..9973f99
--- /dev/null
+++ b/TGenshi/etc/postfix/ldap-canonical.cf/template.txt
@@ -0,0 +1,4 @@
+{% with query="(&(mail=%s)(canonicalAlias=*))";
+ result="canonicalAlias" %}\
+{% include /var/lib/bcfg2/etc/genshi/postfix_ldap.txt %}\
+{% end %}\
diff --git a/TGenshi/etc/postfix/ldap-sqlgrey.cf/info b/TGenshi/etc/postfix/ldap-sqlgrey.cf/info
new file mode 100644
index 0000000..0b33c96
--- /dev/null
+++ b/TGenshi/etc/postfix/ldap-sqlgrey.cf/info
@@ -0,0 +1,3 @@
+owner: root
+group: root
+perms: 0600
diff --git a/TGenshi/etc/postfix/ldap-sqlgrey.cf/template.txt b/TGenshi/etc/postfix/ldap-sqlgrey.cf/template.txt
new file mode 100644
index 0000000..f6db7b8
--- /dev/null
+++ b/TGenshi/etc/postfix/ldap-sqlgrey.cf/template.txt
@@ -0,0 +1,5 @@
+{% with comment="Test si le greylisting est active pour un certain compte.";
+ query="(|(uid=%u)(mailAlias=%u)(canonicalAlias=%u))";
+ result="contourneGreylist" %}\
+{% include /var/lib/bcfg2/etc/genshi/postfix_ldap.txt %}\
+{% end %}\
diff --git a/TCheetah/etc/postfix/main.cf/template b/TGenshi/etc/postfix/main.cf/template.txt
similarity index 66%
rename from TCheetah/etc/postfix/main.cf/template
rename to TGenshi/etc/postfix/main.cf/template.txt
index 2f87e3f..45fd426 100644
--- a/TCheetah/etc/postfix/main.cf/template
+++ b/TGenshi/etc/postfix/main.cf/template.txt
@@ -4,53 +4,39 @@ # # Fichier de configuration principal de postfix. -## On change le style de parsing parceque sinon c'est vraiment relou -#compiler-settings -cheetahVarStartToken = @ -commentStartToken = %# -multilineCommentStartToken = %* -multilineCommentEndToken = *% -directiveStartToken = % -directiveEndToken = % -#end compiler-settings +{% include /var/lib/bcfg2/etc/genshi/utils.txt %}\ -%# +------------------------+ -%# | Utils pour le template | -%# +------------------------+ +{# +------------------------+ #}\ +{# | Utils pour le template | #}\ +{# +------------------------+ #}\ +{% python + mx = has("mail-mx") + # Indique si c'est un MX principal ou secondaire. + main = has("mail-mx-main") + secondary = has("mail-mx-secondary") + # Indique si c'est un MX public, par exemple le serveur + # des adherents est utilise uniquement en interne + public = has("mail-mx-public") -%set @mx = "mail-mx" in @metadata.groups -%# Indique si c'est un MX principal ou secondaire. -%set @main = "mail-mx-main" in @metadata.groups -%set @secondary = "mail-mx-secondary" in @metadata.groups -%# Indique si c'est un MX public, par exemple le serveur -%# des adherents est utilise uniquement en interne -%set @public = "mail-mx-public" in @metadata.groups + # Si vrai alors delivre localement les mails des adherents. + users = has("users") -%# Si vrai alors delivre localement les mails des adherents. 
-%set @users = "users" in @metadata.groups + # Si vrai alors passe les mails des ml a mailman + manage_ml = has("mailing-list-manager") -%# Si vrai alors passe les mails des ml a mailman -%set @manage_ml = "mailing-list-manager" in @metadata.groups - -%# La base de donnee utilise -%if "ldap" in @metadata.groups - %set @db = "ldap" -%elif "pgsql" in @metadata.groups - %set @db = "pgsql" -%else - %raise Exception("aucune base de donne trouvee!") -%end if - -%set @shorthostname = @metadata.hostname.split('.',1)[0] - -%def yesno(@b): %if @b then yes else no% + # La base de donnee utilise (pour les mx) + if has("ldap"): + db = "ldap" + elif has("pgsql"): + db = "pgsql" +%}\ # +------------------+ # | Variables utiles | # +------------------+ # Definition par securite (sinon il utilise gethostname) -myhostname = @{shorthostname}.crans.org +myhostname = ${hostname}.crans.org mydomain = crans.org # Origine des mails 
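Review bot: The `db` selection at the end of the new `{% python %}` block drops the old `%raise Exception("aucune base de donne trouvee!")` fallback, so a host that is in neither the `ldap` nor the `pgsql` group leaves `db` unbound and any later `$db` reference (none is visible in this hunk) would fail with an undefined-name error instead of the explicit message. Add `else: raise Exception("aucune base de donnees trouvee!")` after the `elif`, or remove `db` altogether if nothing in the file reads it. The comment says this value is "pour les mx", so if the raise is kept it could be limited to `if mx:`. The `{% python %}` block itself ends in this hunk, but the rest of the template continues past it.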
@@ -58,60 +44,60 @@ myorigin = crans.org # Reseaux locaux mynetworks = 127.0.0.1/8 -%if @mx +{% if mx %}\ 138.231.136.0/21, 138.231.144.0/21, 138.231.148.0/22 -%end if +{% end %}\ -%if not @mx +{%if not mx %}\ # Ecoute en local uniquement inet_interfaces = loopback-only -%end if +{% end %}\ -%if @mx +{% if mx %}\ # Destinations acceptees -mydestination = @shorthostname, $myhostname, - localhost, localhost.$mydomain - %if @main - $mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, +mydestination = $hostname, $$myhostname, + localhost, localhost.$$mydomain +{% if main %}\ + $$mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr - %end if - %if @manage_ml - lists.$mydomain - %end if -%end if +{% end %}\ +{% if manage_ml %} + lists.$$mydomain +{% end %}\ +{% end %}\ -%if @mx +{% if mx %}\ # Domaine relaye par ce MX -relay_domains = $mydestination, - %if @secondary - $mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, +relay_domains = $$mydestination, +{% if secondary %}\ + $$mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr - %end if - %if @public and not @manage_ml - lists.$mydomain - %end if -%end if +{% end %}\ +{% if public and not manage_ml %}\ + lists.$$mydomain +{% end %}\ +{% end %}\ -%if not @mx +{% if not mx %}\ # Les mails sont envoyes au MX principal relayhost = smtp.adm.crans.org -%end if +{% end %}\ # Etre notifie ou non de l'arrive de nouveaux mails -biff = @yesno(@users) +biff = ${yesno(users)} -%if @mx +{% if mx %}\ # Pour pouvoir tester sans tout casser, on active les soft bounces. # Ca permet aux mails de ne pas etre bounces en cas d'erreur, mais # a la place, de renvoyer une erreur non permanente. En production # il faut enlever ca. soft_bounce = no -%end if +{% end %}\ -%if @users +{% if users %}\ # On delivre dans des maildir mail_spool_directory = /var/mail/ -%end if +{% end %}\ # +--------+ # | Divers | 
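Review bot: `{% if manage_ml %}` inside the `mydestination =` list is the one directive in this hunk without the trailing `\`, so its newline is emitted into the rendered main.cf between two continuation lines; Postfix continuation relies on the next line starting with whitespace, and a stray blank line there is at best confusing and may end the logical line early. Write it as `{% if manage_ml %}\` like its neighbours. `{%if not mx %}\` also lacks the space after `{%`, harmless for Genshi but inconsistent with every other directive in the file.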
@@ -121,20 +107,21 @@ mail_spool_directory = /var/mail/ delay_warning_time = 24h # Esthetisme -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +smtpd_banner = $$myhostname ESMTP $$mail_name (Debian/GNU) -%if @mx +{% choose %}\ +{% when mx %}\ # Reecriture des entetes canonical_maps = ldap:/etc/postfix/ldap-canonical.cf -%else +{% otherwise %}\ # Reecriture des entetes: @host.crans.org -> @crans.org canonical_maps = regexp:/etc/postfix/canonical -%end if +{% end %}\ -%if @mx +{% if mx %}\ # Par ou passer (notement pour la distrtibution des adresse locales par bleu) transport_maps = hash:/etc/postfix/transport -%end if +{% end %}\ # Une infinite d'adresses mail par personne recipient_delimiter = + @@ -145,28 +132,28 @@ recipient_delimiter = + # Les fichiers d'alias (pour newaliases) alias_database = hash:/etc/postfix/aliases -%if @manage_ml +{% if manage_ml %}\ hash:/var/lib/mailman/data/aliases -%end if +{% end %}\ -alias_maps = $alias_database -%if @mx +alias_maps = $$alias_database +{% if mx %}\ # Plus les alias dans la base de donnees ldap:/etc/postfix/ldap-aliases.cf -%end if +{% end %}\ -%if @mx +{% if mx %}\ # On prend aussi en compte les utilisateurs de /etc/passwd -local_recipient_maps = $alias_maps unix:passwd.byname -%end if +local_recipient_maps = $$alias_maps unix:passwd.byname +{% end %}\ -%if @mx +{% if mx %}\ # Les anciennes ML @crans.org, @crans.ens-cachan.fr -> @lists.crans.org virtual_alias_maps = hash:/etc/postfix/virtual -%end if +{% end %}\ -%# Pour les non-mx il n'y a plus rien d'interessant jusqu'a la fin -%if @mx +{# Pour les non-mx il n'y a plus rien d'interessant jusqu'a la fin #}\ +{% if mx %}\ # +-------------+ # | TLS et SASL | # +-------------+ 
@@ -195,21 +182,21 @@ smtp_tls_session_cache_database = sdbm:/var/run/smtp_tls_session_cache tls_random_source = dev:/dev/urandom tls_daemon_random_source = dev:/dev/urandom -%if @main +{% if main %}\ # Authentification SASL pour relayer du mail smtpd_sasl_auth_enable = yes # Auth que si tls pour eviter des pass en clair sur le reseau smtpd_tls_auth_only = yes -%end if +{% end %}\ # +--------------------------+ # | Filtrages et limitations | # +--------------------------+ -%if @main +{% if main %}\ # Filtrage sur les sources de connexions smtpd_client_restrictions = reject_rbl_client rbl-plus.mail-abuse.org -%end if +{% end %}\ ## Filtrage au MAIL FROM # Rejet si le domaine de l'envoyeur n'est pas dans un DNS @@ -220,18 +207,18 @@ smtpd_sender_restrictions = reject_unknown_sender_domain smtpd_recipient_restrictions = permit_mynetworks # rejette les recipients sans nom de domaine totalement qualifie reject_non_fqdn_recipient -%if @main +{% if main %}\ # permet si le client est authentifie permit_sasl_authenticated -%end if +{% end %}\ # rejette les destinations non locales reject_unauth_destination -%if @public +{% if public %}\ # accepte si le champ contourneGreylist de la base est a OK check_recipient_access ldap:/etc/postfix/ldap-sqlgrey.cf # accepte si la greylist est d'accord check_policy_service inet:127.0.0.1:2501 -%endif +{% end %}\ # jette le reste # Tailles maximales : 4Mo pour les msgs et 75 pour les mbox 
@@ -239,20 +226,20 @@ message_size_limit = 4194304 mailbox_size_limit = 78643000 # Obligation de specifier le nom de domaine complet -append_dot_mydomain = @yesno(@secondary) +append_dot_mydomain = ${yesno(secondary)} -%if @main +{% if main %}\ ## Filtrage AV # Amavis + tuning lmtp content_filter = lmtp:[amavis.adm.crans.org]:10024 lmtp_data_done_timeout=1200 lmtp_send_xforward_command=yes -%endif +{% end %}\ # Pieces jointes mime_header_checks = regexp:/etc/postfix/mime_header_checks -%if not @secondary +{% if not secondary %}\ # +----------------------+ # | Connexion de secours | # +----------------------+ @@ -260,6 +247,7 @@ mime_header_checks = regexp:/etc/postfix/mime_header_checks ### BEGIN RESCUE MODE #relayhost = [ultra-adsl.crans.org]:25 ### END RESCUR MODE -%endif +{% end %}\ -%end if +{# Fin de la conf specifique au mx #} +{% end %}\ diff --git a/TCheetah/etc/postfix/master.cf/template b/TGenshi/etc/postfix/master.cf/template.txt similarity index 85% rename from TCheetah/etc/postfix/master.cf/template rename to TGenshi/etc/postfix/master.cf/template.txt index bff3ffd..0930840 100644 --- a/TCheetah/etc/postfix/master.cf/template +++ b/TGenshi/etc/postfix/master.cf/template.txt 
@@ -2,32 +2,25 @@ # # Fichier gere par BCfg2 # -# Fichier de configuration des demons de postfix +# Fichier de configuration des demons de postfix. -#compiler-settings -cheetahVarStartToken = @ -commentStartToken = %# -multilineCommentStartToken = %* -multilineCommentEndToken = *% -directiveStartToken = % -directiveEndToken = % -#end compiler-settings +{% include /var/lib/bcfg2/etc/genshi/utils.txt %}\ -%# +------------------------+ -%# | Utils pour le template | -%# +------------------------+ +{# +------------------------+ #}\ +{# | Utils pour le template | #}\ +{# +------------------------+ #}\ +{% python + # Indique si c'est un MX principal ou secondaire. + main = has("mail-mx-main") + secondary = has("mail-mx-secondary") + # Indique si c'est un MX public, par exemple le serveur + # des adherents est utilise uniquement en interne + public = has("mail-mx-public") -%# Indique si c'est un MX principal ou secondaire. -%set @main = "mail-mx-main" in @metadata.groups -%set @secondary = "mail-mx-secondary" in @metadata.groups -%# Indique si c'est un MX public, par exemple le serveur -%# des adherents est utilise uniquement en interne -%set @public = "mail-mx-public" in @metadata.groups - -%set @shorthostname = @metadata.hostname.split('.',1)[0] -%set @pub = @shorthostname + ".crans.org" -%set @adm = @shorthostname + ".adm.crans.org" -%set @loc = "127.0.0.1" + pub = pubhostname + adm = admhostname + loc = "127.0.0.1" +%}\ # Postfix master process configuration file. Each line describes how # a mailer component program should be run. The fields that make up 
@@ -98,11 +91,11 @@ directiveEndToken = % # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (50) # ========================================================================== -@pub:smtp inet n - - - - smtpd -%if not @public +$pub:smtp inet n - - - - smtpd +{% if not public %}\ -o content_filter=lmtp:[amavis.adm.crans.org]:10024 -%end if -@loc:smtp inet n - - - - smtpd +{% end %}\ +$loc:smtp inet n - - - - smtpd #628 inet n - - - - qmqpd pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup @@ -143,11 +136,11 @@ smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes 587 inet n - - - - smtpd -o smtpd_enforce_tls=yes tlsmgr fifo - - n 300 1 tlsmgr -%if @main +{% if main %}\ # Serveur smtp pour recuperation des mails d'amavis # Verifie uniquement que le source viens bien du reseau # d'administration -@adm:smtp inet n - n - - smtpd +$adm:smtp inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o smtpd_helo_restrictions= @@ -155,4 +148,4 @@ tlsmgr fifo - - n 300 1 tlsmgr -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=138.231.144.0/24 -%end if +{% end %}\ diff --git a/TCheetah/etc/postfix/transport/template b/TGenshi/etc/postfix/transport/template.txt similarity index 72% rename from TCheetah/etc/postfix/transport/template rename to TGenshi/etc/postfix/transport/template.txt index 0ff029d..a4ae71d 100644 --- a/TCheetah/etc/postfix/transport/template +++ b/TGenshi/etc/postfix/transport/template.txt 
@@ -4,21 +4,24 @@ # # Transport des mails. -#if "mailing-list-manager" in $metadata.groups +{% include /var/lib/bcfg2/etc/genshi/utils.txt %}\ + +{% choose %}\ +{% when has("mailing-list-manager") %}\ # Les mailing-listes sont delivrees localement lists.crans.org local -#else +{% otherwise %}\ lists.crans.org smtp:[lists.adm.crans.org] -#end if -#if "news-server" in $metadata.groups +{% end %}\ +{% if has("news-server") %}\ # Le corbeau, c'est ici corbeau@crans.org local -#end if -#if not "users" in $medatata.groups +{% end %}\ +{% if not "users" in $medatata.groups %}\ # C'est le serveur des adherents qui fait les livraisons des # adresses clubs et adherents crans.org smtp:[users.adm.crans.org] crans.ens-cachan.fr smtp:[users.adm.crans.org] install-party.ens-cachan.fr smtp:[users.adm.crans.org] clubs.ens-cachan.fr smtp:[users.adm.crans.org] -#end if +{% end %}\ diff --git a/TGenshi/etc/ssh/sshd_config/template.txt b/TGenshi/etc/ssh/sshd_config/template.txt new file mode 100644 index 0000000..d53cf1c --- /dev/null +++ b/TGenshi/etc/ssh/sshd_config/template.txt 
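Review bot: `{% if not "users" in $medatata.groups %}\` keeps the `$medatata` typo from the old Cheetah line and mixes a `$` reference into a Genshi directive expression, while every other condition in this hunk goes through `has(...)` from the included utils.txt. Genshi compiles the directive expression as Python, where `$medatata` is a syntax error, so this template most likely fails to render, and if it did render the crans.org delivery routes could be emitted on the wrong hosts. Replace the line with `{% if not has("users") %}\`.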
@@ -0,0 +1,81 @@
+# -*- mode: conf -*-
+#
+# See the sshd(8) manpage for details
+
+{% include /var/lib/bcfg2/etc/genshi/utils.txt %}\
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication yes
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding ${yesno(has("users"))}
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd yes
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes
diff --git a/etc/genshi/ldap.txt b/etc/genshi/ldap.txt
new file mode 100644
index 0000000..98d8c83
--- /dev/null
+++ b/etc/genshi/ldap.txt
@@ -0,0 +1,9 @@
+{% python
+ if has("db-server") in metadata.groups:
+ # Pour ceux qui ont la base ou une copie en locale
+ # on regarde dans celle-ci
+ ldap_host = "ldap://localhost/"
+ else:
+ # Sinon on regarde dans la base principale
+ ldap_host = "ldap://ldap.adm.crans.org/"
+%}\
diff --git a/etc/genshi/postfix_ldap.txt b/etc/genshi/postfix_ldap.txt
new file mode 100644
index 0000000..0d97e56
--- /dev/null
+++ b/etc/genshi/postfix_ldap.txt
@@ -0,0 +1,29 @@
+# -*- coding: utf-8; mode: conf-unix -*-
+{# Ce fichier sert de template pour les fichiers /etc/postfix/ldap-*.cf #}\
+{# Pour l'utuliser, il faut l'inclure en instanciant les variables: #}\
+{# query: requete faite a la base #}\
+{# result: le champ a recuperer dans le resultat #}\
+{# comment(optionnel): commentaire en debut de fichier #}\
+#
+# Fichier gere par BCfg2
+{% if defined(comment) %}\
+#
+# $comment
+{% end %}\
+
+{% include /var/lib/bcfg2/etc/genshi/ldap.txt %}\
+
+# Connexion LDAP
+server_host = $ldap_host
+search_base = ou=data,dc=crans,dc=org
+version = 3
+bind = yes
+bind_dn = cn=postfix,dc=crans,dc=org
+bind_pw = $ldap_password_readonly
+
+# Requete faite a la base, %s est remplace
+# par l'alias recherche
+query_filter = $query
+
+# Le champ qui nous interresse en particulier
+result_attribute = $result
diff --git a/etc/genshi/utils.py b/etc/genshi/utils.py
new file mode 100644
index 0000000..1311ed8
--- /dev/null
+++ b/etc/genshi/utils.py
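Review bot: `X11Forwarding ${yesno(has("users"))}` is immediately followed by a hard-coded `X11Forwarding no`, a leftover of the old `#if`/`#else` pair. sshd honours the first occurrence of a keyword, so the second line is dead but reads as if it overrides the templated value; drop `X11Forwarding no`. `PermitRootLogin yes` is carried over unchanged; with `PasswordAuthentication no` root is already key-only, and `PermitRootLogin without-password` would state that intent in the config itself.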
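Review bot: `if has("db-server") in metadata.groups:` in ldap.txt tests whether the boolean returned by `has()` is a member of the group list, which is never true, so `ldap_host` is always `ldap://ldap.adm.crans.org/` and the local-replica branch is unreachable. The intended test is `if has("db-server"):`, matching the old `#if "db-server" in $metadata.groups` in the deleted templates.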
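Review bot: `bind_pw = $ldap_password_readonly` in postfix_ldap.txt relies on a name nothing in this commit defines — not utils.py, utils.txt nor the included ldap.txt — so rendering will fail with an undefined-variable error unless the bcfg2 Genshi context supplies it; a line such as `{# ldap_password_readonly: fourni par le contexte bcfg2 #}\` next to the other documented variables would make that dependency explicit. Moving the literal out of the template and adding the `perms: 0600` info files is the right direction, but the old value still sits in repository history in the deleted TCheetah files, so it should be treated as exposed and rotated. Minor: `utuliser` → `utiliser` and `interresse` → `interesse` in the header comments.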
@@ -0,0 +1,44 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# utils.py
+# --------
+#
+# Copyright (C) 2007 Jeremie Dimino
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA.
+
+# Ce fichier contient des definitions de variables et fonctions qui
+# peuvent etre utiles dans la plupart des templates du crans.
+
+# Le nom d'hote court, la partie avant le premier '.'
+hostname = metadata.hostname.split('.',1)[0]
+
+# Le nom d'hote sur le vlan public
+pubhostname = hostname + ".crans.org"
+
+# Le nom d'hote sur le vlan
+admhostname = hostname + ".adm.crans.org"
+
+def yesno(b):
+ if b:
+ return "yes"
+ else:
+ return "no"
+
+def onoff(b):
+ if b:
+ return "on"
+ else:
+ return "off"
diff --git a/etc/genshi/utils.txt b/etc/genshi/utils.txt
new file mode 100644
index 0000000..40c6d58
--- /dev/null
+++ b/etc/genshi/utils.txt
@@ -0,0 +1,9 @@
+{# Definitions utiles pour les templates #}\
+{% python
+ import os
+ os.sys.path.append('/var/lib/bcfg2/etc/genshi')
+ from utils import *
+
+ def has(group):
+ return group in metadata.groups
+%}\
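Review bot: `hostname = metadata.hostname.split('.',1)[0]` runs at module import time, but utils.py is loaded with `from utils import *` from the `{% python %}` block in utils.txt (same commit), and a Python module does not see the template's `metadata` context in its globals; unless bcfg2 injects it into the module some other way, this raises `NameError` on the first render. Turning the three module-level values into a function that takes the context, e.g. `def short_hostname(metadata): return metadata.hostname.split('.', 1)[0]`, and calling it from utils.txt would keep utils.py importable on its own. `yesno`/`onoff` could be one-liners, `return "yes" if b else "no"`, but that is cosmetic.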
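Review bot: `os.sys.path.append('/var/lib/bcfg2/etc/genshi')` in utils.txt reaches `sys` through `os`, which is an implementation detail; `import sys` and `sys.path.append(...)` say what is meant. Because this block runs on every template render, the same entry is appended again each time in a long-lived bcfg2 server process; guarding it with `if '/var/lib/bcfg2/etc/genshi' not in sys.path:` keeps `sys.path` bounded. `from utils import *` also pulls every name from utils.py into each template's namespace, so an `__all__` in utils.py would make that surface deliberate.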