Migration de Cheetah vers Genshi

darcs-hash:20071207014443-af139-23d9c06fcde1900f67afdf33d277557b44b3f81b.gz
2007-12-07 02:44:43 +01:00 · 2007-12-07 02:44:43 +01:00 · 4ab280aae3
commit 4ab280aae3
parent dff5b4dd5a
19 changed files with 315 additions and 295 deletions
--- a/TCheetah/etc/postfix/ldap-aliases.cf/template
+++ b/TCheetah/etc/postfix/ldap-aliases.cf/template
@ -1,27 +0,0 @@
 # -*- coding: utf-8; mode: conf-unix -*-
 #
 # Fichier gere par BCfg2
 #
 # Recherche des alias dans la base ldap.
 # Connexion LDAP
 #if "db-server" in $metadata.groups
 ## Pour ceux qui ont la base ou une copie en local
 ## on regarde dans celle-ci
 server_host = ldap://localhost/
 #else
 ## Sinon on regarde dans la base principale
 server_host = ldap://ldap.adm.crans.org/
 #endif
 search_base = ou=data,dc=crans,dc=org
 version = 3
 bind = yes
 bind_dn = cn=postfix,dc=crans,dc=org
 bind_pw = f34842fd04aa7f58bc45bb
 # Requete faite a la base, %s est remplace
 # par l'alias recherche
 query_filter = (|(mailAlias=%s)(canonicalAlias=%s))
 # Les alias correspondent a l'adresse du champ suivant
 result_attribute = uid
--- a/TCheetah/etc/postfix/ldap-canonical.cf/template
+++ b/TCheetah/etc/postfix/ldap-canonical.cf/template
@ -1,24 +0,0 @@
 # -*- coding: utf-8; mode: conf-unix -*-
 #
 # Fichier gere par BCfg2
 # Connexion LDAP
 #if "db-server" in $metadata.groups
 ## Pour ceux qui ont la base ou une copie en local
 ## on regarde dans celle-ci
 server_host = ldap://localhost/
 #else
 ## Sinon on regarde dans la base principale
 server_host = ldap://ldap.adm.crans.org/
 #endif
 search_base = ou=data,dc=crans,dc=org
 version = 3
 bind = yes
 bind_dn = cn=postfix,dc=crans,dc=org
 bind_pw = f34842fd04aa7f58bc45bb
 # Requete faite a la base
 query_filter = (&(mail=%s)(canonicalAlias=*))
 # Les compte correspond a l'adresse du champ suivant
 result_attribute = canonicalAlias
--- a/TCheetah/etc/postfix/ldap-sqlgrey.cf/template
+++ b/TCheetah/etc/postfix/ldap-sqlgrey.cf/template
@ -1,26 +0,0 @@
 # -*- coding: utf-8; mode: conf-unix -*-
 #
 # Fichier gere par BCfg2
 #
 # Test si le greylisting est active pour un certain compte.
 # Connexion LDAP
 #if "db-server" in $metadata.groups
 ## Pour ceux qui ont la base ou une copie en local
 ## on regarde dans celle-ci
 server_host = ldap://localhost/
 #else
 ## Sinon on regarde dans la base principale
 server_host = ldap://ldap.adm.crans.org/
 #endif
 search_base = ou=data,dc=crans,dc=org
 version = 3
 bind = yes
 bind_dn = cn=postfix,dc=crans,dc=org
 bind_pw = f34842fd04aa7f58bc45bb
 # Requete faite a la base
 query_filter = (|(uid=%u)(mailAlias=%u)(canonicalAlias=%u))
 # Les alias correspondent à l'adresse du champ suivant
 result_attribute = contourneGreylist
--- a/TCheetah/etc/ssh/sshd_config/template
+++ b/TCheetah/etc/ssh/sshd_config/template
@ -1,82 +0,0 @@
 # -*- mode: conf -*-
 #
 # See the sshd(8) manpage for details
 ## What ports, IPs and protocols we listen for
 Port 22
 ## Use these options to restrict which interfaces/protocols sshd will bind to
 ##ListenAddress ::
 ##ListenAddress 0.0.0.0
 Protocol 2
 ## HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_dsa_key
 ##Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 ## Lifetime and size of ephemeral version 1 server key
 KeyRegenerationInterval 3600
 ServerKeyBits 768
 ## Logging
 SyslogFacility AUTH
 LogLevel INFO
 ## Authentication:
 LoginGraceTime 120
 PermitRootLogin yes
 StrictModes yes
 RSAAuthentication yes
 PubkeyAuthentication yes
 ##AuthorizedKeysFile	%h/.ssh/authorized_keys
 ## Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 ## For this to work you will also need host keys in /etc/ssh_known_hosts
 RhostsRSAAuthentication no
 ## similar for protocol version 2
 HostbasedAuthentication no
 ## Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 ##IgnoreUserKnownHosts yes
 ## To enable empty passwords, change to yes (NOT RECOMMENDED)
 PermitEmptyPasswords no
 ## Change to yes to enable challenge-response passwords (beware issues with
 ## some PAM modules and threads)
 ChallengeResponseAuthentication yes
 ## Change to no to disable tunnelled clear text passwords
 PasswordAuthentication no
 ## Kerberos options
 ##KerberosAuthentication no
 ##KerberosGetAFSToken no
 ##KerberosOrLocalPasswd yes
 ##KerberosTicketCleanup yes
 ## GSSAPI options
 ##GSSAPIAuthentication no
 ##GSSAPICleanupCredentials yes
 #if "users" in $metadata.groups
 X11Forwarding yes
 #else
 X11Forwarding no
 #endif
 X11DisplayOffset 10
 PrintMotd yes
 PrintLastLog yes
 TCPKeepAlive yes
 ##UseLogin no
 ##MaxStartups 10:30:60
 ##Banner /etc/issue.net
 ## Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server
 UsePAM yes
--- a/TGenshi/etc/ldap/ldap.conf/template.txt
+++ b/TGenshi/etc/ldap/ldap.conf/template.txt
--- a/TGenshi/etc/postfix/ldap-aliases.cf/info
+++ b/TGenshi/etc/postfix/ldap-aliases.cf/info
@ -0,0 +1,3 @@
 owner: root
 group: root
 perms: 0600
--- a/TGenshi/etc/postfix/ldap-aliases.cf/template.txt
+++ b/TGenshi/etc/postfix/ldap-aliases.cf/template.txt
@ -0,0 +1,5 @@
 {% with comment="Recherche des alias dans la base ldap.";
        query="(|(mailAlias=%s)(canonicalAlias=%s))";
        result="uid" %}\
 {%   include /var/lib/bcfg2/etc/genshi/postfix_ldap.txt %}\
 {% end %}\
--- a/TGenshi/etc/postfix/ldap-canonical.cf/info
+++ b/TGenshi/etc/postfix/ldap-canonical.cf/info
@ -0,0 +1,3 @@
 owner: root
 group: root
 perms: 0600
--- a/TGenshi/etc/postfix/ldap-canonical.cf/template.txt
+++ b/TGenshi/etc/postfix/ldap-canonical.cf/template.txt
@ -0,0 +1,4 @@
 {% with query="(&(mail=%s)(canonicalAlias=*))";
        result="canonicalAlias" %}\
 {%   include /var/lib/bcfg2/etc/genshi/postfix_ldap.txt %}\
 {% end %}\
--- a/TGenshi/etc/postfix/ldap-sqlgrey.cf/info
+++ b/TGenshi/etc/postfix/ldap-sqlgrey.cf/info
@ -0,0 +1,3 @@
 owner: root
 group: root
 perms: 0600
--- a/TGenshi/etc/postfix/ldap-sqlgrey.cf/template.txt
+++ b/TGenshi/etc/postfix/ldap-sqlgrey.cf/template.txt
@ -0,0 +1,5 @@
 {% with comment="Test si le greylisting est active pour un certain compte.";
        query="(|(uid=%u)(mailAlias=%u)(canonicalAlias=%u))";
        result="contourneGreylist" %}\
 {%   include /var/lib/bcfg2/etc/genshi/postfix_ldap.txt %}\
 {% end %}\
--- a/TGenshi/etc/postfix/main.cf/template.txt
+++ b/TGenshi/etc/postfix/main.cf/template.txt
@ -4,53 +4,39 @@
 #
 # Fichier de configuration principal de postfix.
-## On change le style de parsing parceque sinon c'est vraiment relou
+{% include /var/lib/bcfg2/etc/genshi/utils.txt %}\
 #compiler-settings
 cheetahVarStartToken = @
 commentStartToken = %#
 multilineCommentStartToken = %*
 multilineCommentEndToken = *%
 directiveStartToken = %
 directiveEndToken = %
 #end compiler-settings
-%# +------------------------+
+{# +------------------------+ #}\
-%# | Utils pour le template |
+{# | Utils pour le template | #}\
-%# +------------------------+
+{# +------------------------+ #}\
 {% python
    mx = has("mail-mx")
 	# Indique si c'est un MX principal ou secondaire.
 	main = has("mail-mx-main")
 	secondary = has("mail-mx-secondary")
 	# Indique si c'est un MX public, par exemple le serveur
 	# des adherents est utilise uniquement en interne
 	public = has("mail-mx-public")
-%set @mx = "mail-mx" in @metadata.groups
+	# Si vrai alors delivre localement les mails des adherents.
-%# Indique si c'est un MX principal ou secondaire.
+	users = has("users")
 %set @main = "mail-mx-main" in @metadata.groups
 %set @secondary = "mail-mx-secondary" in @metadata.groups
 %# Indique si c'est un MX public, par exemple le serveur
 %# des adherents est utilise uniquement en interne
 %set @public = "mail-mx-public" in @metadata.groups
-%# Si vrai alors delivre localement les mails des adherents.
+	# Si vrai alors passe les mails des ml a mailman
-%set @users = "users" in @metadata.groups
+	manage_ml = has("mailing-list-manager")
-%# Si vrai alors passe les mails des ml a mailman
+	# La base de donnee utilise (pour les mx)
-%set @manage_ml = "mailing-list-manager" in @metadata.groups
+	if has("ldap"):
-
+	    db = "ldap"
-%# La base de donnee utilise
+    elif has("pgsql"):
-%if "ldap" in @metadata.groups
+	    db = "pgsql"
-  %set @db = "ldap"
+%}\
 %elif "pgsql" in @metadata.groups
  %set @db = "pgsql"
 %else
  %raise Exception("aucune base de donne trouvee!")
 %end if
 %set @shorthostname = @metadata.hostname.split('.',1)[0]
 %def yesno(@b): %if @b then yes else no%
 # +------------------+
 # | Variables utiles |
 # +------------------+
 # Definition par securite (sinon il utilise gethostname)
-myhostname = @{shorthostname}.crans.org
+myhostname = ${hostname}.crans.org
 mydomain = crans.org
 # Origine des mails
@ -58,60 +44,60 @@ myorigin = crans.org
 # Reseaux locaux
 mynetworks = 127.0.0.1/8
-%if @mx
+{% if mx %}\
             138.231.136.0/21, 138.231.144.0/21, 138.231.148.0/22
-%end if
+{% end %}\
-%if not @mx
+{%if not mx %}\
 # Ecoute en local uniquement
 inet_interfaces = loopback-only
-%end if
+{% end %}\
-%if @mx
+{% if mx %}\
 # Destinations acceptees
-mydestination = @shorthostname, $myhostname,
+mydestination = $hostname, $$myhostname,
- 	      	localhost, localhost.$mydomain
+ 	      	localhost, localhost.$$mydomain
-  %if @main
+{%   if main %}\
-		$mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr,
+		$$mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr,
 		install-party.ens-cachan.fr
-  %end if
+{%   end %}\
-  %if @manage_ml
+{%   if manage_ml %}
-    		lists.$mydomain
+    		lists.$$mydomain
-  %end if
+{%   end %}\
-%end if
+{% end %}\
-%if @mx
+{% if mx %}\
 # Domaine relaye par ce MX
-relay_domains = $mydestination,
+relay_domains = $$mydestination,
-  %if @secondary
+{%   if secondary %}\
-		$mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr,
+		$$mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr,
 		install-party.ens-cachan.fr
-  %end if
+{%   end %}\
-  %if @public and not @manage_ml
+{%   if public and not manage_ml %}\
-		lists.$mydomain
+		lists.$$mydomain
-  %end if
+{%   end %}\
-%end if
+{% end %}\
-%if not @mx
+{% if not mx %}\
 # Les mails sont envoyes au MX principal
 relayhost = smtp.adm.crans.org
-%end if
+{% end %}\
 # Etre notifie ou non de l'arrive de nouveaux mails
-biff = @yesno(@users)
+biff = ${yesno(users)}
-%if @mx
+{% if mx %}\
 # Pour pouvoir tester sans tout casser, on active les soft bounces.
 # Ca permet aux mails de ne pas etre bounces en cas d'erreur, mais
 # a la place, de renvoyer une erreur non permanente. En production
 # il faut enlever ca.
 soft_bounce = no
-%end if
+{% end %}\
-%if @users
+{% if users %}\
 # On delivre dans des maildir
 mail_spool_directory = /var/mail/
-%end if
+{% end %}\
 # +--------+
 # | Divers |
@ -121,20 +107,21 @@ mail_spool_directory = /var/mail/
 delay_warning_time = 24h
 # Esthetisme
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+smtpd_banner = $$myhostname ESMTP $$mail_name (Debian/GNU)
-%if @mx
+{% choose %}\
 {%   when mx %}\
 # Reecriture des entetes
 canonical_maps = ldap:/etc/postfix/ldap-canonical.cf
-%else
+{%   otherwise %}\
 # Reecriture des entetes: @host.crans.org -> @crans.org
 canonical_maps = regexp:/etc/postfix/canonical
-%end if
+{% end %}\
-%if @mx
+{% if mx %}\
 # Par ou passer (notement pour la distrtibution des adresse locales par bleu)
 transport_maps = hash:/etc/postfix/transport
-%end if
+{% end %}\
 # Une infinite d'adresses mail par personne
 recipient_delimiter = +
@ -145,28 +132,28 @@ recipient_delimiter = +
 # Les fichiers d'alias (pour newaliases)
 alias_database = hash:/etc/postfix/aliases
-%if @manage_ml
+{% if manage_ml %}\
                 hash:/var/lib/mailman/data/aliases
-%end if
+{% end %}\
-alias_maps = $alias_database
+alias_maps = $$alias_database
-%if @mx
+{% if mx %}\
 # Plus les alias dans la base de donnees
 	     ldap:/etc/postfix/ldap-aliases.cf
-%end if
+{% end %}\
-%if @mx
+{% if mx %}\
 # On prend aussi en compte les utilisateurs de /etc/passwd
-local_recipient_maps = $alias_maps unix:passwd.byname
+local_recipient_maps = $$alias_maps unix:passwd.byname
-%end if
+{% end %}\
-%if @mx
+{% if mx %}\
 # Les anciennes ML @crans.org, @crans.ens-cachan.fr -> @lists.crans.org
 virtual_alias_maps = hash:/etc/postfix/virtual
-%end if
+{% end %}\
-%# Pour les non-mx il n'y a plus rien d'interessant jusqu'a la fin
+{# Pour les non-mx il n'y a plus rien d'interessant jusqu'a la fin #}\
-%if @mx
+{% if mx %}\
 # +-------------+
 # | TLS et SASL |
 # +-------------+
@ -195,21 +182,21 @@ smtp_tls_session_cache_database = sdbm:/var/run/smtp_tls_session_cache
 tls_random_source = dev:/dev/urandom
 tls_daemon_random_source = dev:/dev/urandom
-%if @main
+{% if main %}\
 # Authentification SASL pour relayer du mail
 smtpd_sasl_auth_enable = yes
 # Auth que si tls pour eviter des pass en clair sur le reseau
 smtpd_tls_auth_only = yes
-%end if
+{% end %}\
 # +--------------------------+
 # | Filtrages et limitations |
 # +--------------------------+
-%if @main
+{% if main %}\
 # Filtrage sur les sources de connexions
 smtpd_client_restrictions = reject_rbl_client rbl-plus.mail-abuse.org
-%end if
+{% end %}\
 ## Filtrage au MAIL FROM
 # Rejet si le domaine de l'envoyeur n'est pas dans un DNS
@ -220,18 +207,18 @@ smtpd_sender_restrictions = reject_unknown_sender_domain
 smtpd_recipient_restrictions = permit_mynetworks
 # rejette les recipients sans nom de domaine totalement qualifie
                               reject_non_fqdn_recipient
-%if @main
+{% if main %}\
 # permet si le client est authentifie
 			       permit_sasl_authenticated
-%end if
+{% end %}\
 # rejette les destinations non locales
 			       reject_unauth_destination
-%if @public
+{% if public %}\
 # accepte si le champ contourneGreylist de la base est a OK
 			       check_recipient_access ldap:/etc/postfix/ldap-sqlgrey.cf
 # accepte si la greylist est d'accord
 			       check_policy_service inet:127.0.0.1:2501
-%endif
+{% end %}\
 # jette le reste
 # Tailles maximales : 4Mo pour les msgs et 75 pour les mbox
@ -239,20 +226,20 @@ message_size_limit = 4194304
 mailbox_size_limit = 78643000
 # Obligation de specifier le nom de domaine complet
-append_dot_mydomain = @yesno(@secondary)
+append_dot_mydomain = ${yesno(secondary)}
-%if @main
+{% if main %}\
 ## Filtrage AV
 # Amavis + tuning lmtp
 content_filter = lmtp:[amavis.adm.crans.org]:10024
 lmtp_data_done_timeout=1200
 lmtp_send_xforward_command=yes
-%endif
+{% end %}\
 # Pieces jointes
 mime_header_checks = regexp:/etc/postfix/mime_header_checks
-%if not @secondary
+{% if not secondary %}\
 # +----------------------+
 # | Connexion de secours |
 # +----------------------+
@ -260,6 +247,7 @@ mime_header_checks = regexp:/etc/postfix/mime_header_checks
 ### BEGIN RESCUE MODE
 #relayhost = [ultra-adsl.crans.org]:25
 ### END RESCUR MODE
-%endif
+{% end %}\
-%end if
+{# Fin de la conf specifique au mx #}
 {% end %}\
--- a/TGenshi/etc/postfix/master.cf/template.txt
+++ b/TGenshi/etc/postfix/master.cf/template.txt
@ -2,32 +2,25 @@
 #
 # Fichier gere par BCfg2
 #
-# Fichier de configuration des demons de postfix
+# Fichier de configuration des demons de postfix.
-#compiler-settings
+{% include /var/lib/bcfg2/etc/genshi/utils.txt %}\
 cheetahVarStartToken = @
 commentStartToken = %#
 multilineCommentStartToken = %*
 multilineCommentEndToken = *%
 directiveStartToken = %
 directiveEndToken = %
 #end compiler-settings
-%# +------------------------+
+{# +------------------------+ #}\
-%# | Utils pour le template |
+{# | Utils pour le template | #}\
-%# +------------------------+
+{# +------------------------+ #}\
 {% python
    # Indique si c'est un MX principal ou secondaire.
    main = has("mail-mx-main")
    secondary = has("mail-mx-secondary")
    # Indique si c'est un MX public, par exemple le serveur
    # des adherents est utilise uniquement en interne
    public = has("mail-mx-public")
-%# Indique si c'est un MX principal ou secondaire.
+    pub = pubhostname
-%set @main = "mail-mx-main" in @metadata.groups
+    adm = admhostname
-%set @secondary = "mail-mx-secondary" in @metadata.groups
+    loc = "127.0.0.1"
-%# Indique si c'est un MX public, par exemple le serveur
+%}\
 %# des adherents est utilise uniquement en interne
 %set @public = "mail-mx-public" in @metadata.groups
 %set @shorthostname = @metadata.hostname.split('.',1)[0]
 %set @pub = @shorthostname + ".crans.org"
 %set @adm = @shorthostname + ".adm.crans.org"
 %set @loc = "127.0.0.1"
 # Postfix master process configuration file.  Each line describes how
 # a mailer component program should be run. The fields that make up
@ -98,11 +91,11 @@ directiveEndToken = %
 # service type	private	unpriv	chroot	wakeup	maxproc	command + args
 # 		(yes)	(yes)	(yes)	(never)	(50)
 # ==========================================================================
-@pub:smtp inet	n	-	-	-	-	smtpd
+$pub:smtp inet	n	-	-	-	-	smtpd
-%if not @public
+{% if not public %}\
 	-o content_filter=lmtp:[amavis.adm.crans.org]:10024
-%end if
+{% end %}\
-@loc:smtp inet	n	-	-	-	-	smtpd
+$loc:smtp inet	n	-	-	-	-	smtpd
 #628	  inet	n	-	-	-	-	qmqpd
 pickup	  fifo	n	-	-	60	1	pickup
 cleanup	  unix	n	-	-	-	0	cleanup
@ -143,11 +136,11 @@ smtps	  inet	n	-	-	-	-	smtpd -o smtpd_tls_wrappermode=yes
 587	  inet	n	-	-	-	-	smtpd -o smtpd_enforce_tls=yes
 tlsmgr    fifo  -       -       n       300     1       tlsmgr
-%if @main
+{% if main %}\
 # Serveur smtp pour recuperation des mails d'amavis
 # Verifie uniquement que le source viens bien du reseau
 # d'administration
-@adm:smtp inet	n	-	n	-	-	smtpd
+$adm:smtp inet	n	-	n	-	-	smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o smtpd_helo_restrictions=
@ -155,4 +148,4 @@ tlsmgr    fifo  -       -       n       300     1       tlsmgr
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=138.231.144.0/24
-%end if
+{% end %}\
--- a/TGenshi/etc/postfix/transport/template.txt
+++ b/TGenshi/etc/postfix/transport/template.txt
@ -4,21 +4,24 @@
 #
 # Transport des mails.
-#if "mailing-list-manager" in $metadata.groups
+{% include /var/lib/bcfg2/etc/genshi/utils.txt %}\
 {% choose %}\
 {%   when has("mailing-list-manager") %}\
 # Les mailing-listes sont delivrees localement
 lists.crans.org              local
-#else
+{%   otherwise %}\
 lists.crans.org              smtp:[lists.adm.crans.org]
-#end if
+{% end %}\
-#if "news-server" in $metadata.groups
+{% if has("news-server") %}\
 # Le corbeau, c'est ici
 corbeau@crans.org            local
-#end if
+{% end %}\
-#if not "users" in $medatata.groups
+{% if not "users" in $medatata.groups %}\
 # C'est le serveur des adherents qui fait les livraisons des
 # adresses clubs et adherents
 crans.org                    smtp:[users.adm.crans.org]
 crans.ens-cachan.fr          smtp:[users.adm.crans.org]
 install-party.ens-cachan.fr  smtp:[users.adm.crans.org]
 clubs.ens-cachan.fr          smtp:[users.adm.crans.org]
-#end if
+{% end %}\
--- a/TGenshi/etc/ssh/sshd_config/template.txt
+++ b/TGenshi/etc/ssh/sshd_config/template.txt
@ -0,0 +1,81 @@
 # -*- mode: conf -*-
 #
 # See the sshd(8) manpage for details
 {% include /var/lib/bcfg2/etc/genshi/utils.txt %}\
 # What ports, IPs and protocols we listen for
 Port 22
 # Use these options to restrict which interfaces/protocols sshd will bind to
 #ListenAddress ::
 #ListenAddress 0.0.0.0
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_dsa_key
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 # Lifetime and size of ephemeral version 1 server key
 KeyRegenerationInterval 3600
 ServerKeyBits 768
 # Logging
 SyslogFacility AUTH
 LogLevel INFO
 # Authentication:
 LoginGraceTime 120
 PermitRootLogin yes
 StrictModes yes
 RSAAuthentication yes
 PubkeyAuthentication yes
 #AuthorizedKeysFile	%h/.ssh/authorized_keys
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh_known_hosts
 RhostsRSAAuthentication no
 # similar for protocol version 2
 HostbasedAuthentication no
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
 PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 ChallengeResponseAuthentication yes
 # Change to no to disable tunnelled clear text passwords
 PasswordAuthentication no
 # Kerberos options
 #KerberosAuthentication no
 #KerberosGetAFSToken no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 X11Forwarding ${yesno(has("users"))}
 X11Forwarding no
 X11DisplayOffset 10
 PrintMotd yes
 PrintLastLog yes
 TCPKeepAlive yes
 #UseLogin no
 #MaxStartups 10:30:60
 #Banner /etc/issue.net
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server
 UsePAM yes
--- a/etc/genshi/ldap.txt
+++ b/etc/genshi/ldap.txt
@ -0,0 +1,9 @@
 {% python
    if has("db-server") in metadata.groups:
        # Pour ceux qui ont la base ou une copie en locale
        # on regarde dans celle-ci
        ldap_host = "ldap://localhost/"
    else:
        # Sinon on regarde dans la base principale
        ldap_host = "ldap://ldap.adm.crans.org/"
 %}\
--- a/etc/genshi/postfix_ldap.txt
+++ b/etc/genshi/postfix_ldap.txt
@ -0,0 +1,29 @@
 # -*- coding: utf-8; mode: conf-unix -*-
 {# Ce fichier sert de template pour les fichiers /etc/postfix/ldap-*.cf #}\
 {# Pour l'utuliser, il faut l'inclure en instanciant les variables:     #}\
 {# query: requete faite a la base                                       #}\
 {# result: le champ a recuperer dans le resultat                        #}\
 {# comment(optionnel): commentaire en debut de fichier                  #}\
 #
 # Fichier gere par BCfg2
 {% if defined(comment) %}\
 #
 # $comment
 {% end %}\
 {% include /var/lib/bcfg2/etc/genshi/ldap.txt %}\
 # Connexion LDAP
 server_host = $ldap_host
 search_base = ou=data,dc=crans,dc=org
 version = 3
 bind = yes
 bind_dn = cn=postfix,dc=crans,dc=org
 bind_pw = $ldap_password_readonly
 # Requete faite a la base, %s est remplace
 # par l'alias recherche
 query_filter = $query
 # Le champ qui nous interresse en particulier
 result_attribute = $result
--- a/etc/genshi/utils.py
+++ b/etc/genshi/utils.py
@ -0,0 +1,44 @@
 # -*- mode: python; coding: utf-8 -*-
 #
 # utils.py
 # --------
 #
 # Copyright (C) 2007 Jeremie Dimino <jeremie@dimino.org>
 #
 # This file is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # This file is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA.
 # Ce fichier contient des definitions de variables et fonctions qui
 # peuvent etre utiles dans la plupart des templates du crans.
 # Le nom d'hote court, la partie avant le premier '.'
 hostname = metadata.hostname.split('.',1)[0]
 # Le nom d'hote sur le vlan public
 pubhostname = hostname + ".crans.org"
 # Le nom d'hote sur le vlan
 admhostname = hostname + ".adm.crans.org"
 def yesno(b):
    if b:
        return "yes"
    else:
        return "no"
 def onoff(b):
    if b:
        return "on"
    else:
        return "off"
--- a/etc/genshi/utils.txt
+++ b/etc/genshi/utils.txt
@ -0,0 +1,9 @@
 {# Definitions utiles pour les templates #}\
 {% python
    import os
    os.sys.path.append('/var/lib/bcfg2/etc/genshi')
    from utils import *
    def has(group):
        return group in metadata.groups
 %}\