diff --git a/Python/etc/bcfg2.conf b/Python/etc/bcfg2.conf
index baf142b..90483f3 100644
--- a/Python/etc/bcfg2.conf
+++ b/Python/etc/bcfg2.conf
@@ -8,7 +8,7 @@ if has("bcfg2-server"):
 @[server]
 %repository = "/var/lib/bcfg2"
 %structures = "Bundler,Base"
- %generators = "SSHbase,Cfg,TGenshi,Rules,Python"
+ %generators = "SSHbase,Cfg,Rules,Python"
 %svn = "no"
 @[statistics]
diff --git a/Python/etc/crans/secrets/secrets.py b/Python/etc/crans/secrets/secrets.py
new file mode 100644
index 0000000..84e80d3
--- /dev/null
+++ b/Python/etc/crans/secrets/secrets.py
@@ -0,0 +1 @@
+print file("/etc/crans/secrets/secrets.py").read()
diff --git a/Python/etc/postfix/master.cf b/Python/etc/postfix/master.cf
new file mode 100644
index 0000000..1e86ae2
--- /dev/null
+++ b/Python/etc/postfix/master.cf
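Review bot: `print file("/etc/crans/secrets/secrets.py").read()` copies the whole server-side secrets file into the generated entry with no `has(...)` condition, so every client bound to this entry receives it in full; which clients those are is decided by the bundle, outside this diff, and is worth stating here with a comment such as `# Emits the server's secrets file verbatim: keep this entry bound only to hosts that need it.` The `file()` handle is never closed and `print` appends a newline, so the served copy can differ from the source by a trailing byte; `with open("/etc/crans/secrets/secrets.py") as f: sys.stdout.write(f.read())` (after `import sys`) avoids both, assuming the generator captures stdout the same way it captures `print`, which the diff does not show. A read failure on the server raises straight out of the template, which is preferable to silently serving an empty file, so that part can stay as it is.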
@@ -0,0 +1,181 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("ip")
+
+header("Fichier de configuration des démons de postfix.")
+
+@# +------------------------+
+@# | Utils pour le template |
+@# +------------------------+
+
+# Indique si c'est un MX principal ou secondaire.
+main = has("mail-mx-main")
+secondary = has("mail-mx-secondary")
+# Indique si c'est un MX public, par exemple le serveur
+# des adherents est utilise uniquement en interne
+public = has("mail-mx-public")
+
+# Si vrai alors delivre localement les mails des adherents.
+users = has("users")
+
+pub = pubip()
+adm = admip()
+loc = "127.0.0.1"
+
+@# Postfix master process configuration file. Each line describes how
+@# a mailer component program should be run. The fields that make up
+@# each line are described below. A "-" field value requests that a
+@# default value be used for that field.
+@#
+@# Service: any name that is valid for the specified transport type
+@# (the next field). With INET transports, a service is specified as
+@# host:port. The host part (and colon) may be omitted. Either host
+@# or port may be given in symbolic form or in numeric form. Examples
+@# for the SMTP server: localhost:smtp receives mail via the loopback
+@# interface only; 10025 receives mail on port 10025.
+@#
+@# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
+@# sockets, "fifo" for named pipes.
+@#
+@# Private: whether or not access is restricted to the mail system.
+@# Default is private service. Internet (inet) sockets can't be private.
+@#
+@# Unprivileged: whether the service runs with root privileges or as
+@# the owner of the Postfix system (the owner name is controlled by the
+@# mail_owner configuration variable in the main.cf file).
+@#
+@# Chroot: whether or not the service runs chrooted to the mail queue
+@# directory (pathname is controlled by the queue_directory configuration
+@# variable in the main.cf file). Presently, all Postfix daemons can run
+@# chrooted, except for the pipe, virtual and local delivery daemons.
+@# The files in the examples/chroot-setup subdirectory describe how
+@# to set up a Postfix chroot environment for your type of machine.
+@#
+@# Wakeup time: automatically wake up the named service after the
+@# specified number of seconds. A ? at the end of the wakeup time
+@# field requests that wake up events be sent only to services that
+@# are actually being used. Specify 0 for no wakeup. Presently, only
+@# the pickup, queue manager and flush daemons need a wakeup timer.
+@#
+@# Max procs: the maximum number of processes that may execute this
+@# service simultaneously. Default is to use a globally configurable
+@# limit (the default_process_limit configuration parameter in main.cf).
+@# Specify 0 for no process count limit.
+@#
+@# Command + args: the command to be executed. The command name is
+@# relative to the Postfix program directory (pathname is controlled by
+@# the program_directory configuration variable). Adding one or more
+@# -v options turns on verbose logging for that service; adding a -D
+@# option enables symbolic debugging (see the debugger_command variable
+@# in the main.cf configuration file). See individual command man pages
+@# for specific command-line options, if any.
+@#
+@# In order to use the "uucp" message tranport below, set up entries
+@# in the transport table.
+@#
+@# In order to use the "cyrus" message transport below, configure it
+@# in main.cf as the mailbox_transport.
+@#
+@# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
+@# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
+@#
+@# DO NOT CHANGE THE ZERO PROCESS LIMIT FOR CLEANUP/BOUNCE/DEFER OR
+@# POSTFIX WILL BECOME STUCK UP UNDER HEAVY LOAD
+@#
+@# DO NOT CHANGE THE ONE PROCESS LIMIT FOR PICKUP/QMGR OR POSTFIX WILL
+@# DELIVER MAIL MULTIPLE TIMES.
+@#
+@# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
+@#
+@# ==========================================================================
+@# service type private unpriv chroot wakeup maxproc command + args
+@# (yes) (yes) (yes) (never) (50)
+@# ==========================================================================
+if main:
+ @smtp inet n - - - - smtpd
+ @smtps inet n - - - - smtpd
+ @ -o smtpd_tls_wrappermode=yes
+ @ -o smtpd_sasl_auth_enable=yes
+ @ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+else:
+ print pub + ":smtp inet n - - - - smtpd"
+ if not public:
+ print " -o content_filter=lmtp:[amavis.adm.crans.org]:10024"
+ print loc + ":smtp inet n - - - - smtpd"
+#628 inet n - - - - qmqpd
+@pickup fifo n - - 60 1 pickup
+@cleanup unix n - - - 0 cleanup
+@qmgr fifo n - - 300 1 qmgr
+#qmgr fifo n - - 300 1 nqmgr
+@rewrite unix - - - - - trivial-rewrite
+@bounce unix - - - - 0 bounce
+@defer unix - - - - 0 bounce
+@trace unix - - - - 0 bounce
+@verify unix - - - - 1 verify
+@flush unix n - - 1000? 0 flush
+@proxymap unix - - n - - proxymap
+@smtp unix - - - - - smtp
+# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
+@relay unix - - - - - smtp
+if main:
+ @ -o fallback_relay=
+@showq unix n - - - - showq
+@error unix - - - - - error
+@discard unix - - - - - discard
+@local unix - n n - - local
+@virtual unix - n n - - virtual
+@lmtp unix - - n - 5 lmtp
+@anvil unix - - - - 1 anvil
+@scache unix - - - - 1 scache
+@#
+@# Interfaces to non-Postfix software. Be sure to examine the manual
+@# pages of the non-Postfix software to find out what options it wants.
+@# The Cyrus deliver program has changed incompatibly.
+@#
+@cyrus unix - n n - - pipe
+@ flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m $${extension} $${user}
+@uucp unix - n n - - pipe
+@ flags=Fqhu user=uucp argv=uux -r -n -z -a$$sender - $$nexthop!rmail ($$recipient)
+@ifmail unix - n n - - pipe
+@ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $$nexthop ($$recipient)
+@bsmtp unix - n n - - pipe
+@ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$$nexthop -f$$sender $$recipient
+@scalemail-backend unix - n n - 2 pipe
+@ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $${nexthop} $${user} $${extension}
+
+@# only used by postfix-tls
+@smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes
+@587 inet n - - - - smtpd -o smtpd_enforce_tls=yes
+@tlsmgr unix - - n 300 1 tlsmgr
+
+if users:
+ @# Smtp pour la reception des mails venant des autres MX
+ @# a verifier que ca vient du vlan adm.
+ print adm + ":smtp inet n - n - - smtpd"
+ @ -o content_filter=
+ @ -o local_recipient_maps=
+ @ -o smtpd_helo_restrictions=
+ @ -o smtpd_client_restrictions=
+ @ -o smtpd_sender_restrictions=
+ @ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ @ -o mynetworks=10.231.136.0/24
+if main:
+ @# Smtp pour la recuperation en local des mails d'amavis
+ print loc + ":10025 inet n - n - - smtpd"
+ @ -o content_filter=
+ @ -o smtpd_delay_reject=no
+ @ -o smtpd_client_restrictions=permit_mynetworks,reject
+ @ -o smtpd_helo_restrictions=
+ @ -o smtpd_sender_restrictions=
+ @ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ @ -o smtpd_data_restrictions=reject_unauth_pipelining
+ @ -o smtpd_end_of_data_restrictions=
+ @ -o smtpd_restriction_classes=
+ @ -o mynetworks=127.0.0.0/8
+ @ -o smtpd_error_sleep_time=0
+ @ -o smtpd_soft_error_limit=1001
+ @ -o smtpd_hard_error_limit=1000
+ @ -o smtpd_client_connection_count_limit=0
+ @ -o smtpd_client_connection_rate_limit=0
+ @ -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
+ @ -o local_header_rewrite_clients=
diff --git a/Python/etc/ssh/sshd_config b/Python/etc/ssh/sshd_config
new file mode 100644
index 0000000..b6be06e
--- /dev/null
+++ b/Python/etc/ssh/sshd_config
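Review bot: With `main` true, `smtps` is defined twice in the generated master.cf: `@smtps inet n - - - - smtpd` inside `if main:` with `smtpd_sasl_auth_enable=yes` and `smtpd_client_restrictions=permit_sasl_authenticated,reject`, and again unconditionally as `@smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes` under `@# only used by postfix-tls`, with neither SASL nor client restrictions. Postfix does not merge duplicate service entries; I believe current versions refuse to start on a duplicate service/type pair and older ones keep only one of the two, and if the unrestricted one wins the authenticated-only submission listener is lost. Guard the second definition with `if not main:` (or drop it) and refresh the stale `postfix-tls` comment; the unconditional `@587 inet n - - - - smtpd -o smtpd_enforce_tls=yes` likewise carries no SASL or restriction overrides and depends silently on main.cf, which deserves a comment saying so. On a non-main, non-public MX the `-o content_filter=lmtp:[amavis.adm.crans.org]:10024` override applies only to the port-25 listener, so mail arriving on 465/587 is not routed through amavis unless main.cf sets content_filter globally — worth confirming and noting in a comment.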
@@ -0,0 +1,80 @@
+# -*- coding: utf-8; mode: python -*-
+
+include("mode/space")
+
+header("Configuration du serveur ssh")
+
+@# What ports, IPs and protocols we listen for
+@Port 22
+@# Use these options to restrict which interfaces/protocols sshd will bind to
+@#ListenAddress ::
+@#ListenAddress 0.0.0.0
+@Protocol 2
+@# HostKeys for protocol version 2
+@HostKey /etc/ssh/ssh_host_rsa_key
+@HostKey /etc/ssh/ssh_host_dsa_key
+@#Privilege Separation is turned on for security
+@UsePrivilegeSeparation yes
+
+@# Lifetime and size of ephemeral version 1 server key
+@KeyRegenerationInterval 3600
+@ServerKeyBits 768
+
+@# Logging
+@SyslogFacility AUTH
+@LogLevel INFO
+
+@# Authentication:
+@LoginGraceTime 120
+@PermitRootLogin yes
+@StrictModes yes
+
+@RSAAuthentication yes
+@PubkeyAuthentication yes
+@#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+@# Don't read the user's ~/.rhosts and ~/.shosts files
+@IgnoreRhosts yes
+@# For this to work you will also need host keys in /etc/ssh_known_hosts
+@RhostsRSAAuthentication no
+@# similar for protocol version 2
+@HostbasedAuthentication no
+@# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+@#IgnoreUserKnownHosts yes
+
+@# To enable empty passwords, change to yes (NOT RECOMMENDED)
+@PermitEmptyPasswords no
+
+@# Change to yes to enable challenge-response passwords (beware issues with
+@# some PAM modules and threads)
+@ChallengeResponseAuthentication yes
+
+@# Change to no to disable tunnelled clear text passwords
+@PasswordAuthentication no
+
+@# Kerberos options
+@#KerberosAuthentication no
+@#KerberosGetAFSToken no
+@#KerberosOrLocalPasswd yes
+@#KerberosTicketCleanup yes
+
+@# GSSAPI options
+@#GSSAPIAuthentication no
+@#GSSAPICleanupCredentials yes
+
+%X11Forwarding yesno(has("users"))
+@X11DisplayOffset 10
+@PrintMotd yes
+@PrintLastLog yes
+@TCPKeepAlive yes
+@#UseLogin no
+
+@#MaxStartups 10:30:60
+@#Banner /etc/issue.net
+
+@# Allow client to pass locale environment variables
+@AcceptEnv LANG LC_*
+
+@Subsystem sftp /usr/lib/openssh/sftp-server
+
+@UsePAM yes
diff --git a/TGenshi/etc/crans/secrets/secrets.py/template.txt b/TGenshi/etc/crans/secrets/secrets.py/template.txt
deleted file mode 100644
index 6e32225..0000000
--- a/TGenshi/etc/crans/secrets/secrets.py/template.txt
+++ /dev/null
@@ -1 +0,0 @@
-{% include /etc/crans/secrets/secrets.py %}
diff --git a/TGenshi/etc/postfix/master.cf/template.txt b/TGenshi/etc/postfix/master.cf/template.txt
deleted file mode 100644
index 3515a0e..0000000
--- a/TGenshi/etc/postfix/master.cf/template.txt
+++ /dev/null
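Review bot: `@PasswordAuthentication no` does not actually turn off password logins in this file, because `@ChallengeResponseAuthentication yes` together with `@UsePAM yes` leaves PAM keyboard-interactive authentication enabled, and `@PermitRootLogin yes` extends that to root. Unless a PAM challenge scheme such as one-time passwords is in use on these hosts (nothing in the diff suggests it), the lines should read `@ChallengeResponseAuthentication no` and `@PermitRootLogin without-password`, leaving `@PubkeyAuthentication yes` as the only interactive path. Separately, the deleted Genshi template followed its `yesno(has("users"))` line with a hard `X11Forwarding no`; the new template keeps only `%X11Forwarding yesno(has("users"))`, so X11 forwarding becomes enabled on `users` hosts — fine if intended, but it is a behaviour change worth a comment such as `@# X11 forwarding only on hosts that serve interactive users`.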
@@ -1,194 +0,0 @@ -# -*- coding: utf-8; mode: conf-unix -*- -# -# Fichier gere par BCfg2 -# -# Fichier de configuration des demons de postfix. - -{% include /var/lib/bcfg2/etc/genshi/utils.txt %}\ - -{# +------------------------+ #}\ -{# | Utils pour le template | #}\ -{# +------------------------+ #}\ -{% python - # Indique si c'est un MX principal ou secondaire. - main = has("mail-mx-main") - secondary = has("mail-mx-secondary") - # Indique si c'est un MX public, par exemple le serveur - # des adherents est utilise uniquement en interne - public = has("mail-mx-public") - - # Si vrai alors delivre localement les mails des adherents. - users = has("users") - - pub = pubhostname - adm = admhostname - loc = "127.0.0.1" -%}\ - -# Postfix master process configuration file. Each line describes how -# a mailer component program should be run. The fields that make up -# each line are described below. A "-" field value requests that a -# default value be used for that field. -# -# Service: any name that is valid for the specified transport type -# (the next field). With INET transports, a service is specified as -# host:port. The host part (and colon) may be omitted. Either host -# or port may be given in symbolic form or in numeric form. Examples -# for the SMTP server: localhost:smtp receives mail via the loopback -# interface only; 10025 receives mail on port 10025. -# -# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain -# sockets, "fifo" for named pipes. -# -# Private: whether or not access is restricted to the mail system. -# Default is private service. Internet (inet) sockets can't be private. -# -# Unprivileged: whether the service runs with root privileges or as -# the owner of the Postfix system (the owner name is controlled by the -# mail_owner configuration variable in the main.cf file). 
-# -# Chroot: whether or not the service runs chrooted to the mail queue -# directory (pathname is controlled by the queue_directory configuration -# variable in the main.cf file). Presently, all Postfix daemons can run -# chrooted, except for the pipe, virtual and local delivery daemons. -# The files in the examples/chroot-setup subdirectory describe how -# to set up a Postfix chroot environment for your type of machine. -# -# Wakeup time: automatically wake up the named service after the -# specified number of seconds. A ? at the end of the wakeup time -# field requests that wake up events be sent only to services that -# are actually being used. Specify 0 for no wakeup. Presently, only -# the pickup, queue manager and flush daemons need a wakeup timer. -# -# Max procs: the maximum number of processes that may execute this -# service simultaneously. Default is to use a globally configurable -# limit (the default_process_limit configuration parameter in main.cf). -# Specify 0 for no process count limit. -# -# Command + args: the command to be executed. The command name is -# relative to the Postfix program directory (pathname is controlled by -# the program_directory configuration variable). Adding one or more -# -v options turns on verbose logging for that service; adding a -D -# option enables symbolic debugging (see the debugger_command variable -# in the main.cf configuration file). See individual command man pages -# for specific command-line options, if any. -# -# In order to use the "uucp" message tranport below, set up entries -# in the transport table. -# -# In order to use the "cyrus" message transport below, configure it -# in main.cf as the mailbox_transport. -# -# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS. -# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL. 
-# -# DO NOT CHANGE THE ZERO PROCESS LIMIT FOR CLEANUP/BOUNCE/DEFER OR -# POSTFIX WILL BECOME STUCK UP UNDER HEAVY LOAD -# -# DO NOT CHANGE THE ONE PROCESS LIMIT FOR PICKUP/QMGR OR POSTFIX WILL -# DELIVER MAIL MULTIPLE TIMES. -# -# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES. -# -# ========================================================================== -# service type private unpriv chroot wakeup maxproc command + args -# (yes) (yes) (yes) (never) (50) -# ========================================================================== -{% choose %}\ -{% when main %}\ -smtp inet n - - - - smtpd -smtps inet n - - - - smtpd - -o smtpd_tls_wrappermode=yes - -o smtpd_sasl_auth_enable=yes - -o smtpd_client_restrictions=permit_sasl_authenticated,reject -{% end %}\ -{% otherwise %}\ -$pub:smtp inet n - - - - smtpd -{% if not public %}\ - -o content_filter=lmtp:[amavis.adm.crans.org]:10024 -{% end %}\ -$loc:smtp inet n - - - - smtpd -{% end %}\ -{% end %}\ -#628 inet n - - - - qmqpd -pickup fifo n - - 60 1 pickup -cleanup unix n - - - 0 cleanup -qmgr fifo n - - 300 1 qmgr -#qmgr fifo n - - 300 1 nqmgr -rewrite unix - - - - - trivial-rewrite -bounce unix - - - - 0 bounce -defer unix - - - - 0 bounce -trace unix - - - - 0 bounce -verify unix - - - - 1 verify -flush unix n - - 1000? 0 flush -proxymap unix - - n - - proxymap -smtp unix - - - - - smtp -{# When relaying mail as backup MX, disable fallback_relay to avoid MX loops #}\ -relay unix - - - - - smtp -{% if main %}\ - -o fallback_relay= -{% end %}\ -showq unix n - - - - showq -error unix - - - - - error -discard unix - - - - - discard -local unix - n n - - local -virtual unix - n n - - virtual -lmtp unix - - n - 5 lmtp -anvil unix - - - - 1 anvil -scache unix - - - - 1 scache -# -# Interfaces to non-Postfix software. Be sure to examine the manual -# pages of the non-Postfix software to find out what options it wants. -# The Cyrus deliver program has changed incompatibly. 
-# -cyrus unix - n n - - pipe - flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m $${extension} $${user} -uucp unix - n n - - pipe - flags=Fqhu user=uucp argv=uux -r -n -z -a$$sender - $$nexthop!rmail ($$recipient) -ifmail unix - n n - - pipe - flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $$nexthop ($$recipient) -bsmtp unix - n n - - pipe - flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$$nexthop -f$$sender $$recipient -scalemail-backend unix - n n - 2 pipe - flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $${nexthop} $${user} $${extension} - -# only used by postfix-tls -smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -587 inet n - - - - smtpd -o smtpd_enforce_tls=yes -tlsmgr unix - - n 300 1 tlsmgr - -{% choose %}\ -{% when users %}\ -# Smtp pour la reception des mails venant des autres MX -# a verifier que ca vient du vlan adm. -$adm:smtp inet n - n - - smtpd - -o content_filter= - -o local_recipient_maps= - -o smtpd_helo_restrictions= - -o smtpd_client_restrictions= - -o smtpd_sender_restrictions= - -o smtpd_recipient_restrictions=permit_mynetworks,reject - -o mynetworks=10.231.136.0/24 -{% end %}\ -{% when main %}\ -# Smtp pour la recuperation en local des mails d'amavis -127.0.0.1:10025 inet n - n - - smtpd - -o content_filter= - -o smtpd_delay_reject=no - -o smtpd_client_restrictions=permit_mynetworks,reject - -o smtpd_helo_restrictions= - -o smtpd_sender_restrictions= - -o smtpd_recipient_restrictions=permit_mynetworks,reject - -o smtpd_data_restrictions=reject_unauth_pipelining - -o smtpd_end_of_data_restrictions= - -o smtpd_restriction_classes= - -o mynetworks=127.0.0.0/8 - -o smtpd_error_sleep_time=0 - -o smtpd_soft_error_limit=1001 - -o smtpd_hard_error_limit=1000 - -o smtpd_client_connection_count_limit=0 - -o smtpd_client_connection_rate_limit=0 - -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters - -o local_header_rewrite_clients= -{% end %}\ -{% end %}\ 
diff --git a/TGenshi/etc/ssh/sshd_config/template.txt b/TGenshi/etc/ssh/sshd_config/template.txt
deleted file mode 100644
index d53cf1c..0000000
--- a/TGenshi/etc/ssh/sshd_config/template.txt
+++ /dev/null
@@ -1,81 +0,0 @@
-# -*- mode: conf -*-
-#
-# See the sshd(8) manpage for details
-
-{% include /var/lib/bcfg2/etc/genshi/utils.txt %}\
-
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 768
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin yes
-StrictModes yes
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile %h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication yes
-
-# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding ${yesno(has("users"))}
-X11Forwarding no
-X11DisplayOffset 10
-PrintMotd yes
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-UsePAM yes