Retrait du plugin Genshi

Il fallait mettre la version svn et modifier bcfg2 pour avoir les trucs bien
mais maintenant on peut faire mieux avec le plugin Python donc ça sert à rien
de s'embeter.

darcs-hash:20080410185335-c41ad-37542a59af3f3506d5b7b4f11164742deae6d83b.gz

Python/etc/bcfg2.conf

@@ -8,7 +8,7 @@ if has("bcfg2-server"):
     @[server]
     %repository = "/var/lib/bcfg2"
     %structures = "Bundler,Base"
-    %generators = "SSHbase,Cfg,TGenshi,Rules,Python"
+    %generators = "SSHbase,Cfg,Rules,Python"
     %svn = "no"
 
 @[statistics]

Python/etc/crans/secrets/secrets.py

@@ -0,0 +1 @@
+print file("/etc/crans/secrets/secrets.py").read()

Python/etc/postfix/master.cf

@@ -0,0 +1,181 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("ip")
+
+header("Fichier de configuration des démons de postfix.")
+
+@# +------------------------+
+@# | Utils pour le template |
+@# +------------------------+
+
+# Indique si c'est un MX principal ou secondaire.
+main = has("mail-mx-main")
+secondary = has("mail-mx-secondary")
+# Indique si c'est un MX public, par exemple le serveur
+# des adherents est utilise uniquement en interne
+public = has("mail-mx-public")
+
+# Si vrai alors delivre localement les mails des adherents.
+users = has("users")
+
+pub = pubip()
+adm = admip()
+loc = "127.0.0.1"
+
+@# Postfix master process configuration file.  Each line describes how
+@# a mailer component program should be run. The fields that make up
+@# each line are described below. A "-" field value requests that a
+@# default value be used for that field.
+@#
+@# Service: any name that is valid for the specified transport type
+@# (the next field).  With INET transports, a service is specified as
+@# host:port.  The host part (and colon) may be omitted. Either host
+@# or port may be given in symbolic form or in numeric form. Examples
+@# for the SMTP server:  localhost:smtp receives mail via the loopback
+@# interface only; 10025 receives mail on port 10025.
+@#
+@# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
+@# sockets, "fifo" for named pipes.
+@#
+@# Private: whether or not access is restricted to the mail system.
+@# Default is private service.  Internet (inet) sockets can't be private.
+@#
+@# Unprivileged: whether the service runs with root privileges or as
+@# the owner of the Postfix system (the owner name is controlled by the
+@# mail_owner configuration variable in the main.cf file).
+@#
+@# Chroot: whether or not the service runs chrooted to the mail queue
+@# directory (pathname is controlled by the queue_directory configuration
+@# variable in the main.cf file). Presently, all Postfix daemons can run
+@# chrooted, except for the pipe, virtual and local delivery daemons.
+@# The files in the examples/chroot-setup subdirectory describe how
+@# to set up a Postfix chroot environment for your type of machine.
+@#
+@# Wakeup time: automatically wake up the named service after the
+@# specified number of seconds. A ? at the end of the wakeup time
+@# field requests that wake up events be sent only to services that
+@# are actually being used.  Specify 0 for no wakeup. Presently, only
+@# the pickup, queue manager and flush daemons need a wakeup timer.
+@#
+@# Max procs: the maximum number of processes that may execute this
+@# service simultaneously. Default is to use a globally configurable
+@# limit (the default_process_limit configuration parameter in main.cf).
+@# Specify 0 for no process count limit.
+@#
+@# Command + args: the command to be executed. The command name is
+@# relative to the Postfix program directory (pathname is controlled by
+@# the program_directory configuration variable). Adding one or more
+@# -v options turns on verbose logging for that service; adding a -D
+@# option enables symbolic debugging (see the debugger_command variable
+@# in the main.cf configuration file). See individual command man pages
+@# for specific command-line options, if any.
+@#
+@# In order to use the "uucp" message tranport below, set up entries
+@# in the transport table.
+@#
+@# In order to use the "cyrus" message transport below, configure it
+@# in main.cf as the mailbox_transport.
+@#
+@# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
+@# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
+@#
+@# DO NOT CHANGE THE ZERO PROCESS LIMIT FOR CLEANUP/BOUNCE/DEFER OR
+@# POSTFIX WILL BECOME STUCK UP UNDER HEAVY LOAD
+@#
+@# DO NOT CHANGE THE ONE PROCESS LIMIT FOR PICKUP/QMGR OR POSTFIX WILL
+@# DELIVER MAIL MULTIPLE TIMES.
+@#
+@# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
+@#
+@# ==========================================================================
+@# service type	private	unpriv	chroot	wakeup	maxproc	command + args
+@# 		(yes)	(yes)	(yes)	(never)	(50)
+@# ==========================================================================
+if main:
+    @smtp      inet  n       -       -       -       -       smtpd
+    @smtps     inet  n       -       -       -       -       smtpd
+    @  -o smtpd_tls_wrappermode=yes
+    @  -o smtpd_sasl_auth_enable=yes
+    @  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+else:
+    print pub + ":smtp inet	n	-	-	-	-	smtpd"
+    if not public:
+        print "  -o content_filter=lmtp:[amavis.adm.crans.org]:10024"
+    print loc + ":smtp inet	n	-	-	-	-	smtpd"
+#628	  inet	n	-	-	-	-	qmqpd
+@pickup   fifo	n	-	-	60	1	pickup
+@cleanup  unix	n	-	-	-	0	cleanup
+@qmgr     fifo	n	-	-	300	1	qmgr
+#qmgr	  fifo	n	-	-	300	1	nqmgr
+@rewrite	  unix	-	-	-	-	-	trivial-rewrite
+@bounce	  unix	-	-	-	-	0	bounce
+@defer	  unix	-	-	-	-	0	bounce
+@trace	  unix	-	-	-	-	0	bounce
+@verify	  unix	-	-	-	-	1	verify
+@flush	  unix	n	-	-	1000?	0	flush
+@proxymap unix	-	-	n	-	-	proxymap
+@smtp	  unix	-	-	-	-	-	smtp
+# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
+@relay     unix  -       -       -       -       -       smtp
+if main:
+    @  -o fallback_relay=
+@showq     unix	n	-	-	-	-	showq
+@error     unix	-	-	-	-	-	error
+@discard   unix  -       -       -       -       -       discard
+@local	  unix	-	n	n	-	-	local
+@virtual	  unix	-	n	n	-	-	virtual
+@lmtp	  unix	-	-	n	-	5	lmtp
+@anvil     unix  -       -       -       -       1       anvil
+@scache	  unix	-	-	-	-	1	scache
+@#
+@# Interfaces to non-Postfix software. Be sure to examine the manual
+@# pages of the non-Postfix software to find out what options it wants.
+@# The Cyrus deliver program has changed incompatibly.
+@#
+@cyrus	  unix	-	n	n	-	-	pipe
+@  flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m $${extension} $${user}
+@uucp	  unix	-	n	n	-	-	pipe
+@  flags=Fqhu user=uucp argv=uux -r -n -z -a$$sender - $$nexthop!rmail ($$recipient)
+@ifmail    unix  -       n       n       -       -       pipe
+@  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $$nexthop ($$recipient)
+@bsmtp     unix  -       n       n       -       -       pipe
+@  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$$nexthop -f$$sender $$recipient
+@scalemail-backend unix	-	n	n	-	2	pipe
+@  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $${nexthop} $${user} $${extension}
+
+@# only used by postfix-tls
+@smtps	  inet	n	-	-	-	-	smtpd -o smtpd_tls_wrappermode=yes
+@587	  inet	n	-	-	-	-	smtpd -o smtpd_enforce_tls=yes
+@tlsmgr    unix  -       -       n       300     1       tlsmgr
+
+if users:
+    @# Smtp pour la reception des mails venant des autres MX
+    @# a verifier que ca vient du vlan adm.
+    print adm + ":smtp inet	n	-	n	-	-	smtpd"
+    @    -o content_filter=
+    @    -o local_recipient_maps=
+    @    -o smtpd_helo_restrictions=
+    @    -o smtpd_client_restrictions=
+    @    -o smtpd_sender_restrictions=
+    @    -o smtpd_recipient_restrictions=permit_mynetworks,reject
+    @    -o mynetworks=10.231.136.0/24
+if main:
+    @# Smtp pour la recuperation en local des mails d'amavis
+    print loc + ":10025 inet n    -       n       -       -     smtpd"
+    @      -o content_filter=
+    @      -o smtpd_delay_reject=no
+    @      -o smtpd_client_restrictions=permit_mynetworks,reject
+    @      -o smtpd_helo_restrictions=
+    @      -o smtpd_sender_restrictions=
+    @      -o smtpd_recipient_restrictions=permit_mynetworks,reject
+    @      -o smtpd_data_restrictions=reject_unauth_pipelining
+    @      -o smtpd_end_of_data_restrictions=
+    @      -o smtpd_restriction_classes=
+    @      -o mynetworks=127.0.0.0/8
+    @      -o smtpd_error_sleep_time=0
+    @      -o smtpd_soft_error_limit=1001
+    @      -o smtpd_hard_error_limit=1000
+    @      -o smtpd_client_connection_count_limit=0
+    @      -o smtpd_client_connection_rate_limit=0
+    @      -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
+    @      -o local_header_rewrite_clients=

Python/etc/ssh/sshd_config

@@ -0,0 +1,80 @@
+# -*- coding: utf-8; mode: python -*-
+
+include("mode/space")
+
+header("Configuration du serveur ssh")
+
+@# What ports, IPs and protocols we listen for
+@Port 22
+@# Use these options to restrict which interfaces/protocols sshd will bind to
+@#ListenAddress ::
+@#ListenAddress 0.0.0.0
+@Protocol 2
+@# HostKeys for protocol version 2
+@HostKey /etc/ssh/ssh_host_rsa_key
+@HostKey /etc/ssh/ssh_host_dsa_key
+@#Privilege Separation is turned on for security
+@UsePrivilegeSeparation yes
+
+@# Lifetime and size of ephemeral version 1 server key
+@KeyRegenerationInterval 3600
+@ServerKeyBits 768
+
+@# Logging
+@SyslogFacility AUTH
+@LogLevel INFO
+
+@# Authentication:
+@LoginGraceTime 120
+@PermitRootLogin yes
+@StrictModes yes
+
+@RSAAuthentication yes
+@PubkeyAuthentication yes
+@#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+@# Don't read the user's ~/.rhosts and ~/.shosts files
+@IgnoreRhosts yes
+@# For this to work you will also need host keys in /etc/ssh_known_hosts
+@RhostsRSAAuthentication no
+@# similar for protocol version 2
+@HostbasedAuthentication no
+@# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+@#IgnoreUserKnownHosts yes
+
+@# To enable empty passwords, change to yes (NOT RECOMMENDED)
+@PermitEmptyPasswords no
+
+@# Change to yes to enable challenge-response passwords (beware issues with
+@# some PAM modules and threads)
+@ChallengeResponseAuthentication yes
+
+@# Change to no to disable tunnelled clear text passwords
+@PasswordAuthentication no
+
+@# Kerberos options
+@#KerberosAuthentication no
+@#KerberosGetAFSToken no
+@#KerberosOrLocalPasswd yes
+@#KerberosTicketCleanup yes
+
+@# GSSAPI options
+@#GSSAPIAuthentication no
+@#GSSAPICleanupCredentials yes
+
+%X11Forwarding yesno(has("users"))
+@X11DisplayOffset 10
+@PrintMotd yes
+@PrintLastLog yes
+@TCPKeepAlive yes
+@#UseLogin no
+
+@#MaxStartups 10:30:60
+@#Banner /etc/issue.net
+
+@# Allow client to pass locale environment variables
+@AcceptEnv LANG LC_*
+
+@Subsystem sftp /usr/lib/openssh/sftp-server
+
+@UsePAM yes