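def opendkim():
    """Install OpenDKIM and generate the signing key for the configured domain.

    Must run as root (``check_root``).  Reads ``domain`` and ``docker_user``
    from the ``general`` section of the config, installs the packages,
    creates the postfix/dovecot log directories, generates a 2048-bit RSA
    key under ``/etc/opendkim`` and locks that directory down to the
    ``opendkim`` user.  Finally prints where the DNS record to publish is.

    Raises:
        subprocess.CalledProcessError: if any of the system commands fails
            (previously failures were silently ignored via ``os.system``).
    """
    import subprocess

    check_root()

    general = get_config()['general']
    domain = general['domain']
    user = general['docker_user']

    install_packages(['opendkim', 'opendkim-tools'])

    # Log directories the mail containers write into.
    for log_dir in ("/var/log/postfix", "/var/log/dovecot"):
        Path(log_dir).mkdir(parents=True, exist_ok=True)

    # Argument lists, not shell strings: ``domain`` and ``user`` come from
    # the config file and must never be interpolated into a shell command.
    subprocess.run(["chmod", "-R", "770", "/etc/opendkim"], check=True)
    subprocess.run(["usermod", "-aG", "opendkim", user], check=True)

    # -r restricts the key to e-mail use, -h limits the hash to rsa-sha256.
    # The selector is passed as an absolute path so the key pair lands in
    # /etc/opendkim regardless of the cwd.
    # NOTE(review): the selector name written into mail.txt will therefore be
    # the path string itself — confirm that is the intended DKIM selector.
    subprocess.run(
        [
            "opendkim-genkey", "-b", "2048", "-r", "-h", "rsa-sha256",
            "-d", domain, "-s", "/etc/opendkim/mail",
        ],
        check=True,
    )

    shutil.move("/etc/opendkim/mail.private", "/etc/opendkim/mail")

    uid = pwd.getpwnam("opendkim").pw_uid
    gid = grp.getgrnam("opendkim").gr_gid
    chown_recursive("/etc/opendkim", uid, gid)

    # Private key must be owner-only.  This also revokes the group access
    # granted above, so ``user``'s opendkim membership does not give it the
    # key file.  NOTE(review): presumably the membership is for the
    # opendkim socket rather than the key — confirm.
    subprocess.run(["chmod", "-R", "go-rwx", "/etc/opendkim"], check=True)

    print(
        "Please add the DNS entry listed in /etc/opendkim/mail.txt to your DNS"
    )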
def drop_privileges():
    """Switch the current process from root to the configured ``docker_user``.

    A no-op when not running as root.  Supplementary groups are cleared
    first, then the gid and finally the uid are changed — that order
    matters, because once the uid is dropped the process can no longer
    change its gid.
    """
    if os.getuid():
        # Already unprivileged: nothing to drop.
        return

    target = pwd.getpwnam(get_config()['general']['docker_user'])

    # Clear supplementary groups while we still can.
    os.setgroups([])

    # gid before uid; the uid change is irreversible.
    os.setgid(target.pw_gid)
    os.setuid(target.pw_uid)
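def dependencies():
    """Prepare the host for rootless Docker and install the base packages.

    Runs as root: loads the bridge/overlay kernel modules, lets unprivileged
    processes bind any port, enables lingering for ``docker_user`` and
    installs the packages.  Then drops to ``docker_user``
    (``drop_privileges``) and runs ``install_docker_rootless`` as that user.

    Raises:
        subprocess.CalledProcessError: if modprobe or loginctl fail
            (previously ignored via ``os.system``).
    """
    import subprocess

    check_root()

    package_list = [
        "docker-compose", "python3-toml", "python3-jinja2", "uidmap"
    ]

    subprocess.run(["modprobe", "bridge"], check=True)
    subprocess.run(
        ["modprobe", "overlay", "permit_mounts_in_userns=1"], check=True
    )

    # Lets the rootless daemon bind 25/80/443/... directly.  This is
    # host-wide: afterwards *any* unprivileged process can bind privileged
    # ports.  Append the line only once so repeated runs do not pile up
    # duplicates in sysctl.conf.
    sysctl_line = 'net.ipv4.ip_unprivileged_port_start=0'
    sysctl_conf = Path('/etc/sysctl.conf')
    existing = sysctl_conf.read_text() if sysctl_conf.exists() else ''
    if sysctl_line not in existing.splitlines():
        with sysctl_conf.open('a') as file:
            file.write(sysctl_line + '\n')

    # Best effort, as before: other files under sysctl.d may carry keys this
    # kernel does not have, which makes sysctl exit non-zero.
    subprocess.run(["sysctl", "--system"], check=False)

    user_name = get_config()['general']['docker_user']

    # Keep the user's systemd instance (and thus the rootless daemon) alive
    # without an interactive login session.
    subprocess.run(["loginctl", "enable-linger", user_name], check=True)

    install_packages(package_list)

    drop_privileges()

    install_docker_rootless()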
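def letsencrypt():
    """Obtain a certificate for the configured domain and schedule renewal.

    Runs certbot (interactively) for ``general.domain``, adds a monthly
    ``certbot renew`` entry to root's crontab and makes the certificate
    directories readable by other users so the containers can pick them up.

    Raises:
        subprocess.CalledProcessError: if certbot or chmod fail
            (previously ignored via ``os.system``).
    """
    import subprocess

    check_root()

    domain = get_config()['general']['domain']

    install_packages(['certbot'])

    # Argument list, not a shell string: ``domain`` comes from the config.
    subprocess.run(["certbot", "certonly", "-d", domain], check=True)

    # Cron silently drops a final entry that lacks a terminating newline, so
    # the old "...letsencrypt renew" line (no '\n') was never scheduled.
    # Call the `certbot` binary that was just installed rather than the
    # legacy `letsencrypt` name, and add the entry only once.
    cron_entry = "0 4 1 * * certbot renew"
    crontab = Path("/var/spool/cron/crontabs/root")
    existing = crontab.read_text() if crontab.exists() else ''
    if cron_entry not in existing.splitlines():
        with crontab.open('a') as file:
            if existing and not existing.endswith('\n'):
                file.write('\n')
            file.write(cron_entry + '\n')

    # TODO: people will be happier when this is more strict

    # TODO: fix UID in service template

    # TODO: fix dmarc permissions

    # TODO: fix fail2ban

    # These directories hold the private keys.  They used to be chmod 777,
    # i.e. world-*writable*: any local user could replace the server's key.
    # Keep them world-readable for now (rootless containers may map to a
    # subuid that is in no host group), but drop the write bits — nothing
    # but certbot, running as root, ever writes here.
    # TODO(security): scope read access to the container's mapped uid
    # (group or ACL) instead of leaving the keys world-readable.
    for cert_dir in ("/etc/letsencrypt/live", "/etc/letsencrypt/archive"):
        subprocess.run(["chmod", "-R", "a+rX,go-w", cert_dir], check=True)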
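def exec_sql(container, sql):
    """Run ``sql`` as the database root user inside ``container``.

    Args:
        container: object exposing ``exec_run`` (docker SDK container style).
        sql: statement(s) to execute; passed verbatim to ``mysql -e``.

    Returns:
        Whatever ``container.exec_run`` returns (exit code and output in the
        docker SDK).  The original returned nothing.
    """
    root_password = get_config()['database']['passwords']['root']

    # The original never used ``sql`` at all (mysql was started with no
    # statement and no stdin), and glued the password onto a command string
    # that was then shell-split and visible in the container's process list.
    # Pass an argv list and hand the password over via MYSQL_PWD instead.
    # NOTE(review): ``environment=`` is the docker SDK keyword — confirm the
    # wrapper used here supports it.  MYSQL_PWD is still readable from
    # /proc/<pid>/environ by the same uid, just not from `ps`.
    return container.exec_run(
        ["mysql", "-u", "root", "-e", sql],
        environment={"MYSQL_PWD": root_password},
    )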