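def _set_sshd_option(key, value):
    """Rewrite sshd_config so that ``key`` appears exactly once, set to ``value``.

    Mirrors the inline sequence used for ListenAddress and PermitRootLogin:
    filter every line containing ``key`` out into a temp file, append the new
    ``key value`` line, keep the previous config as ``sshd_config.bak`` and
    move the temp file into place. Runs as the current ``env['user']``.

    key: sshd_config keyword (matched as a substring by ``grep -v``, so
        commented-out lines containing the keyword are dropped as well)
    value: the value to write for ``key``
    """
    run("grep -v %s /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp" % key)
    run("echo '%s %s' >> /etc/ssh/sshd_config.tmp" % (key, value))
    # the second call in a bootstrap run overwrites this .bak again
    run("mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak")
    run("mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config")


def _create_admin_user(admin, keyfile):
    """Create ``admin`` in group wheel, install ``keyfile`` and grant sudo.

    admin: account name to create (uid 1001, home under /home)
    keyfile: local path of the public key to upload as authorized_keys
    """
    puts("Creating admin user %s" % admin)
    run("pw useradd -n %(admin)s -u 1001 -m -d /home/%(admin)s -G wheel" % dict(admin=admin))
    # the home is created as /home/<admin>; the key is written under /usr/home
    # (on FreeBSD /home is conventionally a symlink to /usr/home -- TODO confirm
    # for the target image)
    ssh_config = path.join('/', 'usr', 'home', admin, '.ssh')
    run("mkdir -p %s" % ssh_config)
    remote_keyfile = path.join(ssh_config, 'authorized_keys')
    put(keyfile, remote_keyfile)
    # put() runs as the remote root account, so ownership and modes are fixed
    # *after* the upload; doing chown first left authorized_keys root-owned and
    # the admin unable to manage their own keys. 700/600 are what sshd's
    # StrictModes expects.
    run("chmod 700 %s" % ssh_config)
    run("chmod 600 %s" % remote_keyfile)
    run("chown -R %s %s" % (admin, ssh_config))
    # NOTE(review): passwordless sudo for the whole wheel group, appended with
    # echo and never validated; a typo here breaks sudo for everyone. Running
    # `visudo -c` afterwards would catch that before root login is disabled.
    run("echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /usr/local/etc/sudoers")


def bootstrap(admin=None, keyfile=None, primary_ip=None):
    """Turn a freshly installed host with root ssh access into a jail host.

    Assuming we have ssh access as root: binds sshd to ``primary_ip``, enables
    ezjail, creates the admin user with ssh key access and sudo privileges,
    then shuts root login out again and restarts sshd.

    admin: username for the admin account, defaults to your local username
    keyfile: full path to your public SSH key, defaults to ~/.ssh/identity.pub
    primary_ip: the IP address for which to configure the jailhost, can be
        omitted if the host is given as an IP address with the -H parameter

    Exits the process via ``sys.exit`` when ``keyfile`` does not exist.
    ``env['user']`` is switched to the remote root account for the duration of
    the call and restored afterwards, also when a remote command aborts.
    """
    # force user to root for every remote command below
    orig_user = env['user']
    env['user'] = '******'
    try:
        # check for admin user and key:
        if admin is None:
            admin = env['local_user']
        if keyfile is None:
            keyfile = path.expanduser("~/.ssh/identity.pub")
        if not path.exists(keyfile):
            sys.exit("No such keyfile '%s'" % keyfile)

        # substring test: any installed package whose name contains "sudo"
        # counts as sudo being present
        pkg_info = run("pkg_info")
        with settings(hide("everything"), warn_only=True):
            # pw exits non-zero for an unknown user; warn_only keeps Fabric
            # from aborting so the output can be inspected instead
            user_info = run("pw usershow %s" % admin)

        if primary_ip is None and is_ip.match(env['host']):
            primary_ip = env['host']
        if primary_ip is None:
            warn("No primary IP address specified!")
        else:
            # pin sshd to the primary address so jails can take the others
            _set_sshd_option("ListenAddress", primary_ip)

        # prevent syslogd listening on any addresses (to avoid warnings at jail startup)
        run("echo syslogd_flags='-ss' >> /etc/rc.conf")
        # enable ezjail
        run("echo ezjail_enable='YES' >> /etc/rc.conf")

        # create admin user
        if "sudo" not in pkg_info:
            puts("Installing sudo")
            run("pkg_add -r sudo")
        if "no such user" in user_info:
            _create_admin_user(admin, keyfile)
        else:
            puts("Not touching existing user %s" % admin)

        # disable root login; from the restart on, the admin key is the only
        # way in, so verify it works before closing the current session
        puts("Setting up ssh login")
        _set_sshd_option("PermitRootLogin", "no")
        run("echo sshd_enable='YES' >> /etc/rc.conf")
        run("/etc/rc.d/sshd restart")
        # fall back to the Fabric host when no primary IP was given, instead
        # of printing "ssh None"
        puts("You now should be able to login with `ssh %s`" % (primary_ip or env['host']))
    finally:
        env['user'] = orig_user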
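def _upload_resources(local_resource_dir, remote_patches_dir):
    """Copy the flavour's patches and ports options to the host.

    Returns the remote directory that now holds the ``patches`` tree.
    """
    sudo("mkdir -p %s" % remote_patches_dir)
    put(path.join(local_resource_dir, 'patches'), remote_patches_dir, use_sudo=True)
    # upload ports options
    sudo("mkdir -p /var/db/ports/")
    put(path.join(local_resource_dir, 'server_root/var/db/ports/*'), "/var/db/ports/", use_sudo=True)
    return remote_patches_dir + 'patches'


def _upload_cert(hostname, pem_file, local_resource_dir):
    """Install the TLS certificate used by qmail, dovecot and the webmail.

    Generates a self-signed certificate into the flavour's resource directory
    when ``pem_file`` is None; exits the process when the given file is missing.
    """
    if pem_file is None:
        # NOTE(review): the generated cert lands inside the installed package
        # directory, so it is reused by later runs on other hosts
        pem_file = path.join(local_resource_dir, 'servercert.pem')
        create_self_signed_cert(hostname, pem_file)
    elif not path.exists(pem_file):
        sys.exit("No such .pem '%s'" % pem_file)
    sudo("mkdir -p /var/qmail/control/")
    put(pem_file, "/var/qmail/control/servercert.pem", use_sudo=True)


def _install_qmail(hostname, remote_patches_dir):
    """Build qmail-tls with the flavour's patches and enable qmail-smtpd."""
    with cd("/usr/ports/mail/qmail-tls/"):
        sudo("make patch")
    # the port's work dir lives under the ezjail basejail tree
    with cd("/var/ports/basejail/usr/ports/mail/qmail-tls/work/qmail-1.03"):
        sudo("patch < %s" % path.join(remote_patches_dir, 'validrcptto.cdb.patch.new'))
        sudo("patch < %s" % path.join(remote_patches_dir, 'qmail-smtpd.c.privacy.patch'))
    with cd("/usr/ports/mail/qmail-tls/"):
        sudo("make install")
    sudo('echo "QMAIL_SLAVEPORT=tls" >> /etc/make.conf')
    # Configure qmail
    sudo("echo %s > /var/qmail/control/me" % hostname)
    sudo('ln -s /var/qmail/boot/qmail-smtpd.rcNG /usr/local/etc/rc.d/qmail-smtpd')
    sudo('ln -s /var/qmail/boot/maildir /usr/local/etc/rc.d/qmail')
    sudo('''echo 'qmailsmtpd_enable="YES"' >> /etc/rc.conf''')
    # checkpassword helper path, kept exactly as it appears in the file
    sudo('''echo 'qmailsmtpd_checkpassword="******"' >> /etc/rc.conf''')
    # SMTP access rules: tcp.smtp from the patches dir is compiled into the cdb
    sudo('cp %s/tcp.smtp /etc/' % remote_patches_dir)
    sudo('tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp')


def _install_vpopmail(hostname):
    """Build vpopmail and set ``hostname`` as its default domain."""
    with cd("/usr/ports/mail/vpopmail"):
        sudo("make install")
    sudo("chown vpopmail:vchkpw /usr/local/vpopmail")
    # vchkpw runs setuid so the MTA can authenticate against vpopmail's data
    sudo("chmod u+s ~vpopmail/bin/vchkpw")
    sudo("pw user mod vpopmail -s /bin/sh")
    # Configure vpopmail
    sudo("echo %s > /usr/local/vpopmail/etc/defaultdomain" % hostname)


def _install_dovecot(hostname, host_ip, local_resource_dir):
    """Build dovecot and render its config for ``hostname``/``host_ip``."""
    with cd("/usr/ports/mail/dovecot"):
        sudo("make install")
    sudo('''echo 'dovecot_enable="YES"' >> /etc/rc.conf''')
    # Configure dovecot
    upload_template(path.join(local_resource_dir, 'dovecot.conf'),
                    '/usr/local/etc/dovecot.conf',
                    context=dict(hostname=hostname, dovecot_ip=host_ip),
                    backup=False, use_sudo=True)


def _install_lighttpd(hostname, host_ip, local_resource_dir):
    """Build lighttpd, prepare its log/run dirs and render config and site."""
    with cd("/usr/ports/www/lighttpd"):
        sudo("make install")
    sudo('''echo 'lighttpd_enable="YES"' >> /etc/rc.conf''')
    sudo('touch /var/log/lighttpd.error.log')
    sudo('chown www:www /var/log/lighttpd.error.log')
    sudo('touch /var/log/lighttpd.access.log')
    sudo('chown www:www /var/log/lighttpd.access.log')
    # -p keeps a re-run from aborting on an existing directory, like every
    # other mkdir in this setup
    sudo('mkdir -p /var/run/lighttpd/')
    sudo('chown www:www /var/run/lighttpd')
    # Configure lighty
    sudo("mkdir -p /usr/local/etc/lighttpd/")
    upload_template(path.join(local_resource_dir, 'lighttpd.conf'),
                    '/usr/local/etc/lighttpd/lighttpd.conf',
                    context=dict(hostname=hostname, httpd_ip=host_ip),
                    backup=False, use_sudo=True)
    sudo("mkdir -p /usr/local/www/data")
    put(path.join(local_resource_dir, 'data/*.*'), "/usr/local/www/data/", use_sudo=True)
    upload_template(path.join(local_resource_dir, 'data/index.html'),
                    '/usr/local/www/data/index.html',
                    context=dict(hostname=hostname, httpd_ip=host_ip),
                    backup=False, use_sudo=True)


def _install_webmail(hostname, host_ip, local_resource_dir):
    """Build squirrelmail, qmailadmin (with spam detection) and the login plugin."""
    with cd("/usr/ports/mail/squirrelmail"):
        sudo("make install")
    # Configure squirrelmail
    upload_template(path.join(local_resource_dir, 'config.php'),
                    '/usr/local/www/squirrelmail/config/config.php',
                    context=dict(hostname=hostname, httpd_ip=host_ip),
                    backup=False, use_sudo=True)
    # Install qmailadmin / ezmlm-idx, delivering through spamc and maildrop
    with cd("/usr/ports/mail/qmailadmin"):
        sudo('make install WITH_SPAM_DETECTION=TRUE SPAM_COMMAND="| /usr/local/bin/spamc -f | /usr/local/bin/maildrop" CGIBINDIR=www/squirrelmail/cgi-bin CGIBINSUBDIR= WEBDATADIR=www/squirrelmail WEBDATASUBDIR=qmailadmin')
    # Install qmailadmin plugin for squirrelmail
    with cd("/usr/ports/mail/squirrelmail-qmailadmin_login-plugin"):
        sudo("make install")


def _install_spam_filtering(remote_patches_dir):
    """Build maildrop and spamassassin and install the maildrop sort rules."""
    with cd("/usr/ports/mail/maildrop"):
        sudo("make install")
    # Install the maildrop spam sort magic
    sudo("mv %s /usr/local/etc/maildroprc" % path.join(remote_patches_dir, 'maildroprc'))
    # Install spamassassin
    with cd("/usr/ports/mail/p5-Mail-SpamAssassin"):
        sudo("make install")
    sudo('mkdir -p /usr/local/etc/mail/spamassassin')
    # spamc is pointed at a fixed spamd address; presumably the spamd jail in
    # the intended layout -- adjust when the jail network differs
    sudo("echo '-d 192.168.0.2' > /usr/local/etc/mail/spamassassin/spamc.conf")


def setup(hostname, host_ip=None, pem_file=None):
    """Set up a fully functional mail server.

    Follows the elektropost instructions at
    http://erdgeist.org/arts/software/elektropost/ -- qmail-tls, vpopmail,
    dovecot, lighttpd, squirrelmail, qmailadmin, maildrop and spamassassin
    are built from ports in that order; every step runs through ``sudo``.

    Parameters:
    hostname: FQDN of the mail host, required; it is interpolated unquoted
        into shell commands and rendered into the config templates
    host_ip: IP address of the host, required, if env.host is not an ip address
        (only a warning is issued when it stays None; the templates then see
        ``None`` for the listen address)
    pem_file: path to .pem file, will be used for IMAP and webmail,
        auto-generated, if none is given; a non-existent path exits the process
    """
    puts("running elektropost setup")
    # upload patches; the flavour package's own directory holds the resources
    from ezjailremote.flavours import elektropost
    local_resource_dir = path.join(path.abspath(path.dirname(elektropost.__file__)))
    remote_patches_dir = _upload_resources(
        local_resource_dir, "/tmp/ezjailremote.flavours.elektropost/")

    if host_ip is None and is_ip.match(env['host']):
        host_ip = env['host']
    if host_ip is None:
        warn("No primary IP address specified! Either call using an ip address as "
             "host or explicitly pass one via host_ip")

    # Upload cert
    _upload_cert(hostname, pem_file, local_resource_dir)
    # Install qmail
    _install_qmail(hostname, remote_patches_dir)
    # Install vpopmail
    _install_vpopmail(hostname)
    # Install dovecot
    _install_dovecot(hostname, host_ip, local_resource_dir)
    # Install lighty
    _install_lighttpd(hostname, host_ip, local_resource_dir)
    # Install squirrelmail and qmailadmin
    _install_webmail(hostname, host_ip, local_resource_dir)
    # Install maildrop and spamassassin
    _install_spam_filtering(remote_patches_dir)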