def bootstrap(admin=None,
keyfile=None,
primary_ip=None):
""" assuming we have ssh access as root sets up permanent ssh access, creates the admin user with
ssh access and sudo privileges, then shuts out root login again.
admin: username for the admin account, defaults to your local username
keyfile: full path to your public SSH key, defaults to ~/.ssh/identity.pub
primary_ip: the IP address for which to configure the jailhost, can be omitted if the host is given
as an IP address with the -H parameter
"""
# force user to root
orig_user = env['user']
env['user'] = '******'
# check for admin user and key:
if admin is None:
admin = env['local_user']
if keyfile is None:
keyfile = path.expanduser("~/.ssh/identity.pub")
if not path.exists(keyfile):
sys.exit("No such keyfile '%s'" % keyfile)
pkg_info = run("pkg_info")
with settings(hide("everything"), warn_only=True):
user_info = run("pw usershow %s" % admin)
if primary_ip is None and is_ip.match(env['host']):
primary_ip = env['host']
if primary_ip is None:
warn("No primary IP address specified!")
else:
run("grep -v ListenAddress /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp")
run("echo 'ListenAddress %s' >> /etc/ssh/sshd_config.tmp" % primary_ip)
run("mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak")
run("mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config")
# prevent syslogd listening on any addresses (to avoid warnings at jail startup)
run("echo syslogd_flags='-ss' >> /etc/rc.conf")
# enable ezjail
run("echo ezjail_enable='YES' >> /etc/rc.conf")
# create admin user
if "sudo" not in pkg_info:
puts("Installing sudo")
run("pkg_add -r sudo")
if "no such user" in user_info:
puts("Creating admin user %s" % admin)
run("pw useradd -n %(admin)s -u 1001 -m -d /home/%(admin)s -G wheel" % dict(admin=admin))
ssh_config = path.join('/', 'usr', 'home', admin, '.ssh')
run("mkdir -p %s" % ssh_config)
run("chown -R %s %s" % (admin, ssh_config))
remote_keyfile = path.join(ssh_config, 'authorized_keys')
put(keyfile, remote_keyfile)
run("echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /usr/local/etc/sudoers")
else:
puts("Not touching existing user %s" % admin)
# disable root login
puts("Setting up ssh login")
run("grep -v PermitRootLogin /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp")
run("echo 'PermitRootLogin no' >> /etc/ssh/sshd_config.tmp")
run("mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak")
run("mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config")
run("echo sshd_enable='YES' >> /etc/rc.conf")
run("/etc/rc.d/sshd restart")
puts("You now should be able to login with `ssh %s`" % primary_ip)
env['user'] = orig_user
def setup(hostname, host_ip=None, pem_file=None):
""" Sets up a fully functional mail server according to the elektropost
instructions at http://erdgeist.org/arts/software/elektropost/
Parameters:
hostname: FQDN of the mail host, required
host_ip: IP address of the host, required, if env.host is not an ip address
pem_file: path to .pem file, will be used for IMAP and webmail, auto-generated,
if none is given
"""
puts("running elektropost setup")
# upload patches
from ezjailremote.flavours import elektropost
local_resource_dir = path.join(path.abspath(path.dirname(elektropost.__file__)))
remote_patches_dir = "/tmp/ezjailremote.flavours.elektropost/"
sudo("mkdir -p %s" % remote_patches_dir)
put(path.join(local_resource_dir, 'patches'), remote_patches_dir, use_sudo=True)
remote_patches_dir += 'patches'
# upload ports options
sudo("mkdir -p /var/db/ports/")
put(path.join(local_resource_dir, 'server_root/var/db/ports/*'),
"/var/db/ports/",
use_sudo=True)
if host_ip is None and is_ip.match(env['host']):
host_ip = env['host']
if host_ip is None:
warn("No primary IP address specified! Either call using an ip address as "
"host or explicitly pass one via host_ip")
# Upload cert
if pem_file is None:
pem_file = path.join(local_resource_dir, 'servercert.pem')
create_self_signed_cert(hostname, pem_file)
elif not path.exists(pem_file):
sys.exit("No such .pem '%s'" % pem_file)
sudo("mkdir -p /var/qmail/control/")
put(pem_file, "/var/qmail/control/servercert.pem", use_sudo=True)
# Install qmail
with cd("/usr/ports/mail/qmail-tls/"):
sudo("make patch")
with cd("/var/ports/basejail/usr/ports/mail/qmail-tls/work/qmail-1.03"):
sudo("patch < %s" % path.join(remote_patches_dir, 'validrcptto.cdb.patch.new'))
sudo("patch < %s" % path.join(remote_patches_dir, 'qmail-smtpd.c.privacy.patch'))
with cd("/usr/ports/mail/qmail-tls/"):
sudo("make install")
sudo('echo "QMAIL_SLAVEPORT=tls" >> /etc/make.conf')
# Configure qmail
sudo("echo %s > /var/qmail/control/me" % hostname)
sudo('ln -s /var/qmail/boot/qmail-smtpd.rcNG /usr/local/etc/rc.d/qmail-smtpd')
sudo('ln -s /var/qmail/boot/maildir /usr/local/etc/rc.d/qmail')
sudo('''echo 'qmailsmtpd_enable="YES"' >> /etc/rc.conf''')
sudo('''echo 'qmailsmtpd_checkpassword="******"' >> /etc/rc.conf''')
sudo('cp %s/tcp.smtp /etc/' % remote_patches_dir)
sudo('tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp')
# Install vpopmail
with cd("/usr/ports/mail/vpopmail"):
sudo("make install")
sudo("chown vpopmail:vchkpw /usr/local/vpopmail")
sudo("chmod u+s ~vpopmail/bin/vchkpw")
sudo("pw user mod vpopmail -s /bin/sh")
# Configure vpopmail
sudo("echo %s > /usr/local/vpopmail/etc/defaultdomain" % hostname)
# Install dovecot
with cd("/usr/ports/mail/dovecot"):
sudo("make install")
sudo('''echo 'dovecot_enable="YES"' >> /etc/rc.conf''')
# Configure dovecot
upload_template(path.join(local_resource_dir, 'dovecot.conf'),
'/usr/local/etc/dovecot.conf',
context=dict(
hostname=hostname,
dovecot_ip=host_ip),
backup=False,
use_sudo=True)
# Install lighty
with cd("/usr/ports/www/lighttpd"):
sudo("make install")
sudo('''echo 'lighttpd_enable="YES"' >> /etc/rc.conf''')
sudo('touch /var/log/lighttpd.error.log')
sudo('chown www:www /var/log/lighttpd.error.log')
sudo('touch /var/log/lighttpd.access.log')
sudo('chown www:www /var/log/lighttpd.access.log')
sudo('mkdir /var/run/lighttpd/')
sudo('chown www:www /var/run/lighttpd')
# Configure lighty
sudo("mkdir /usr/local/etc/lighttpd/")
upload_template(path.join(local_resource_dir, 'lighttpd.conf'),
'/usr/local/etc/lighttpd/lighttpd.conf',
context=dict(
hostname=hostname,
httpd_ip=host_ip),
backup=False,
use_sudo=True)
sudo("mkdir -p /usr/local/www/data")
put(path.join(local_resource_dir, 'data/*.*'),
"/usr/local/www/data/", use_sudo=True)
upload_template(path.join(local_resource_dir, 'data/index.html'),
'/usr/local/www/data/index.html',
context=dict(
hostname=hostname,
httpd_ip=host_ip),
backup=False,
use_sudo=True)
# Install squirrelmail
with cd("/usr/ports/mail/squirrelmail"):
sudo("make install")
# Configure squirrelmail
upload_template(path.join(local_resource_dir, 'config.php'),
'/usr/local/www/squirrelmail/config/config.php',
context=dict(
hostname=hostname,
httpd_ip=host_ip),
backup=False,
use_sudo=True)
# Install qmailadmin / ezmlm-idx
with cd("/usr/ports/mail/qmailadmin"):
sudo('make install WITH_SPAM_DETECTION=TRUE SPAM_COMMAND="| /usr/local/bin/spamc -f | /usr/local/bin/maildrop" CGIBINDIR=www/squirrelmail/cgi-bin CGIBINSUBDIR= WEBDATADIR=www/squirrelmail WEBDATASUBDIR=qmailadmin')
# Install qmailadmin plugin for squirrelmail
with cd("/usr/ports/mail/squirrelmail-qmailadmin_login-plugin"):
sudo("make install")
# Install maildrop
with cd("/usr/ports/mail/maildrop"):
sudo("make install")
# Install the maildrop spam sort magic
sudo("mv %s /usr/local/etc/maildroprc" % path.join(remote_patches_dir, 'maildroprc'))
# Install spamassassin
with cd("/usr/ports/mail/p5-Mail-SpamAssassin"):
sudo("make install")
sudo('mkdir -p /usr/local/etc/mail/spamassassin')
sudo("echo '-d 192.168.0.2' > /usr/local/etc/mail/spamassassin/spamc.conf")
