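def bootstrap(admin=None,
    keyfile=None,
    primary_ip=None):
    """ assuming we have ssh access as root sets up permanent ssh access, creates the admin user with
    ssh access and sudo privileges, then shuts out root login again.

    admin: username for the admin account, defaults to your local username
    keyfile: full path to your public SSH key, defaults to ~/.ssh/identity.pub
    primary_ip: the IP address for which to configure the jailhost, can be omitted if the host is given
        as an IP address with the -H parameter

    What this changes on the remote host: rewrites /etc/ssh/sshd_config (adds ListenAddress when a
    primary IP is known, sets PermitRootLogin no; the previous file is kept as sshd_config.bak),
    appends to /etc/rc.conf, installs sudo if pkg_info does not list it, creates the admin user
    (uid 1001, group wheel) with the public key and appends a passwordless-sudo rule for wheel to
    /usr/local/etc/sudoers, then restarts sshd.

    Exits via sys.exit when keyfile does not exist. env['user'] is restored to its previous value on
    every exit path (normal return, sys.exit, exception), so a failed run does not leave fabric
    pointed at the root account.
    """
    # shell-quoting helper; pipes.quote is the Python 2 spelling of shlex.quote
    try:
        from shlex import quote
    except ImportError:
        from pipes import quote

    # force user to root, remembering the caller's user so the finally block can restore it
    orig_user = env['user']
    env['user'] = '******'
    try:
        # check for admin user and key:
        if admin is None:
            admin = env['local_user']
        if keyfile is None:
            keyfile = path.expanduser("~/.ssh/identity.pub")
        if not path.exists(keyfile):
            sys.exit("No such keyfile '%s'" % keyfile)

        # every caller-supplied value that lands on a remote command line is shell-quoted;
        # for plain alphanumeric usernames and dotted IPs quote() returns the value unchanged,
        # so the commands sent are identical to the unquoted form in the common case
        q_admin = quote(admin)

        pkg_info = run("pkg_info")
        # hide output and don't abort: "pw usershow" exits non-zero when the user does not exist yet,
        # and that "no such user" text is what decides the create-user branch below
        with settings(hide("everything"), warn_only=True):
            user_info = run("pw usershow %s" % q_admin)

        if primary_ip is None and is_ip.match(env['host']):
            primary_ip = env['host']

        if primary_ip is None:
            warn("No primary IP address specified!")
        else:
            # pin sshd to the primary address; presumably so the jails' own addresses are left
            # free on port 22 -- confirm against the ezjail setup
            run("grep -v ListenAddress /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp")
            run("echo %s >> /etc/ssh/sshd_config.tmp" % quote("ListenAddress %s" % primary_ip))
            run("mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak")
            run("mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config")
        # prevent syslogd listening on any addresses (to avoid warnings at jail startup)
        run("echo syslogd_flags='-ss' >> /etc/rc.conf")
        # enable ezjail
        run("echo ezjail_enable='YES' >> /etc/rc.conf")
        # create admin user
        # substring match: any installed package whose name contains "sudo" suppresses the install
        if "sudo" not in pkg_info:
            puts("Installing sudo")
            run("pkg_add -r sudo")
        if "no such user" in user_info:
            puts("Creating admin user %s" % admin)
            # the home dir handed to pw is /home/<admin> while .ssh is created under /usr/home/<admin>;
            # presumably /home is a symlink to /usr/home on the target -- confirm
            run("pw useradd -n %s -u 1001 -m -d %s -G wheel" % (q_admin, quote("/home/%s" % admin)))
            ssh_config = path.join('/', 'usr', 'home', admin, '.ssh')
            q_ssh_config = quote(ssh_config)
            run("mkdir -p %s" % q_ssh_config)
            run("chown -R %s %s" % (q_admin, q_ssh_config))
            remote_keyfile = path.join(ssh_config, 'authorized_keys')
            # NOTE(review): no explicit mode is set on .ssh/ or authorized_keys; they get whatever the
            # remote umask and put() produce, which sshd's StrictModes may reject if group/world-writable
            put(keyfile, remote_keyfile)
            # NOTE(review): this grants every wheel member root without a password prompt, and because
            # the file is appended to, each run that creates a user adds another copy of the line
            run("echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /usr/local/etc/sudoers")
        else:
            puts("Not touching existing user %s" % admin)

        # disable root login
        puts("Setting up ssh login")
        run("grep -v PermitRootLogin /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp")
        run("echo 'PermitRootLogin no' >> /etc/ssh/sshd_config.tmp")
        run("mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak")
        run("mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config")
        run("echo sshd_enable='YES' >> /etc/rc.conf")
        run("/etc/rc.d/sshd restart")
        # without a primary IP the hint used to read "ssh None"; fall back to the host we connected to
        login_host = primary_ip if primary_ip is not None else env['host']
        puts("You now should be able to login with `ssh %s`" % login_host)
    finally:
        # always hand fabric back to the original user, even after sys.exit or a failed run()
        env['user'] = orig_user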
def setup(hostname, host_ip=None, pem_file=None):
    """ Sets up a fully functional mail server according to the elektropost
        instructions at http://erdgeist.org/arts/software/elektropost/

        Parameters:

        hostname: FQDN of the mail host, required

        host_ip: IP address of the host, required, if env.host is not an ip address

        pem_file: path to .pem file, will be used for IMAP and webmail, auto-generated,
            if none is  given
    """
    puts("running elektropost setup")
    # upload patches
    from ezjailremote.flavours import elektropost
    local_resource_dir = path.join(path.abspath(path.dirname(elektropost.__file__)))
    remote_patches_dir = "/tmp/ezjailremote.flavours.elektropost/"
    sudo("mkdir -p %s" % remote_patches_dir)
    put(path.join(local_resource_dir, 'patches'), remote_patches_dir, use_sudo=True)
    remote_patches_dir += 'patches'
    # upload ports options
    sudo("mkdir -p /var/db/ports/")
    put(path.join(local_resource_dir, 'server_root/var/db/ports/*'),
        "/var/db/ports/",
        use_sudo=True)

    if host_ip is None and is_ip.match(env['host']):
        host_ip = env['host']
    if host_ip is None:
        warn("No primary IP address specified! Either call using an ip address as "
            "host or explicitly pass one via host_ip")

    # Upload cert
    if pem_file is None:
        pem_file = path.join(local_resource_dir, 'servercert.pem')
        create_self_signed_cert(hostname, pem_file)
    elif not path.exists(pem_file):
        sys.exit("No such .pem '%s'" % pem_file)
    sudo("mkdir -p /var/qmail/control/")
    put(pem_file, "/var/qmail/control/servercert.pem", use_sudo=True)

    # Install qmail
    with cd("/usr/ports/mail/qmail-tls/"):
        sudo("make patch")

    with cd("/var/ports/basejail/usr/ports/mail/qmail-tls/work/qmail-1.03"):
        sudo("patch < %s" % path.join(remote_patches_dir, 'validrcptto.cdb.patch.new'))
        sudo("patch < %s" % path.join(remote_patches_dir, 'qmail-smtpd.c.privacy.patch'))

    with cd("/usr/ports/mail/qmail-tls/"):
        sudo("make install")
    sudo('echo "QMAIL_SLAVEPORT=tls" >> /etc/make.conf')

    # Configure qmail
    sudo("echo %s > /var/qmail/control/me" % hostname)
    sudo('ln -s /var/qmail/boot/qmail-smtpd.rcNG /usr/local/etc/rc.d/qmail-smtpd')
    sudo('ln -s /var/qmail/boot/maildir /usr/local/etc/rc.d/qmail')
    sudo('''echo 'qmailsmtpd_enable="YES"' >> /etc/rc.conf''')
    sudo('''echo 'qmailsmtpd_checkpassword="******"' >> /etc/rc.conf''')
    sudo('cp %s/tcp.smtp /etc/' % remote_patches_dir)
    sudo('tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp')

    # Install vpopmail
    with cd("/usr/ports/mail/vpopmail"):
        sudo("make install")
    sudo("chown vpopmail:vchkpw /usr/local/vpopmail")
    sudo("chmod u+s ~vpopmail/bin/vchkpw")
    sudo("pw user mod vpopmail -s /bin/sh")
    # Configure vpopmail
    sudo("echo %s > /usr/local/vpopmail/etc/defaultdomain" % hostname)

    # Install dovecot
    with cd("/usr/ports/mail/dovecot"):
        sudo("make install")
    sudo('''echo 'dovecot_enable="YES"' >> /etc/rc.conf''')

    # Configure dovecot
    upload_template(path.join(local_resource_dir, 'dovecot.conf'),
        '/usr/local/etc/dovecot.conf',
        context=dict(
            hostname=hostname,
            dovecot_ip=host_ip),
        backup=False,
        use_sudo=True)

    # Install lighty
    with cd("/usr/ports/www/lighttpd"):
        sudo("make install")
    sudo('''echo 'lighttpd_enable="YES"' >> /etc/rc.conf''')
    sudo('touch /var/log/lighttpd.error.log')
    sudo('chown www:www /var/log/lighttpd.error.log')
    sudo('touch /var/log/lighttpd.access.log')
    sudo('chown www:www /var/log/lighttpd.access.log')
    sudo('mkdir /var/run/lighttpd/')
    sudo('chown www:www /var/run/lighttpd')

    # Configure lighty
    sudo("mkdir /usr/local/etc/lighttpd/")
    upload_template(path.join(local_resource_dir, 'lighttpd.conf'),
        '/usr/local/etc/lighttpd/lighttpd.conf',
        context=dict(
            hostname=hostname,
            httpd_ip=host_ip),
        backup=False,
        use_sudo=True)
    sudo("mkdir -p /usr/local/www/data")
    put(path.join(local_resource_dir, 'data/*.*'),
        "/usr/local/www/data/", use_sudo=True)
    upload_template(path.join(local_resource_dir, 'data/index.html'),
        '/usr/local/www/data/index.html',
        context=dict(
            hostname=hostname,
            httpd_ip=host_ip),
        backup=False,
        use_sudo=True)

    # Install squirrelmail
    with cd("/usr/ports/mail/squirrelmail"):
        sudo("make install")

    # Configure squirrelmail
    upload_template(path.join(local_resource_dir, 'config.php'),
        '/usr/local/www/squirrelmail/config/config.php',
        context=dict(
            hostname=hostname,
            httpd_ip=host_ip),
        backup=False,
        use_sudo=True)

    # Install qmailadmin / ezmlm-idx
    with cd("/usr/ports/mail/qmailadmin"):
        sudo('make install WITH_SPAM_DETECTION=TRUE SPAM_COMMAND="| /usr/local/bin/spamc -f | /usr/local/bin/maildrop" CGIBINDIR=www/squirrelmail/cgi-bin CGIBINSUBDIR= WEBDATADIR=www/squirrelmail WEBDATASUBDIR=qmailadmin')

    # Install qmailadmin plugin for squirrelmail
    with cd("/usr/ports/mail/squirrelmail-qmailadmin_login-plugin"):
        sudo("make install")

    # Install maildrop
    with cd("/usr/ports/mail/maildrop"):
        sudo("make install")

    # Install the maildrop spam sort magic
    sudo("mv %s /usr/local/etc/maildroprc" % path.join(remote_patches_dir, 'maildroprc'))

    # Install spamassassin
    with cd("/usr/ports/mail/p5-Mail-SpamAssassin"):
        sudo("make install")
    sudo('mkdir -p /usr/local/etc/mail/spamassassin')
    sudo("echo '-d 192.168.0.2' > /usr/local/etc/mail/spamassassin/spamc.conf")