示例#1
文件: setup.py 项目: Dmry/libertas
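def opendkim():
    """Install OpenDKIM and generate a DKIM signing key for the mail domain.

    Reads ``domain`` and ``docker_user`` from the ``general`` section of the
    configuration, installs the OpenDKIM packages, adds the docker user to the
    ``opendkim`` group, generates a 2048-bit key, and finally hands
    ``/etc/opendkim`` to the ``opendkim`` user with group/other access removed.

    External commands are run with argument vectors rather than through a
    shell, so configuration values are never interpreted as shell syntax.
    Exit statuses are not checked; a missing executable raises
    ``FileNotFoundError``.
    """
    # Imported here so the function does not depend on a module-level import.
    import subprocess

    check_root()  # presumably aborts when not running as root -- confirm

    config = get_config()['general']

    domain = config['domain']
    user = config['docker_user']

    install_packages(['opendkim', 'opendkim-tools'])

    Path("/var/log/postfix").mkdir(parents=True, exist_ok=True)
    Path("/var/log/dovecot").mkdir(parents=True, exist_ok=True)

    subprocess.run(["chmod", "-R", "770", "/etc/opendkim"])

    # `user` and `domain` come from the config file; passing them as separate
    # argv items keeps characters such as ';' or '$(' from reaching a shell.
    subprocess.run(["usermod", "-aG", "opendkim", user])

    # NOTE(review): -s is the selector option and a path is passed here so the
    # key lands in /etc/opendkim/mail.private. Presumably
    # `-D /etc/opendkim -s mail` is what is intended -- check the selector
    # name that ends up in mail.txt before publishing the DNS record.
    subprocess.run([
        "opendkim-genkey", "-b", "2048", "-r", "-h", "rsa-sha256",
        "-d", domain, "-s", "/etc/opendkim/mail",
    ])

    shutil.move("/etc/opendkim/mail.private", "/etc/opendkim/mail")

    uid = pwd.getpwnam("opendkim").pw_uid
    gid = grp.getgrnam("opendkim").gr_gid

    chown_recursive("/etc/opendkim", uid, gid)

    # Final lock-down: the directory now holds the private signing key, so
    # group and other lose all access.
    subprocess.run(["chmod", "-R", "go-rwx", "/etc/opendkim"])

    print(
        "Please add the DNS entry listed in /etc/opendkim/mail.txt to your DNS"
    )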
示例#2
文件: services.py 项目: Dmry/libertas
def clean():
    """Delete the installed service file once no libertas@ unit is enabled.

    Looks in ``service_enabled_path`` for regular files whose name contains
    ``libertas@``. If any are found, only a message is printed; otherwise
    ``service_file_target`` is removed when it exists.
    """
    check_root()

    still_enabled = []
    for entry in os.listdir(service_enabled_path):
        candidate = os.path.join(service_enabled_path, entry)
        if os.path.isfile(candidate) and 'libertas@' in entry:
            still_enabled.append(entry)

    if still_enabled:
        print("There are still services enabled, please disable first.")
        return

    if os.path.exists(service_file_target):
        os.remove(service_file_target)
示例#3
文件: services.py 项目: Dmry/libertas
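def install(target):
    """Install the service template if needed and enable ``libertas@<target>``.

    The template is copied to ``service_file_target`` only when it is not
    already there. Privileges are dropped before the unit is enabled with
    ``systemctl --user``.

    Args:
        target: instance name appended to ``libertas@``. It is passed to
            systemctl as part of a single argument and never through a shell,
            so shell metacharacters in it are not interpreted.

    The exit status of systemctl is not checked; a missing executable raises
    ``FileNotFoundError``.
    """
    # Imported here so the function does not depend on a module-level import.
    import subprocess

    check_root()

    if not os.path.exists(service_file_target):
        check_rendered(service_file_source)

        shutil.copyfile(service_file_source, service_file_target)

    drop_privileges()

    # Argument vector instead of a concatenated shell string: `target` cannot
    # append extra commands, and the fixed "libertas@" prefix keeps it from
    # being parsed as a systemctl option.
    subprocess.run(['systemctl', '--user', 'enable', 'libertas@' + target])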
示例#4
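def dependencies():
    """Prepare the host for rootless Docker and install required packages.

    Loads the ``bridge`` and ``overlay`` kernel modules, lowers the
    unprivileged port floor via ``/etc/sysctl.conf``, enables lingering for
    the configured docker user, installs the packages, drops privileges and
    then runs ``install_docker_rootless()``.

    External commands are run with argument vectors rather than through a
    shell. Exit statuses are not checked; a missing executable raises
    ``FileNotFoundError``.
    """
    # Imported here so the function does not depend on a module-level import.
    import subprocess

    check_root()

    package_list = [
        "docker-compose", "python3-toml", "python3-jinja2", "uidmap"
    ]

    subprocess.run(["modprobe", "bridge"])
    subprocess.run(["modprobe", "overlay", "permit_mounts_in_userns=1"])

    # Security note: ip_unprivileged_port_start=0 lets *every* unprivileged
    # process on the host bind ports below 1024, not only the docker user.
    setting = 'net.ipv4.ip_unprivileged_port_start=0'
    with open('/etc/sysctl.conf', 'a+') as file:
        # 'a+' creates the file when missing and always writes at the end;
        # reading first keeps repeated runs from stacking duplicate lines.
        file.seek(0)
        existing = file.read()
        if setting not in (entry.strip() for entry in existing.splitlines()):
            if existing and not existing.endswith('\n'):
                file.write('\n')
            file.write(setting + '\n')

    subprocess.run(["sysctl", "--system"])

    user_name = get_config()['general']['docker_user']

    # The user name comes from the config file; as its own argv item it is
    # never interpreted by a shell.
    subprocess.run(["loginctl", "enable-linger", user_name])

    install_packages(package_list)

    drop_privileges()

    install_docker_rootless()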
示例#5
文件: setup.py 项目: Dmry/libertas
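def letsencrypt():
    """Install certbot, request a certificate and schedule monthly renewal.

    Reads ``domain`` from the ``general`` section of the configuration, runs
    ``certbot certonly`` for it, adds a renewal entry to root's crontab and
    opens up the permissions on the certificate directories.

    External commands are run with argument vectors rather than through a
    shell. Exit statuses are not checked; a missing executable raises
    ``FileNotFoundError``.
    """
    # Imported here so the function does not depend on a module-level import.
    import subprocess

    check_root()

    package_list = ['certbot']

    domain = get_config()['general']['domain']

    install_packages(package_list)

    # The domain comes from the config file; as its own argv item it is never
    # interpreted by a shell.
    subprocess.run(["certbot", "certonly", "-d", domain])

    # The renewal job calls `certbot`, the same executable installed and used
    # above. The entry ends with a newline (cron does not accept an
    # unterminated last line) and is written only once, so repeated runs do
    # not stack duplicates.
    cron_entry = "0 4 1 * * certbot renew"
    with open("/var/spool/cron/crontabs/root", 'a+') as file:
        file.seek(0)
        existing = file.read()
        if cron_entry not in (entry.strip() for entry in existing.splitlines()):
            if existing and not existing.endswith('\n'):
                file.write('\n')
            file.write(cron_entry + '\n')

    # TODO: people will be happier when this is more strict

    # TODO: fix UID in service template

    # TODO: fix dmarc permissions

    # TODO: fix fail2ban

    # NOTE(review): mode 777 makes everything under live/ and archive/ --
    # including the TLS private keys -- readable and writable by every local
    # account. Behaviour is kept as-is because the consuming containers'
    # UID mapping is not visible here; the safer design is to grant read
    # access only to the account that serves the certificates (group
    # ownership or an ACL) and leave write access with root.
    subprocess.run(["chmod", "-R", "777", "/etc/letsencrypt/live"])
    subprocess.run(["chmod", "-R", "777", "/etc/letsencrypt/archive"])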
示例#6
文件: security.py 项目: Dmry/libertas
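def fail2ban():
    """Install fail2ban and deploy the dovecot/postfix jails.

    Copies the action and filter definitions for each container plus
    ``jail.local`` into ``/etc/fail2ban``, then asks for the SSH port and
    substitutes it for the ``port = ssh`` placeholder in ``jail.local``.
    A ``.bak`` copy of the file is kept by the in-place rewrite.
    """
    check_root()

    package_list = ['fail2ban']

    install_packages(package_list)

    containers = ['dovecot', 'postfix']

    for item in containers:
        copy(f"./extras/fail2ban/fail2ban-{item}-action.conf",
             "/etc/fail2ban/action.d/")
        copy(f"./extras/fail2ban/fail2ban-{item}-filter.conf",
             "/etc/fail2ban/filter.d/")

    copy("./extras/fail2ban/jail.local", "/etc/fail2ban/")

    # input() returns a single line, so the answer cannot add extra lines to
    # the jail file; surrounding whitespace is dropped.
    ssh_port = input("ssh port?").strip()

    if not ssh_port:
        # An empty answer would produce "port = " and break the jail, so the
        # shipped default is left untouched.
        return

    with fileinput.FileInput("/etc/fail2ban/jail.local",
                             inplace=True,
                             backup='.bak') as file:
        for line in file:
            # With inplace=True, stdout is redirected into the file: every
            # line must be printed back, otherwise jail.local ends up empty
            # and fail2ban runs with no jails configured.
            print(line.replace("port = ssh", "port = " + ssh_port), end='')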
示例#7
文件: setup.py 项目: Dmry/libertas
def bcrypt():
    """Install the passlib and bcrypt Python packages.

    ``check_root()`` is called first; the package names are then handed to
    ``install_packages``.
    """
    check_root()

    install_packages(['python3-passlib', 'python3-bcrypt'])