#!/bin/sh
#
# provision-base.sh: provision the "base" jail. Creates its ZFS filesystem,
# installs FreeBSD into it, applies updates, configures the jail, installs the
# packages wanted in every jail and finally takes the $BASE_SNAP ZFS snapshot.
#
# All variables ($BASE_MNT, $BASE_VOL, $BASE_SNAP, $TOASTER_MAIL_DOMAIN, ...)
# and helpers (tell_status, stage_pkg_install, stage_exec, zfs_*, ...) come
# from mail-toaster.sh; the script refuses to run without it.
# shellcheck disable=1091
. mail-toaster.sh || exit
create_base_filesystem()
{
  # Unmount whatever an earlier run left mounted on $BASE_MNT/dev, then
  # create the $BASE_VOL dataset unless it already exists.
  if [ -e "$BASE_MNT/dev/null" ]; then
    echo "unmounting $BASE_MNT/dev"
    umount "$BASE_MNT/dev" || exit
  fi

  zfs_filesystem_exists "$BASE_VOL" && {
    echo "$BASE_VOL already exists"
    return
  }

  zfs_create_fs "$BASE_VOL"
}
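freebsd_update()
{
  # Apply FreeBSD security updates to the base jail. freebsd-update is run
  # against the jail's root and its own freebsd-update.conf, restricted to
  # the "world" component.
  local _conf="$BASE_MNT/etc/freebsd-update.conf"

  tell_status "apply FreeBSD security updates to base jail"
  sed -i .bak -e 's/^Components.*/Components world/' "$_conf" || exit

  # A failed fetch/install must stop the run: otherwise an unpatched base
  # jail would be snapshotted below as if it were finished.
  freebsd-update -b "$BASE_MNT" -f "$_conf" fetch install || exit
}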
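install_freebsd()
{
  # Populate $BASE_MNT with FreeBSD: via bsdinstall when USE_BSDINSTALL is
  # set, otherwise from the staged base package (stage_fbsd_package).
  # A present COPYRIGHT file marks an already installed jail.
  if [ -f "$BASE_MNT/COPYRIGHT" ]; then
    echo "FreeBSD already installed"
    return
  fi

  if [ -z "$USE_BSDINSTALL" ]; then
    stage_fbsd_package base "$BASE_MNT"
    return
  fi

  # Release directories on FreeBSD mirrors are <MACHINE>/<MACHINE_ARCH>/<rel>,
  # e.g. amd64/amd64 or arm64/aarch64. uname -m yields MACHINE and uname -p
  # yields MACHINE_ARCH; using -m for both only happens to work where the
  # two coincide (amd64, i386).
  export BSDINSTALL_DISTSITE
  BSDINSTALL_DISTSITE="$FBSD_MIRROR/pub/FreeBSD/releases/$(uname -m)/$(uname -p)/$FBSD_REL_VER"
  bsdinstall jail "$BASE_MNT"
}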
install_ssmtp()
{
  # Install ssmtp in the jail, derive its config from the shipped samples and
  # make every sendmail-compatible entry point in mailer.conf run ssmtp.
  local _etc="$BASE_MNT/usr/local/etc/ssmtp"

  tell_status "installing ssmtp"
  stage_pkg_install ssmtp || exit

  tell_status "configuring ssmtp"
  cp "$_etc/revaliases.sample" "$_etc/revaliases" || exit

  # NOTE(review): TOASTER_MAIL_DOMAIN is spliced into sed expressions; it is
  # assumed to contain no sed-special characters (/ & \) -- confirm upstream.
  sed -e "/^root=/ s/postmaster/postmaster@$TOASTER_MAIL_DOMAIN/" \
      -e "/^mailhub=/ s/=mail/=vpopmail/" \
      -e "/^rewriteDomain=/ s/=\$/=$TOASTER_MAIL_DOMAIN/" \
      "$_etc/ssmtp.conf.sample" > "$_etc/ssmtp.conf" || exit

  tee "$BASE_MNT/etc/mail/mailer.conf" <<EO_MAILER_CONF
sendmail /usr/local/sbin/ssmtp
send-mail /usr/local/sbin/ssmtp
mailq /usr/local/sbin/ssmtp
newaliases /usr/local/sbin/ssmtp
hoststat /usr/bin/true
purgestat /usr/bin/true
EO_MAILER_CONF
}
configure_syslog()
{
  # Forward every syslog facility to the host "syslog" and switch off
  # newsyslog inside the jail (rc.conf flag plus the crontab entry).
  local _crontab="$BASE_MNT/etc/crontab"

  tell_status "forwarding syslog to host"
  tee "$BASE_MNT/etc/syslog.conf" <<EO_SYSLOG
*.* @syslog
EO_SYSLOG

  tell_status "disabling newsyslog"
  sysrc -f "$BASE_MNT/etc/rc.conf" newsyslog_enable=NO
  # comment out the crontab line that starts with "0" and runs newsyslog
  sed -i .bak -e '/^0.*newsyslog/ s/^0/#0/' "$_crontab"
}
disable_syslog()
{
  # Turn off both syslogd and newsyslog in the jail: rc.conf flags plus
  # the crontab newsyslog entry (the line starting with "0").
  local _rc="$BASE_MNT/etc/rc.conf"
  local _crontab="$BASE_MNT/etc/crontab"

  tell_status "disabling syslog"
  sysrc -f "$_rc" newsyslog_enable=NO syslogd_enable=NO
  sed -i .bak -e '/^0.*newsyslog/ s/^0/#0/' "$_crontab"
}
disable_root_password()
{
  # If root has an empty password field, replace it with "*" (not a valid
  # hash, so no password login is possible) and rebuild the password db.
  # Also stops the nightly security report complaining about it.
  local _passwd="$BASE_MNT/etc/master.passwd"

  grep -q '^root::' "$_passwd" || return 0

  tell_status "disabling passwordless root account"
  sed -i .bak -e 's/^root::/root:*:/' "$_passwd"
  stage_exec pwd_mkdb /etc/master.passwd || exit
}
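disable_cron_jobs()
{
  # Comment out the stock crontab entries a jail cannot or need not run.
  local _crontab="$BASE_MNT/etc/crontab"

  # An uncommented adjkerntz line (starting with "1") means the crontab is
  # still untouched. Once it is commented out there is nothing left to do;
  # testing for its presence and returning would skip the work forever.
  if ! grep -q '^1.*adjkerntz' "$_crontab"; then
    tell_status "cron jobs already configured"
    return
  fi

  tell_status "disabling adjkerntz, save-entropy, & atrun"
  # nobody uses atrun, save-entropy is done by the host, and
  # the jail doesn't have permission to run adjkerntz.
  sed -i .bak \
    -e '/^1.*adjkerntz/ s/^1/#1/' \
    -e '/^\*.*atrun/ s/^\*/#*/' \
    -e '/^\*.*entropy/ s/^\*/#*/' \
    "$_crontab" || exit
  echo "done"
}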
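configure_ssl_dirs()
{
  # Create the certificate and private-key directories in the jail.
  # mkdir -p keeps a re-run from failing on existing directories, and o-rwx
  # (rather than only o-r) also drops search permission, so "other" cannot
  # reach a key that lands in private/ with loose file permissions.
  local _ssl="$BASE_MNT/etc/ssl"

  mkdir -p "$_ssl/certs" "$_ssl/private" || exit
  chmod o-rwx "$_ssl/private" || exit
}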
configure_make_conf() {
  # Seed the jail's make.conf once; an existing WRKDIRPREFIX line is taken
  # as the "already done" marker (-s keeps grep quiet if the file is absent).
  local _make="$BASE_MNT/etc/make.conf"

  grep -qs WRKDIRPREFIX "$_make" && return

  tell_status "setting base jail make.conf variables"
  tee -a "$_make" <<EO_MAKE_CONF
WITH_PKGNG=yes
WRKDIRPREFIX?=/tmp/portbuild
EO_MAKE_CONF
}
configure_base()
{
  # Host-derived configuration of the base jail: resolver and timezone
  # copied from the host, make.conf, rc.conf defaults, ssl dirs, cron, syslog.
  local _etc="$BASE_MNT/etc"

  [ -d "$BASE_MNT/usr/ports" ] || mkdir "$BASE_MNT/usr/ports" || exit

  tell_status "adding base jail resolv.conf"
  cp /etc/resolv.conf "$_etc" || exit

  tell_status "setting base jail timezone (to hosts)"
  cp /etc/localtime "$_etc" || exit

  configure_make_conf

  # cron_flags is single-quoted on purpose: the literal text "$cron_flags
  # -J 15" is what gets written into rc.conf.
  sysrc -f "$_etc/rc.conf" \
    hostname=base \
    cron_flags='$cron_flags -J 15' \
    syslogd_flags="-s -cc" \
    sendmail_enable=NONE \
    update_motd=NO

  configure_ssl_dirs
  disable_cron_jobs
  configure_syslog
}
install_bash()
{
  # Install bash in the jail, switch the login shell of the user stage_exec
  # runs as (presumably root) to it, and seed root's .bash_profile unless
  # one already exists.
  local _profile="$BASE_MNT/root/.bash_profile"

  tell_status "installing bash"
  stage_pkg_install bash || exit
  stage_exec chpass -s /usr/local/bin/bash

  [ -f "$_profile" ] && return

  tee -a "$_profile" <<'EO_BASH_PROFILE'
export HISTCONTROL=erasedups
export HISTIGNORE="&:[bf]g:exit"
shopt -s cdspell
bind Space:magic-space
alias h="history 25"
alias ls="ls -FG"
alias ll="ls -alFG"
EO_BASH_PROFILE
}
config_bourne_shell()
{
  # Append ls aliases and a PS1 prompt to root's .profile, both inside the
  # jail and on the host itself. An existing PS1 line is the "done" marker.
  # _bconf is single-quoted so $(whoami)/$(hostname -s) are written
  # verbatim and only evaluated when the profile is sourced.
  local _jail_profile=$BASE_MNT/root/.profile
  local _host_profile=/root/.profile
  local _bconf='
alias ls="ls -FG"
alias ll="ls -alFG"
PS1="$(whoami)@$(hostname -s):\\w # "
'

  tell_status "making bourne sh more comfy"

  if ! grep -q PS1 "$_jail_profile"; then
    echo "$_bconf" | tee -a "$_jail_profile"
  fi
  if ! grep -q PS1 "$_host_profile"; then
    echo "$_bconf" | tee -a "$_host_profile"
  fi
}
install_periodic_conf()
{
  # Write a periodic.conf tuned for running inside a jail. Reports are
  # addressed to postmaster@$TOASTER_MAIL_DOMAIN directly rather than
  # relying on /etc/aliases; checks that are meaningless in a jail are off.
  local _conf="$BASE_MNT/etc/periodic.conf"

  tell_status "installing /etc/periodic.conf"
  tee "$_conf" <<EO_PERIODIC
# periodic.conf tuned for periodic inside jails
# increase the signal, decrease the noise
# some versions of FreeBSD bark b/c these are defined in
# /etc/defaults/periodic.conf and do not exist. Hush.
daily_local=""
weekly_local=""
monthly_local=""
# in case /etc/aliases isn't set up properly
daily_output="postmaster@$TOASTER_MAIL_DOMAIN"
weekly_output="postmaster@$TOASTER_MAIL_DOMAIN"
monthly_output="postmaster@$TOASTER_MAIL_DOMAIN"
security_show_success="NO"
security_show_info="YES"
security_status_pkgaudit_enable="YES"
security_status_tcpwrap_enable="YES"
# These are redundant within a jail
security_status_chksetuid_enable="NO"
security_status_neggrpperm_enable="NO"
security_status_ipfwlimit_enable="NO"
security_status_ipfwdenied_enable="NO"
security_status_pfdenied_enable="NO"
security_status_kernelmsg_enable="NO"
daily_accounting_enable="NO"
daily_accounting_compress="YES"
daily_clean_disks_enable="YES"
daily_clean_disks_verbose="NO"
daily_clean_hoststat_enable="NO"
daily_clean_tmps_enable="YES"
daily_clean_tmps_verbose="NO"
daily_news_expire_enable="NO"
daily_show_success="NO"
daily_show_info="NO"
daily_show_badconfig="YES"
daily_status_disks_enable="NO"
daily_status_include_submit_mailq="NO"
daily_status_mail_rejects_enable="YES"
daily_status_mailq_enable="NO"
daily_status_network_enable="NO"
daily_status_rwho_enable="NO"
daily_submit_queuerun="NO"
weekly_accounting_enable="NO"
weekly_show_success="NO"
weekly_show_info="NO"
weekly_show_badconfig="YES"
weekly_whatis_enable="NO"
monthly_accounting_enable="NO"
monthly_show_success="NO"
monthly_show_info="NO"
monthly_show_badconfig="YES"
EO_PERIODIC
}
install_base()
{
  # Packages and configuration every jail is expected to start out with.
  tell_status "installing packages desired in every jail"
  stage_pkg_install pkg vim-lite ca_root_nss || exit
  stage_exec newaliases || exit

  [ "$BOURNE_SHELL" = "bash" ] && install_bash

  install_ssmtp
  disable_root_password
  install_periodic_conf
}
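# ---- main ----------------------------------------------------------------
# A finished base jail is identified by its ZFS snapshot; nothing to do then.
zfs_snapshot_exists "$BASE_SNAP" && exit 0

# best effort: remove a staging jail left behind by an earlier run
jail -r stage 2>/dev/null

create_base_filesystem
install_freebsd
freebsd_update
configure_base
config_bourne_shell

start_staged_jail base "$BASE_MNT" || exit
install_base
jail -r stage
umount "$BASE_MNT/dev"

# Drop downloaded packages before snapshotting. The "*" must stay outside
# the quotes so the shell expands it -- quoted, it is a literal filename and
# nothing is removed. ${BASE_MNT:?} aborts on an empty/unset mount point so
# this can never degrade into rm -rf /var/cache/pkg/*.
rm -rf "${BASE_MNT:?}/var/cache/pkg"/*

echo "zfs snapshot ${BASE_SNAP}"
zfs snapshot "${BASE_SNAP}" || exit
proclaim_success base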