From f4d5791afb64192c9d248f0f3169bd491f5d0c5d Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Thu, 8 Oct 2015 22:46:34 +0200
Subject: [PATCH 01/16] Remove /bin/sh call made redundant by hashbang.

---
 systemfiles/irssi.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/systemfiles/irssi.service b/systemfiles/irssi.service
index ab7a4f8..537241c 100644
--- a/systemfiles/irssi.service
+++ b/systemfiles/irssi.service
@@ -6,7 +6,7 @@ Description=irssi screen
 [Service]
 Type=forking
 User=plom
-ExecStart=/bin/sh /home/plom/config/bin/screen-irssi.sh
+ExecStart=/home/plom/config/bin/screen-irssi.sh
 
 [Install]
 WantedBy=multi-user.target
-- 
2.30.2

From 8a7f3f76a02c968a4d9e6aa1561ff4f7749229bf Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Thu, 8 Oct 2015 22:53:38 +0200
Subject: [PATCH 02/16] Fix simplemail script newlines-dropping issue.

---
 bin/simplemail.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/bin/simplemail.sh b/bin/simplemail.sh
index 6cbc552..af0eb1a 100755
--- a/bin/simplemail.sh
+++ b/bin/simplemail.sh
@@ -2,8 +2,8 @@
 #
 # This mails to user plom the message in the file named by the first parameter,
 # decoded with the first line as subject and everything below the second line
-# as the message body. The subject line MUST NOT contain '"' double quotes.
+# as the message body.
 
 subject=`head -1 $1`
-body=`tail -n +2 $1`
-echo $body | mutt -s "$subject" plom
+body=`tail -n +3 $1`
+echo "$body" | mutt -s "$subject" plom
-- 
2.30.2

From 68e27cdad1b4194244289fe3e5ecc2ffd8dd83d5 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Fri, 9 Oct 2015 03:21:33 +0200
Subject: [PATCH 03/16] Add sshguard to server config.

---
 jessie_start_server.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/jessie_start_server.sh b/jessie_start_server.sh
index 7141a42..d3d5367 100755
--- a/jessie_start_server.sh
+++ b/jessie_start_server.sh
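Review bot: `$1` is still expanded unquoted in `subject=\`head -1 $1\`` and `body=\`tail -n +3 $1\``, so a message path containing whitespace or glob characters is split or expanded before head/tail see it; quote it and drop the backticks, `subject=$(head -n 1 -- "$1")` and `body=$(tail -n +3 -- "$1")`. `echo "$body"` also lets a body beginning with `-n` or `-e` be taken as echo options under dash-style `sh` implementations, so `printf '%s\n' "$body" | mutt -s "$subject" plom` is the safer form. Skipping to line 3 with `+3` drops line 2 of the message file entirely, which appears intended as the blank separator the comment above describes; saying so in that comment would spare the next reader a check.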
@@ -82,6 +82,12 @@ apt-get -y install vim
 mkdir -p .vimbackups
 su plom -c 'mkdir -p /home/plom/.vimbackups/'
 
+# Set up ssh-guard.
+apt-get -y install sshguard rsyslog iptables-persistent
+iptables -N sshguard
+iptables -A INPUT -j sshguard
+iptables save > /etc/iptables/rules.v4
+
 # Set up openssh-server.
 apt-get -y install openssh-server
 
-- 
2.30.2

From 929d5f0df4895aabe18a8b22c1bb04478b425d4f Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Fri, 9 Oct 2015 04:22:32 +0200
Subject: [PATCH 04/16] Cut down sshguard config to what's necessary.

---
 jessie_start_server.sh | 5 +----
 mails/server_postinstall_finished | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/jessie_start_server.sh b/jessie_start_server.sh
index d3d5367..63dd4ad 100755
--- a/jessie_start_server.sh
+++ b/jessie_start_server.sh
@@ -83,10 +83,7 @@ mkdir -p .vimbackups
 su plom -c 'mkdir -p /home/plom/.vimbackups/'
 
 # Set up ssh-guard.
-apt-get -y install sshguard rsyslog iptables-persistent
-iptables -N sshguard
-iptables -A INPUT -j sshguard
-iptables save > /etc/iptables/rules.v4
+apt-get -y install sshguard rsyslog
 
 # Set up openssh-server.
 apt-get -y install openssh-server
diff --git a/mails/server_postinstall_finished b/mails/server_postinstall_finished
index 5d318d9..ae0dd7e 100644
--- a/mails/server_postinstall_finished
+++ b/mails/server_postinstall_finished
@@ -4,4 +4,4 @@ The server post-installation script seems to have run successfully. Remember to
 perform the following tasks:
 
 - once when mail system set-up seems stable, in
- config/dotfiles_user_server/getmail/getmailrc, set [options] delete = true
+ config/dotfiles_user_server/getmail/getmailrc, set [options] delete = true
-- 
2.30.2

From facf5a078daf3cfc284c4aca96c10459303f7180 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Fri, 9 Oct 2015 04:46:42 +0200
Subject: [PATCH 05/16] Improve post-install mail in server config.

---
 mails/server_postinstall_finished | 2 ++
 1 file changed, 2 insertions(+)

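Review bot: `iptables save > /etc/iptables/rules.v4` is not an iptables subcommand — the rule dump is the separate `iptables-save` binary — so this line errors out or, if the script does not abort on failure, leaves an empty rules file instead of persisting the chain; the intended line is `iptables-save > /etc/iptables/rules.v4`. The chain is also hooked with `-A`, i.e. after any INPUT rules already present, which is worth a comment if the host has a firewall of its own. Patch 04/16 removes these four lines again, so the point mainly matters if they are ever restored.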
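Review bot: With the chain setup gone, nothing in the script connects sshguard to the packet filter any more, so whether `apt-get -y install sshguard rsyslog` results in anything actually being blocked now rests on the Debian package's default backend and post-install configuration, which this commit neither states nor verifies. A one-line check after the install would make the assumption explicit, e.g. `iptables -S INPUT | grep -q sshguard || echo 'sshguard is not hooked into INPUT' >&2`, or the comment above it could record which backend the package is expected to configure. The second hunk of this patch, in the mail template, is a whitespace-only change.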
diff --git a/mails/server_postinstall_finished b/mails/server_postinstall_finished
index ae0dd7e..fbc167b 100644
--- a/mails/server_postinstall_finished
+++ b/mails/server_postinstall_finished
@@ -5,3 +5,5 @@ perform the following tasks:
 
 - once when mail system set-up seems stable, in
  config/dotfiles_user_server/getmail/getmailrc, set [options] delete = true
+
+- ensure the following DNS TXT record for @: v=spf1 mx -all
-- 
2.30.2

From 2df2a310bead167e85198376ef9fa501f5bd5406 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Fri, 9 Oct 2015 05:53:03 +0200
Subject: [PATCH 06/16] To server config, add opendkim / opendkim key installation.

---
 mails/server_postinstall_finished | 4 +++
 setup_opendkim.sh | 44 +++++++++++++++++++++++++++++++
 systemfiles/main.cf | 4 ---
 systemfiles/opendkim.conf | 22 ++++++++++++++++
 4 files changed, 70 insertions(+), 4 deletions(-)
 create mode 100755 setup_opendkim.sh
 create mode 100644 systemfiles/opendkim.conf

diff --git a/mails/server_postinstall_finished b/mails/server_postinstall_finished
index fbc167b..92131b4 100644
--- a/mails/server_postinstall_finished
+++ b/mails/server_postinstall_finished
@@ -7,3 +7,7 @@ perform the following tasks:
  config/dotfiles_user_server/getmail/getmailrc, set [options] delete = true
 
 - ensure the following DNS TXT record for @: v=spf1 mx -all
+
+- run (as root) config/setup_opendkim.sh $selector to set up system for DKIM key
+ signing, with a second parameter $keyfile if a key already exists; without
+ second parameter, this will generate a new key and print the DNS record to add
diff --git a/setup_opendkim.sh b/setup_opendkim.sh
new file mode 100755
index 0000000..6d9749b
--- /dev/null
+++ b/setup_opendkim.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+set -x
+set -e
+selector=$1
+file=$2
+
+if [ "$(id -u)" -eq "0" ]; then
+ echo "Must be run as root."
+ exit
+fi
+
+apt-get -y install opendkim opendkim-tools
+cp ~/config/systemfiles/opendkim.conf /etc/opendkim.conf
+
+if [ -f /etc/opendkim/dkim.key ]; then
+ cp /etc/opendkim/dkim.key /etc/opendkim/dkim.key~
+fi
+
+sed -r -i 's/^#Selector .*$/Selector '$selector'/' /etc/opendkim.conf
+
+if [ ! -f $file ]; then
+ opendkim-genkey -d plomlompom.com -s $selector
+ mv "$selector".private /etc/opendkim/dkim.key
+else
+ cp $file /etc/opendkim/dkim.key
+fi
+
+cp ~/config/systemfiles/main.cf /etc/postfix/main.cf
+echo >> /etc/postfix/main.cf << EOF
+
+# Use opendkim at given port as mail filter.
+non_smtpd_milters = inet:localhost:12301
+smtpd_milters = inet:localhost:12301
+EOF
+service postfix restart
+service opendkim restart
+
+echo 'TAKE NOTE:'
+if [ -f $selector.txt ]; then
+ echo 'Apply the content of '$selector'.txt to your DNS record!'
+ cat $selector.txt
+else
+ echo 'Make sure the DKIM TXT entry in your DNS record matches!'
+fi
diff --git a/systemfiles/main.cf b/systemfiles/main.cf
index 4bc9749..bcb733c 100644
--- a/systemfiles/main.cf
+++ b/systemfiles/main.cf
@@ -14,7 +14,3 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 
 # Paranoid maximum error notification.
 notify_classes=2bounce, bounce, data, delay, policy, protocol, resource, software
-
-# Use opendkim at given port as mail filter.
-#non_smtpd_milters = inet:localhost:12301
-#smtpd_milters = inet:localhost:12301
diff --git a/systemfiles/opendkim.conf b/systemfiles/opendkim.conf
new file mode 100644
index 0000000..2bd3c19
--- /dev/null
+++ b/systemfiles/opendkim.conf
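Review bot: The signing key lands in `/etc/opendkim/dkim.key` by root's `mv`/`cp`, but `systemfiles/opendkim.conf` in the same patch runs the daemon as `UserID opendkim:opendkim`, and nothing here adjusts owner or mode — a key that opendkim-genkey typically writes as 0600 root-only would then be unreadable by the daemon. Add `chown opendkim:opendkim /etc/opendkim/dkim.key` and `chmod 600 /etc/opendkim/dkim.key` after the `fi` that closes the key branch; none of the later patches in this series that rework the script (07–10) do this. Separately, `if [ "$(id -u)" -eq "0" ]` is inverted (true exactly when running as root) and both `exit`s return status 0, which patches 07 and 10 later correct, and `$file` and `$selector` are unquoted throughout.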
@@ -0,0 +1,22 @@
+# The domain for which mails are signed.
+Domain plomlompom.com
+
+# Location of the private key to sign mails with.
+KeyFile /etc/opendkim/dkim.key
+
+# Identifies the signing key; useful when replacing it.
+#Selector keyname
+
+# Canonicalize the body strictly for signing, but the header (more legitimately
+# subject to reformatting by forwarding servers) less so.
+Canonicalization relaxed/simple
+
+# Invalidate the signature of mails to which additional From fields were added
+# after the signing. (See RFC for details on how this works.)
+OversignHeaders From
+
+# Where to communicate with the MTA.
+Socket inet:12301@localhost
+
+# Don't act as root.
+UserID opendkim:opendkim
-- 
2.30.2

From 258962e9d3b4f113ea5ba69379c7aeca30875842 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Fri, 9 Oct 2015 06:18:57 +0200
Subject: [PATCH 07/16] Fix issues with OpenDKIM script.

---
 setup_opendkim.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/setup_opendkim.sh b/setup_opendkim.sh
index 6d9749b..cee5ce8 100755
--- a/setup_opendkim.sh
+++ b/setup_opendkim.sh
@@ -4,7 +4,7 @@ set -e
 selector=$1
 file=$2
 
-if [ "$(id -u)" -eq "0" ]; then
+if [ ! "$(id -u)" -eq "0" ]; then
  echo "Must be run as root."
  exit
 fi
@@ -18,7 +18,8 @@ fi
 
 sed -r -i 's/^#Selector .*$/Selector '$selector'/' /etc/opendkim.conf
 
-if [ ! -f $file ]; then
+mkdir -p /etc/opendkim
+if [ -n $file ] || [ ! -f $file ]; then
  opendkim-genkey -d plomlompom.com -s $selector
  mv "$selector".private /etc/opendkim/dkim.key
 else
@@ -26,7 +27,7 @@ else
 fi
 
 cp ~/config/systemfiles/main.cf /etc/postfix/main.cf
-echo >> /etc/postfix/main.cf << EOF
+cat >> /etc/postfix/main.cf << EOF
 
 # Use opendkim at given port as mail filter.
 non_smtpd_milters = inet:localhost:12301
-- 
2.30.2

From ec7cf5e045fbdc6f415a47851e15caf593dcaa46 Mon Sep 17 00:00:00 2001
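Review bot: `if [ -n $file ] || [ ! -f $file ]; then` inverts the intent: `-n` is true when a key file WAS supplied, so a provided key is ignored and a fresh one generated, and with `$file` unquoted and empty the first test collapses to the one-argument form `[ -n ]`, which is also true, so the branch is taken unconditionally. What is meant is `if [ -z "$file" ] || [ ! -f "$file" ]; then`. Patch 09/16 quotes and negates the test, which has the same effect; the other two hunks of this patch (the root check and `cat >>` for the heredoc) are fine.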
From: Christian Heller
Date: Fri, 9 Oct 2015 14:37:07 +0200
Subject: [PATCH 08/16] Improve opendkim setup script.

---
 setup_opendkim.sh | 48 +++++++++++++++++++++++------------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/setup_opendkim.sh b/setup_opendkim.sh
index cee5ce8..a8b5402 100755
--- a/setup_opendkim.sh
+++ b/setup_opendkim.sh
@@ -9,37 +9,37 @@ if [ ! "$(id -u)" -eq "0" ]; then
  exit
 fi
 
-apt-get -y install opendkim opendkim-tools
-cp ~/config/systemfiles/opendkim.conf /etc/opendkim.conf
+apt-get -y install opendkim
 
-if [ -f /etc/opendkim/dkim.key ]; then
- cp /etc/opendkim/dkim.key /etc/opendkim/dkim.key~
-fi
-
-sed -r -i 's/^#Selector .*$/Selector '$selector'/' /etc/opendkim.conf
-
-mkdir -p /etc/opendkim
 if [ -n $file ] || [ ! -f $file ]; then
+ apt-get -y install opendkim-tools
  opendkim-genkey -d plomlompom.com -s $selector
- mv "$selector".private /etc/opendkim/dkim.key
+ apt-get --purge autoremove opendkim-tools
+ set +x
+ echo
+ echo 'Generated key file at '$selector'.private.'
+ echo 'APPLY the content of '$selector'.txt below to your DNS record.'
+ echo 'AFTER the waiting time for DNS propagation RERUN this script with' \
+ 'the key file as SECOND parameter (still use selector as first one).'
+ echo
+ cat $selector.txt
 else
+ cp ~/config/systemfiles/opendkim.conf /etc/opendkim.conf
+ sed -r -i 's/^#Selector .*$/Selector '$selector'/' /etc/opendkim.conf
+ mkdir -p /etc/opendkim
+ if [ -f /etc/opendkim/dkim.key ]; then
+  cp /etc/opendkim/dkim.key /etc/opendkim/dkim.key~
+ fi
  cp $file /etc/opendkim/dkim.key
-fi
-
-cp ~/config/systemfiles/main.cf /etc/postfix/main.cf
-cat >> /etc/postfix/main.cf << EOF
+ cp ~/config/systemfiles/main.cf /etc/postfix/main.cf
+ cat >> /etc/postfix/main.cf << EOF
 
 # Use opendkim at given port as mail filter.
 non_smtpd_milters = inet:localhost:12301
-smtpd_milters = inet:localhost:12301
 EOF
-service postfix restart
-service opendkim restart
-
-echo 'TAKE NOTE:'
-if [ -f $selector.txt ]; then
- echo 'Apply the content of '$selector'.txt to your DNS record!'
- cat $selector.txt
-else
- echo 'Make sure the DKIM TXT entry in your DNS record matches!'
+ service opendkim restart
+ service postfix restart
+ set +x
+ echo
+ echo 'Ensure the DKIM TXT entry in your DNS record matches!'
 fi
-- 
2.30.2
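Review bot: Every config source in this hunk is addressed as `~/config/systemfiles/...`, which resolves against the HOME of the root shell running the script, whereas the post-install mail in patch 06 tells the operator to run `config/setup_opendkim.sh` and the irssi unit in patch 01 locates the repository under `/home/plom/config`; from a `su`/`sudo` session that `~` can well be `/root`, and the `cp` lines fail. Deriving the path from the script's own location removes the guess: `cfg=$(dirname -- "$0")` at the top, then `cp "$cfg/systemfiles/opendkim.conf" /etc/opendkim.conf` and the same for `main.cf`. The heredoc now appends only `non_smtpd_milters`, so mail arriving over SMTP — including authenticated submission, if this host accepts any — no longer passes through the milter and is left unsigned; if that is intentional, a comment stating why would help. The `if`/`else` begins inside the hunk, but the script's first eight lines lie outside it.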
From 4459e67fab134f7e8fa1af04e7049d60b2904f45 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Fri, 9 Oct 2015 15:08:29 +0200
Subject: [PATCH 09/16] Fix bugs in opendkim setup script.

---
 setup_opendkim.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup_opendkim.sh b/setup_opendkim.sh
index a8b5402..fba3b5a 100755
--- a/setup_opendkim.sh
+++ b/setup_opendkim.sh
@@ -11,10 +11,10 @@ fi
 
 apt-get -y install opendkim
 
-if [ -n $file ] || [ ! -f $file ]; then
+if [ ! -n "$file" ] || [ ! -f "$file" ]; then
  apt-get -y install opendkim-tools
  opendkim-genkey -d plomlompom.com -s $selector
- apt-get --purge autoremove opendkim-tools
+ apt-get -y --purge autoremove opendkim-tools
  set +x
  echo
  echo 'Generated key file at '$selector'.private.'
-- 
2.30.2

From b76dbf0eb3a8785219d8c67c6150698b02b34a2d Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Fri, 9 Oct 2015 15:18:37 +0200
Subject: [PATCH 10/16] Improve friendliness of opendkim setup script.

---
 setup_opendkim.sh | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/setup_opendkim.sh b/setup_opendkim.sh
index fba3b5a..b8058e5 100755
--- a/setup_opendkim.sh
+++ b/setup_opendkim.sh
@@ -1,17 +1,30 @@
 #!/bin/sh
-set -x
 set -e
 selector=$1
 file=$2
 
+if [ ! -n "$selector" ]; then
+ cat << EOF
+Usage: $0 SELECTOR [KEYFILE] - set up DKIM system and configuration
+
+If existing KEYFILE is given, set up DKIM to use SELECTOR and apply key from
+KEYFILE.
+
+If existing KEYFILE is not given, generate KEYFILE and DNS TXT file for
+SELECTOR.
+EOF
+ exit
+fi
+
 if [ ! "$(id -u)" -eq "0" ]; then
  echo "Must be run as root."
- exit
+ exit 1
 fi
 
+set -x
 apt-get -y install opendkim
 
-if [ ! -n "$file" ] || [ ! -f "$file" ]; then
+if [ ! -n "$file" ]; then
  apt-get -y install opendkim-tools
  opendkim-genkey -d plomlompom.com -s $selector
  apt-get -y --purge autoremove opendkim-tools
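Review bot: The fix quotes `$file` but leaves `$selector` bare on the adjacent `opendkim-genkey -d plomlompom.com -s $selector`, and the same argument is spliced unquoted into the sed expression `'s/^#Selector .*$/Selector '$selector'/'` in the else branch outside this hunk, where a `/`, `&` or whitespace in the argument silently changes the substitution. Quote it here as `-s "$selector"`, and since a selector is a DNS label, reject anything else before any file is touched: `case $selector in ''|*[!A-Za-z0-9._-]*) echo 'invalid selector' >&2; exit 1;; esac`.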
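Review bot: The new missing-selector branch still ends in a bare `exit`, so a usage error returns status 0 and is indistinguishable from success to a caller, while the root check a few lines below is changed to `exit 1` in this very hunk; use `exit 1` here too and send the usage text to stderr with `cat << EOF >&2`. As a matter of style, `[ ! -n "$selector" ]` and the `[ ! -n "$file" ]` at the end of the hunk read more directly as `[ -z "$selector" ]` and `[ -z "$file" ]`.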
@@ -24,6 +37,12 @@ if [ ! -n "$file" ] || [ ! -f "$file" ]; then
  echo
  cat $selector.txt
 else
+ if [ ! -f "$file" ]; then
+  set +x
+  echo
+  echo "Keyfile $file does not exist."
+  exit 1
+ fi
  cp ~/config/systemfiles/opendkim.conf /etc/opendkim.conf
  sed -r -i 's/^#Selector .*$/Selector '$selector'/' /etc/opendkim.conf
  mkdir -p /etc/opendkim
-- 
2.30.2

From b46676de6f6a531b2bb643012373b5a96e66414c Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Fri, 9 Oct 2015 15:22:14 +0200
Subject: [PATCH 11/16] Further improve opendkim setup script user friendliness.

---
 setup_opendkim.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/setup_opendkim.sh b/setup_opendkim.sh
index b8058e5..ce1e3d5 100755
--- a/setup_opendkim.sh
+++ b/setup_opendkim.sh
@@ -31,7 +31,8 @@ if [ ! -n "$file" ]; then
  set +x
  echo
  echo 'Generated key file at '$selector'.private.'
- echo 'APPLY the content of '$selector'.txt below to your DNS record.'
+ echo 'Also generated '$selector'.txt, APPLY its content below to your DNS' \
+ 'record.'
  echo 'AFTER the waiting time for DNS propagation RERUN this script with' \
  'the key file as SECOND parameter (still use selector as first one).'
  echo
-- 
2.30.2

From 39ee3768058ac5553dd35532eab0046c9620b2b1 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Fri, 9 Oct 2015 15:47:23 +0200
Subject: [PATCH 12/16] Extend sysadmin mailing tasks.

---
 jessie_start_server.sh | 4 ++++
 mails/server_postinstall_finished | 2 +-
 mails/update_reminder | 7 +++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 mails/update_reminder

diff --git a/jessie_start_server.sh b/jessie_start_server.sh
index 63dd4ad..d3af7fb 100755
--- a/jessie_start_server.sh
+++ b/jessie_start_server.sh
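Review bot: `echo "Keyfile $file does not exist."` writes the only diagnostic before `exit 1` to stdout, so it is lost when the script's output is captured or piped; make it `echo "Keyfile $file does not exist." >&2`. The enclosing `if`/`else` starts outside this hunk, and the `cp $file /etc/opendkim/dkim.key` that follows the shown context is still unquoted, unlike the new `-f "$file"` test.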
@@ -98,6 +98,10 @@ cp config/systemfiles/aliases /etc/aliases
 newaliases
 service postfix restart
 
+# Set up regular system update reminder.
+apt-get -y install cron
+su plom -c "echo '0 0 * * 0 ~/config/bin/simplemail.sh ~/config/mails/update_reminder' | crontab -"
+
 # Set up screen.
 apt-get -y install screen
 
diff --git a/mails/server_postinstall_finished b/mails/server_postinstall_finished
index 92131b4..45b82c1 100644
--- a/mails/server_postinstall_finished
+++ b/mails/server_postinstall_finished
@@ -1,4 +1,4 @@
-Server post-installation TODO
+[SYSADMIN] Server post-installation TODO
 
 The server post-installation script seems to have run successfully. Remember to
 perform the following tasks:
diff --git a/mails/update_reminder b/mails/update_reminder
new file mode 100644
index 0000000..81dd02c
--- /dev/null
+++ b/mails/update_reminder
@@ -0,0 +1,7 @@
+[SYSADMIN] System updating reminder
+
+This is your regular reminder to run:
+
+apt-get update
+apt-get upgrade
+apt-get dist-upgrade
-- 
2.30.2

From fa712562fa7b23544593675b4e36ef1983850d0a Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Sat, 10 Oct 2015 03:52:18 +0200
Subject: [PATCH 13/16] Differentiate server and thinkpad shell prompt colors.

---
 {dotfiles_user_minimal => dotfiles_user_server}/bashrc | 0
 dotfiles_user_thinkpad/bashrc | 10 ++++++++++
 2 files changed, 10 insertions(+)
 rename {dotfiles_user_minimal => dotfiles_user_server}/bashrc (100%)
 create mode 100644 dotfiles_user_thinkpad/bashrc

diff --git a/dotfiles_user_minimal/bashrc b/dotfiles_user_server/bashrc
similarity index 100%
rename from dotfiles_user_minimal/bashrc
rename to dotfiles_user_server/bashrc
diff --git a/dotfiles_user_thinkpad/bashrc b/dotfiles_user_thinkpad/bashrc
new file mode 100644
index 0000000..06df74f
--- /dev/null
+++ b/dotfiles_user_thinkpad/bashrc
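Review bot: `su plom -c "echo '0 0 * * 0 ...' | crontab -"` installs a crontab consisting of this single line, replacing whatever crontab the plom user already has, and patch 16/16 rewrites the same line with the new time. Prepend the existing entries so a re-run or a later job does not wipe the others: `su plom -c "( crontab -l 2>/dev/null; echo '0 0 * * 0 ~/config/bin/simplemail.sh ~/config/mails/update_reminder' ) | crontab -"`. The `~` inside the cron command is left for cron's shell to expand against the HOME it sets for the user; a comment on the line recording that reliance would help the next reader.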
@@ -0,0 +1,10 @@
+# plomlompom's bashrc for non-login shells
+
+# Fancy colors for ls.
+alias ls="ls --color=auto"
+
+# Blue prompt with time.
+PS1="\[\e[1;32m\][\\t \\u@\\h \\w]$\[\e[m\] "
+PS2="\[\e[1;32m\]>\[\e[m\] "
+PS3="\[\e[1;32m\]>\[\e[m\] "
+PS4="\[\e[1;32m\]+\[\e[m\] "
-- 
2.30.2

From 955792fdc4bf38fbd74dbb0781cdeb08f5133cc9 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Sun, 11 Oct 2015 20:17:27 +0200
Subject: [PATCH 14/16] Add new autojoin IRC channel to irssi config.

---
 dotfiles_user_server/irssi/config | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/dotfiles_user_server/irssi/config b/dotfiles_user_server/irssi/config
index 60ce029..8d790dd 100644
--- a/dotfiles_user_server/irssi/config
+++ b/dotfiles_user_server/irssi/config
@@ -20,10 +20,7 @@ chatnets = {
 channels = (
  { name = "#nodrama.de"; chatnet = "freenode"; autojoin = "yes"; },
  { name = "#twitter.de"; chatnet = "freenode"; autojoin = "yes"; },
- {
- name = "#freie-gesellschaft";
- chatnet = "freenode";
- autojoin = "yes";
- },
+ { name = "#freie-gesellschaft"; chatnet = "freenode"; autojoin = "yes"; },
+ { name = "#dumme-gesellschaft"; chatnet = "freenode"; autojoin = "yes"; },
 );
 logs = { };
-- 
2.30.2

From 822fe8e489823bb5c1e6a8a90ebda2ba7e35cf9f Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Sun, 11 Oct 2015 20:35:08 +0200
Subject: [PATCH 15/16] On server re-start, send reminder mail to re-identify via NickServ.

---
 bin/screen-irssi.sh | 3 +++
 mails/irssi_identify_reminder | 4 ++++
 2 files changed, 7 insertions(+)
 create mode 100644 mails/irssi_identify_reminder

diff --git a/bin/screen-irssi.sh b/bin/screen-irssi.sh
index 4f11aa2..1e61f46 100755
--- a/bin/screen-irssi.sh
+++ b/bin/screen-irssi.sh
@@ -11,3 +11,6 @@ echo 1
 # Start irssi in shell in screen.
 screen -d -m -S irssi
 screen -S irssi -X stuff 'irssi\n'
+
+# Send mail to remind user to re-identify to NickServ.
+~/config/bin/simplemail.sh ~/config/mails/irssi_identify_reminder
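Review bot: `# Blue prompt with time.` does not describe the escape below it: `\e[1;32m` selects bold green (blue would be `34`), and since this commit exists precisely to tell the two machines' prompt colours apart, a wrong colour word in the comment invites the wrong edit later. Change it to `# Green prompt with time.` (or name the machine it is for, if that is the distinction). The `$` before `\[\e[m\]` inside double quotes stays literal because a backslash follows it, so the prompt ends in `]$ ` as intended.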
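Review bot: The mail call is now the last command in the script, so its exit status becomes the script's; under the `Type=forking` unit from patch 01, a non-zero exit of the ExecStart process marks the service failed even though screen and irssi were started on the lines above, and the mail step presumably fails whenever mutt or the local mail system is not yet up. Either run the reminder before the screen lines or make the failure explicit and non-fatal: `~/config/bin/simplemail.sh ~/config/mails/irssi_identify_reminder || echo 'identify reminder mail failed' >&2`. The `~` here is plom's HOME because the unit runs with `User=plom`, which matches the `/home/plom/config` path in ExecStart.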
diff --git a/mails/irssi_identify_reminder b/mails/irssi_identify_reminder
new file mode 100644
index 0000000..739ceec
--- /dev/null
+++ b/mails/irssi_identify_reminder
@@ -0,0 +1,4 @@
+irssi restarted, re-identify!
+
+Your irssi was restarted, so don't forget to re-identify to Nickserv via
+"/msg nickserv identify [password]".
-- 
2.30.2

From 70fe8aaca5e544c5eb85cd5eff0133264ea5b1e9 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Sun, 11 Oct 2015 20:43:40 +0200
Subject: [PATCH 16/16] Change time of system update reminder mail cronjob.

---
 jessie_start_server.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jessie_start_server.sh b/jessie_start_server.sh
index d3af7fb..6030a26 100755
--- a/jessie_start_server.sh
+++ b/jessie_start_server.sh
@@ -100,7 +100,7 @@ service postfix restart
 
 # Set up regular system update reminder.
 apt-get -y install cron
-su plom -c "echo '0 0 * * 0 ~/config/bin/simplemail.sh ~/config/mails/update_reminder' | crontab -"
+su plom -c "echo '0 18 * * 0 ~/config/bin/simplemail.sh ~/config/mails/update_reminder' | crontab -"
 
 # Set up screen.
 apt-get -y install screen
-- 
2.30.2