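#!/bin/bash
#
# eginstall
#
# (c) 2007 Egressive Limited
#
# Create a base Egressive Reference Linux platform installation
#
# Usage: run as root from the checked-out eginstall directory (the one that
# holds templates/).  Asks for the egressive password once up front, then
# runs the setup functions below in order.
#
#-----------------------------------------------------
# To Do
# Convert to separate scripts
# Change the sources.list back to NZ when finished
#
#-----------------------------------------------------
# History
#---------
# Rob Fraser 20070519 created script
# Rob Fraser 20070806 changed to calling functions
# Rob Fraser 20070820 various tidyups
# Rob Fraser 20070821 changed apt-get to aptitude
#-----------------------------------------------------
#
# Package manager invocation.  Deliberately left unquoted at every call site:
# the value is "<path> -y" and has to word-split into command plus flag.
#APT_GET_COMMAND="$(command -v apt-get) -y"
if ! command -v aptitude >/dev/null
then
  echo "aptitude is not installed; install it before running eginstall" >&2
  exit 1
fi
APT_GET_COMMAND="$(command -v aptitude) -y"
#
# Directory the script was started from; the templates/ tree lives here.
EGINSTALL_DIR=$(pwd)
#
# Shared secret reused later for the MailWatch database user and web login.
# Read silently (-s) so it is not echoed, and raw (-r) so backslashes are kept
# as typed; the explicit echo restores the newline that -s suppresses.
#EGRESSIVE_SECRET=""
read -r -s -p "Please enter the egressive password:" egressive_secret
echo
#EGRESSIVE_SECRET=""
#
if ! [ -d "$EGINSTALL_DIR/templates" ]
then
  echo "You are not in the egserverinstall directory or "
  echo "egserverinstall is not properly installed."
  exit 1
fi
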
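#######################################
# Keep a pristine copy of /etc before anything below edits it.
# Globals:   none
# Outputs:   progress banner on stdout
# Returns:   0 (mkdir/cp errors are reported but not fatal)
#######################################
copy_etc() {
  # /storage/etc.orig/hosts is the marker that the copy has already been made.
  if ! [ -f /storage/etc.orig/hosts ]
  then
    echo "=========================================================="
    echo "Make a copy of the base /etc in /storage/etc.orig"
    echo "----------------------------------------------------------"
    # Copy the *contents* of /etc (note the trailing /.).  Copying the
    # directory itself into a pre-created etc.orig put everything under
    # /storage/etc.orig/etc/, so the marker above never appeared and the
    # copy was redone on every run.
    mkdir -p /storage/etc.orig
    cp -a /etc/. /storage/etc.orig/
    echo "=========================================================="
  fi
}
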
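#######################################
# Point apt at the Unleash debcache mirror, then update and dist-upgrade.
# Globals:   EGINSTALL_DIR (read), APT_GET_COMMAND (read)
# Outputs:   progress banner on stdout
#######################################
unleash_debcache() {
  echo "=========================================================="
  echo "Copying /etc/apt/sources.list using Unleash debcache"
  echo "----------------------------------------------------------"
  # Swap the file only once; the original is kept as sources.list.nz so the
  # "change back to NZ" item at the top of the script can be done by hand.
  if ! grep -q debcache.unleash.net.nz /etc/apt/sources.list
  then
    cp /etc/apt/sources.list /etc/apt/sources.list.nz
    cp -- "$EGINSTALL_DIR/templates/sources.list.unleash" /etc/apt/sources.list
  fi
  # shellcheck disable=SC2086 -- "<path> -y" must word-split
  $APT_GET_COMMAND update
  # shellcheck disable=SC2086
  $APT_GET_COMMAND dist-upgrade
}
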
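#######################################
# Install ssh and tighten sshd_config: key-only root login plus a group
# allow-list (root and the sshusers group).
# Globals:   APT_GET_COMMAND (read)
# Outputs:   progress banner on stdout
#######################################
configure_sshd_config(){
  echo "=========================================================="
  echo "Fix up /etc/ssh/sshd_config"
  echo "----------------------------------------------------------"
  # shellcheck disable=SC2086
  $APT_GET_COMMAND install ssh
  # Root may still log in, but only with a key; password auth for root is off.
  sed --in-place=.orig 's/PermitRootLogin yes/PermitRootLogin without-password/' /etc/ssh/sshd_config
  if ! grep -q AllowGroups /etc/ssh/sshd_config
  then
    addgroup sshusers
    # egressive is the only initial member; any other account that needs ssh
    # must be added with "addgroup <user> sshusers" or it is locked out.
    addgroup egressive sshusers
    echo "AllowGroups root sshusers" >> /etc/ssh/sshd_config
  fi
  # Neither edit takes effect until sshd re-reads its config.  Validate first
  # so a broken file never replaces the running daemon's working config.
  if /usr/sbin/sshd -t
  then
    /etc/init.d/ssh reload
  else
    echo "sshd_config failed validation - not reloading; fix it before restarting ssh" >&2
  fi
  echo "=========================================================="
  #
}
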
#######################################
# Install the two interactive utilities the rest of the script leans on
# (emacs is invoked below to edit fstab and the apache site files).
# Globals:   APT_GET_COMMAND (read)
# Outputs:   progress banner on stdout
#######################################
emacs_screen(){
  local rule="=========================================================="
  echo "$rule"
  echo "Install Utilities - emacs | screen"
  echo "----------------------------------------------------------"
  # shellcheck disable=SC2086
  $APT_GET_COMMAND install emacs-nox screen
  echo "$rule"
  #
}

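#######################################
# Install acl tooling, make sure the acl mount option is in fstab, and turn
# on ext dir_index for /home (Maildir trees get large).
# Globals:   APT_GET_COMMAND (read)
# Outputs:   progress text on stdout; may open emacs on /etc/fstab
#######################################
acls_dir_indexing(){
  local home_dev=/dev/mapper/ubuntu-home
  local res
  echo "=========================================================="
  echo "Install acls"
  echo "----------------------------------------------------------"
  if ! command -v getfacl >/dev/null
  then
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install acl
  fi
  # NOTE(review): this matches "acl" anywhere in fstab, comments included;
  # a stricter test would inspect the options field only.
  if ! grep -q acl /etc/fstab
  then
    echo "You must add ,acl to the option fields (after default)"
    echo "of / , /var , /home and /storage"
    read -r -p "Press Enter to continue . . ."
    #
    emacs /etc/fstab
    mount -o remount /
    # /var is in the instructions above; the remount fails harmlessly if it
    # is not a separate filesystem.
    mount -o remount /var
    mount -o remount /home
    mount -o remount /storage
  fi
  echo "Add directory indexing to /home filesystem"
  echo "----------------------------------------------------------"
  res=$(tune2fs -l "$home_dev" | grep -c dir_index)
  if [ "$res" -le 0 ]
  then
    echo "Maildir gets better performance with dir_index turned on"
    echo "in ext2 - this will affect /home on our standard build"
    res=$(lsof /home | wc -l)
    if [ "$res" -gt 0 ]
    then
      echo "Cannot umount /home due to open files. You are probably"
      echo "logged in as egressive. You will need to do this manually . . ."
      # Print the manual steps; the last one used to be a stray "mount"
      # call, and the e2fsck device was spelled ubuntu/home.
      echo "# umount /home"
      echo "# tune2fs -O dir_index $home_dev"
      echo "# e2fsck -fD $home_dev"
      echo "# mount $home_dev"
      read -r -p "Press Enter to continue . . ."
    else
      echo "Unmounting home, turning on dir_index, optimising directories and remounting"
      umount /home
      tune2fs -O dir_index "$home_dev"
      e2fsck -fD "$home_dev"
      mount "$home_dev"
    fi
  fi
  echo "=========================================================="
}
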
#######################################
# Send mdadm RAID alerts to the support mailbox instead of local root.
# Globals:   none
# Outputs:   progress banner on stdout
#######################################
sw_raid_email() {
  local mdadm_default=/etc/default/mdadm
  echo "=========================================================="
  echo "Update /etc/default/mdadm"
  echo "----------------------------------------------------------"
  # The match stops after the word root, so the closing quote of the original
  # value is kept; a .orig backup is left next to the file.
  sed --in-place=.orig 's/MAIL_TO=\"root/MAIL_TO=\"support@egressive.com/' "$mdadm_default"
  echo "=========================================================="
}

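#######################################
# Install openssl, drop in the Egressive openssl.cnf and create the local CA
# (demoCA under /usr/lib/ssl) when it does not exist yet.
# Globals:   EGINSTALL_DIR, APT_GET_COMMAND (read); domain_name (set when
#            empty, reused by later functions)
# Outputs:   prompts and progress on stdout; leaves cwd in /usr/lib/ssl
# Returns:   1 if /usr/lib/ssl cannot be entered
#######################################
openssl_certs(){
  local organisation_name org_esc
  echo "=========================================================="
  echo "Install openssl CA and certificates "
  echo "----------------------------------------------------------"
  if ! [ -d /usr/lib/ssl/demoCA ]
  then
    echo " You will be prompted for Postfix configuration info"
    echo " Choose Internet site and enter the domain name"
    echo " part of the server's email addressing"
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install openssl ca-certificates
    #
    cp -- "$EGINSTALL_DIR/templates/openssl.cnf" /etc/ssl
    #
    # edit openssl.cnf and adjust - location fields and company name
    #
    # The old test compared "$domain_nameXXX" (an unrelated, always-empty
    # variable) with XXX, so it prompted unconditionally.
    if [ -z "$domain_name" ]
    then
      read -r -p "Please enter the mail domain name (eg egressive.com ): " domain_name
    fi
    read -r -p "Please enter the Name of the organisation (eg Egressive Limited): " organisation_name
    # The name is spliced into a sed replacement: escape \ / & so user text
    # cannot change the meaning of the expression.
    org_esc=${organisation_name//\\/\\\\}
    org_esc=${org_esc//\//\\/}
    org_esc=${org_esc//&/\\&}
    sed --in-place=.orig "s/Internet Widgets Pty Ltd/$org_esc/g" /etc/ssl/openssl.cnf
    # Switch to CA extensions so CA.pl -newca issues a CA certificate ...
    sed --in-place "s/x509_extensions = usr_cert/x509_extensions = v3_ca/g" /etc/ssl/openssl.cnf
    cd /usr/lib/ssl || return 1
    if ! [ -f demoCA/cacert.pem ]
    then
      echo "----------------------------------------------------------"
      echo "You will be prompted for a CA passphrase - generate a decent one"
      echo "and record it somewhere SECURE."
      echo "The usual format for the common name is ca.domain-name"
      echo "for example ca.egressive.com"
      echo "----------------------------------------------------------"
      read -r -p "Press Enter to continue . . ."
      misc/CA.pl -newca
      cp demoCA/cacert.pem certs
    fi
    #
    # ... and back to usr_cert so later CA.pl -sign runs issue end-entity certs.
    sed --in-place "s/x509_extensions = v3_ca/x509_extensions = usr_cert/g" /etc/ssl/openssl.cnf
  else
    echo " CA already created"
  fi
  echo "=========================================================="
}
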
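#######################################
# Install and configure Postfix: SASL auth via saslauthd, TLS with a cert
# signed by the local CA (shared with Dovecot), Maildir delivery via procmail.
# Globals:   APT_GET_COMMAND (read)
# Outputs:   prompts and progress on stdout; leaves cwd in /usr/lib/ssl
# Returns:   1 if /usr/lib/ssl cannot be entered
#######################################
install_postfix() {
  local my_mailhost_name
  echo "=========================================================="
  echo "Install postfix "
  echo "----------------------------------------------------------"
  # permit_sasl_authenticated is written by this function, so finding it means
  # the configuration has already been done.
  if ! grep -q permit_sasl_authenticated /etc/postfix/main.cf 2>/dev/null
  then
    echo " You will be prompted for Postfix configuration info"
    echo " Choose Internet site and enter the domain name"
    echo " part of the server's email addressing"
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail
    #
    # Make a certificate (used by Postfix and Dovecot)
    #
    cd /usr/lib/ssl || return 1
    misc/CA.pl -newreq-nodes
    misc/CA.pl -sign
    #
    # The cert goes to certs/, the key to private/.  The postconf paths below
    # assume /usr/lib/ssl/{certs,private} resolve to /etc/ssl/{certs,private},
    # as the existing cert path already relied on - TODO confirm on the build.
    #
    mv newcert.pem certs/postfix-dovecot.pem
    mv newkey.pem private/postfix-dovecot.key
    chmod 640 private/postfix-dovecot.key
    #
    echo "----------------------------------------------------------"
    echo "Follow this as a guide for the prompts that follow:"
    echo "General type of configuration? <-- Internet Site"
    echo "Where should mail for root go <-- NONE"
    echo "Mail name? <-- server1.example.com"
    echo "Other destinations to accept mail for? (blank for none) <-- server.example.co.nz, localhost"
    echo "Force synchronous updates on mail queue? <-- No"
    echo "Local networks? <-- 127.0.0.0/8"
    echo "Use procmail for local delivery? <-- Yes"
    echo "Mailbox size limit <-- 0"
    echo "Local address extension character? <-- +"
    echo "Internet protocols to use? <-- all"
    echo "----------------------------------------------------------"
    dpkg-reconfigure postfix
    postconf -e 'smtpd_sasl_local_domain ='
    postconf -e 'smtpd_sasl_auth_enable = yes'
    postconf -e 'smtpd_sasl_security_options = noanonymous'
    postconf -e 'broken_sasl_auth_clients = yes'
    postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_unauth_pipelining'
    postconf -e 'smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain'
    postconf -e 'smtpd_data_restrictions = reject_unauth_pipelining'
    postconf -e 'smtpd_helo_required = yes'
    postconf -e 'inet_interfaces = all'
    # The sasl/ subdirectory is not guaranteed to exist before we append to it.
    mkdir -p /etc/postfix/sasl
    echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
    echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
    #
    # tls_auth_only = no lets clients send PLAIN/LOGIN credentials without
    # STARTTLS; flip it to yes once all clients are known to negotiate TLS.
    postconf -e 'smtpd_tls_auth_only = no'
    postconf -e 'smtp_use_tls = yes'
    postconf -e 'smtpd_use_tls = yes'
    postconf -e 'smtp_tls_note_starttls_offer = yes'
    # The key was moved to private/ and the CA cert copied to certs/ above;
    # the previous values pointed the key at certs/ and the CA at a
    # non-existent /etc/certs/ssl path.
    postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix-dovecot.key'
    postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix-dovecot.pem'
    postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
    postconf -e 'smtpd_tls_loglevel = 1'
    postconf -e 'smtpd_tls_received_header = yes'
    postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
    postconf -e 'tls_random_source = dev:/dev/urandom'
    read -r -p "Enter the hostname for this server (eg mail.example.co.nz)" my_mailhost_name
    postconf -e "myhostname = $my_mailhost_name"
    echo '# Turn on maildir' >> /etc/postfix/main.cf
    postconf -e 'home_mailbox = .Mail/'
    postconf -e 'mailbox_command = procmail -a "$EXTENSION" DEFAULT=$HOME/.Mail/ MAILDIR=$HOME/.Mail'
    #
    touch /etc/postfix/sender_access
    postmap /etc/postfix/sender_access
    #
    /etc/init.d/postfix restart
    #
    # saslauthd has to live inside the Postfix chroot for smtpd to reach it.
    mkdir -p /var/spool/postfix/var/run/saslauthd
    # backup suffix is .orig like everywhere else (was "orig", giving saslauthdorig)
    sed --in-place=.orig 's/\# START=yes/START=yes/' /etc/default/saslauthd
    echo 'PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"' >> /etc/default/saslauthd
    sed --in-place 's/PWDIR=\/var\/run\/saslauthd/PWDIR="\/var\/spool\/postfix\/var\/run\/\$\{NAME\}"/' /etc/init.d/saslauthd
    sed --in-place 's/PIDFILE="\/var\/run\/\$\{NAME\}\/saslauthd.pid"/PIDFILE="\$\{PWDIR\}\/saslauthd.pid"/' /etc/init.d/saslauthd
    # NOTE(review): this pattern looks like it comes from the init script, yet
    # the target is /etc/default/saslauthd - confirm which file is meant.
    sed --in-place 's/dir=`dpkg-statoverride --list $PWDIR`/dir="root sasl 755 ${PWDIR}"/' /etc/default/saslauthd
    /etc/init.d/saslauthd start
    #
  else
    echo " postfix skipped or already updated"
  fi
  echo "=========================================================="
}
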
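#######################################
# Install rdiff-backup and the egrdbackup wrapper scripts (cron + logrotate),
# backing up to /storage/backups.
# Globals:   APT_GET_COMMAND, HOSTNAME (read)
# Outputs:   progress on stdout; leaves cwd in /etc/egscripts/egrdbackup
# Returns:   1 if a target directory cannot be entered
#######################################
install_egrdbackup(){
  echo "=========================================================="
  echo "Install egrdbackup"
  echo "----------------------------------------------------------"
  if ! [ -d /etc/egscripts/egrdbackup ]
  then
    echo " TODO"
    echo " You will be need to add any extra exclude directories"
    echo " to /etc/egscripts/egrdbackup/egrdbackup.conf"
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install rdiff-backup
    mkdir -p /etc/egscripts
    if ! [ -d /storage ]
    then
      echo " WARNING -- /storage does not exist. Creating /storage . . ."
    fi
    # -p creates /storage as well when it is missing, as promised above.
    mkdir -p /storage/backups
    cd /etc/egscripts || return 1
    # NOTE(review): plain-http checkout of scripts that cron will run as root;
    # nothing here verifies what was fetched.
    svn co http://devel.egressive.com/egressive/egscripts/egrdbackup egrdbackup
    cd /etc/egscripts/egrdbackup || return 1
    sed "s/SERVERNAME=\"servername.domain\"/SERVERNAME=\"$HOSTNAME\"/" egrdbackup.conf.example > egrdbackup.conf
    sed --in-place 's/RDIFF_DEST=\"\"/RDIFF_DEST=\"\/storage\/backups\"/' egrdbackup.conf
    mv egrdbackup-cron /etc/cron.d
    mv logrotate.d/egrdbackup /etc/logrotate.d/egrdbackup
    #
  else
    echo " egrdbackup skipped or already updated"
  fi
  echo "=========================================================="
}
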
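#######################################
# Install apache2 + php5, enable ssl/deflate/rewrite, issue a web server
# certificate from the local CA and install the Egressive site templates.
# Globals:   EGINSTALL_DIR, APT_GET_COMMAND (read)
# Outputs:   progress on stdout; opens emacs on both site files; leaves cwd
#            in /usr/lib/ssl
# Returns:   1 if /usr/lib/ssl cannot be entered
#######################################
install_apache_php5() {
  echo "=========================================================="
  echo "Install apache | php5"
  echo "----------------------------------------------------------"
  # php5's apache config is under /etc/php5/apache2 (the php.ini edited
  # below); the old test looked at /etc/php/apache2 and never matched, so
  # the whole block re-ran every time.
  if ! [[ -d /etc/apache2/ && -d /etc/php5/apache2 ]]
  then
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install apache2 php5
    #
    a2enmod ssl
    if ! grep -q 443 /etc/apache2/ports.conf
    then
      echo "Listen 443" >> /etc/apache2/ports.conf
    fi
    a2enmod deflate
    a2enmod rewrite
    /etc/init.d/apache2 force-reload
    #
    sed --in-place 's/memory_limit = 8M/memory_limit = 32M/' /etc/php5/apache2/php.ini
    /etc/init.d/apache2 force-reload
    #
    # Make a certificate for the web server, signed by the local CA
    #
    cd /usr/lib/ssl || return 1
    misc/CA.pl -newreq-nodes
    # was "misc/CA.ply", which does not exist, so the request was never signed
    misc/CA.pl -sign
    #
    mkdir -p /etc/apache2/ssl
    mv newcert.pem /etc/apache2/ssl/www.pem
    mv newkey.pem /etc/apache2/ssl/www.key
    chmod 640 /etc/apache2/ssl/www.key
    #
    if [ -d /etc/squirrelmail ] && ! [ -e /var/www/webmail ]
    then
      ln -s /usr/share/squirrelmail /var/www/webmail
    fi
    cp -- "$EGINSTALL_DIR/templates/apache-default" /etc/apache2/sites-available/default
    cp -- "$EGINSTALL_DIR/templates/apache-ssl" /etc/apache2/sites-available/ssl
    emacs /etc/apache2/sites-available/default
    emacs /etc/apache2/sites-available/ssl
    a2ensite ssl
    /etc/init.d/apache2 force-reload
    #
  else
    echo " apache | php5 skipped or already updated"
  fi
  echo "=========================================================="
}
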
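#######################################
# Install MySQL 5.0 server/client (and php5-mysql when php5 is present) and
# set the root password.
# Globals:   APT_GET_COMMAND (read)
# Outputs:   prompts and progress on stdout
#######################################
install_mysql(){
  local mysql_password pw_sql
  echo "=========================================================="
  echo "Install MySQL"
  echo "----------------------------------------------------------"
  # Install when no client exists yet, or when the server still answers
  # without a root password (freshly installed, password not set).  The old
  # test was the other way round and skipped a machine with no MySQL at all.
  if ! command -v mysql >/dev/null || printf 'show status\n' | mysql >/dev/null 2>&1
  then
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install mysql-server-5.0 mysql-client-5.0
    if [ -d /etc/php5 ]
    then
      # shellcheck disable=SC2086
      $APT_GET_COMMAND install php5-mysql
    fi
    #
    # -s keeps the password off the terminal; the echo restores the newline.
    read -r -s -p "Enter the new root password for MySQL: " mysql_password
    echo
    #
    # The password becomes a SQL string literal: double backslashes and single
    # quotes so it cannot break out of the literal.
    pw_sql=${mysql_password//\\/\\\\}
    pw_sql=${pw_sql//\'/\'\'}
    printf "SET PASSWORD FOR root@localhost=PASSWORD('%s');\n" "$pw_sql" | mysql
    #
  else
    echo " MySQL skipped or already updated"
  fi
  echo "=========================================================="
}
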
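#######################################
# Install dovecot imap/pop3 with the Egressive dovecot.conf and create the
# shared public Maildir namespace for the sharedmail group.
# Globals:   EGINSTALL_DIR, APT_GET_COMMAND (read)
# Outputs:   progress on stdout; leaves cwd in /etc/dovecot
# Returns:   1 if /etc/dovecot cannot be entered
#######################################
install_dovecot(){
  local public=/home/mail/public
  echo "=========================================================="
  echo "Install dovecot"
  echo "----------------------------------------------------------"
  if ! [ -d /etc/dovecot ]
  then
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install dovecot-imapd dovecot-pop3d
    #
    cd /etc/dovecot || return 1
    cp -- "$EGINSTALL_DIR/templates/dovecot.conf" .
    #
    # set up shared folders in public namespace
    #
    addgroup sharedmail
    mkdir -p "$public"
    chgrp sharedmail "$public"
    # group-writable and setgid so new folders inherit the group; the default
    # ACL keeps files created inside group-rwx as well
    chmod 770 "$public"
    chmod g+s "$public"
    setfacl --default -m g:sharedmail:rwx "$public"
    touch "$public/dovecot-shared"
    chmod 660 "$public/dovecot-shared"
    #
  else
    echo " dovecot skipped or already updated"
  fi
  echo "=========================================================="
}
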
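#######################################
# Install squirrelmail plus vacation/proftpd, fetch the vacation_local plugin
# and run the squirrelmail configurator.
# Globals:   EGINSTALL_DIR, APT_GET_COMMAND (read)
# Outputs:   progress on stdout; leaves cwd in the squirrelmail plugins dir
# Returns:   1 if the plugins directory cannot be entered
#######################################
install_squirrelmail() {
  local plugin_tgz=vacation_local-2.0-1.4.tar.gz
  echo "=========================================================="
  echo "Install squirrelmail"
  echo "----------------------------------------------------------"
  if ! [ -d /etc/squirrelmail ]
  then
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install squirrelmail vacation proftpd
    #
    # Limit proftpd access to localhost only
    cat -- "$EGINSTALL_DIR/templates/proftpd.localhost" >> /etc/proftpd/proftpd.conf
    /etc/init.d/proftpd restart
    cd /usr/share/squirrelmail/plugins || return 1
    # Without -O wget names the download after the countdl.php query string,
    # so the tar below never found the archive.
    wget -O "$plugin_tgz" 'http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fvacation_local-2.0-1.4.tar.gz'
    # NOTE(review): unauthenticated http download unpacked straight into the
    # web-served plugin tree; no checksum is available here to verify it.
    tar xzvf "$plugin_tgz"
    cp /usr/share/squirrelmail/plugins/vacation_local/conf.php.sample /usr/share/squirrelmail/plugins/vacation_local/conf.php
    #
    /etc/squirrelmail/conf.pl
    #
  else
    # message used to say "dovecot", copied from the function above
    echo " squirrelmail skipped or already updated"
  fi
  echo "=========================================================="
}
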
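#######################################
# Install squid and drop in the Egressive squid.conf.
# Globals:   EGINSTALL_DIR, APT_GET_COMMAND (read)
# Outputs:   progress on stdout; leaves cwd in /etc/squid
# Returns:   1 if /etc/squid cannot be entered
#######################################
install_squid() {
  echo "=========================================================="
  echo "Install squid"
  echo "----------------------------------------------------------"
  if ! [ -d /etc/squid ]
  then
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install squid
    #
    cd /etc/squid || return 1
    cp -- "$EGINSTALL_DIR/templates/squid.conf" .
    #
  else
    echo " squid skipped or already updated"
  fi
  echo "=========================================================="
}
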
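#######################################
# Install aide and rkhunter, point their reports at the support mailbox and
# initialise the aide database.
# Globals:   APT_GET_COMMAND (read)
# Outputs:   progress on stdout; leaves cwd in /var/lib/aide
# Returns:   1 if /var/lib/aide cannot be entered
#######################################
install_aide_rkhunter(){
  echo "=========================================================="
  echo "Install aide | rkhunter"
  echo "----------------------------------------------------------"
  if ! [[ -f /etc/rkhunter.conf && -d /etc/aide ]]
  then
    echo " You will be prompted for Postfix configuration info"
    echo " Choose Internet site and enter the domain name"
    echo " part of the server's email addressing"
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install binutils aide rkhunter
    rkhunter --update
    # NOTE(review): replaces the first "root" on every line, not only the
    # report recipient - confirm nothing else in these files contains it.
    sed --in-place=.orig 's/root/support@egressive.com/' /etc/default/rkhunter
    #
    sed --in-place=.orig 's/root/support@egressive.com/' /etc/default/aide
    # Nothing in this script writes /tmp/aide.default, and a root-owned config
    # should not be taken from a world-writable directory.  Only honour it
    # when present; ship it in templates/ instead if it is really needed.
    if [ -f /tmp/aide.default ]
    then
      mv /tmp/aide.default /etc/default/aide
    fi
    aide --init
    cd /var/lib/aide || return 1
    # the freshly generated database becomes the baseline, read-only for root
    cp aide.db.new aide.db
    chmod 400 aide.db
    #
  else
    echo " aide | rkhunter skipped or already updated"
  fi
  echo "=========================================================="
}
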
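#######################################
# Install munin + munin-node, name the local host and route notifications
# to the support mailbox.
# Globals:   APT_GET_COMMAND, HOSTNAME (read)
# Outputs:   progress on stdout; leaves cwd in /etc/munin
# Returns:   1 if /etc/munin cannot be entered
#######################################
install_munin(){
  echo "=========================================================="
  echo "Install munin"
  echo "----------------------------------------------------------"
  if ! [ -d /etc/munin ]
  then
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install munin munin-node
    #
    cd /etc/munin || return 1
    sed --in-place=.orig "s/localhost.localdomain/$HOSTNAME/" /etc/munin/munin.conf
    # turn the commented sample contact line into a real mail command
    sed --in-place 's/\#contact.*fnord.comm/contact.egressive.command mail -s "Munin notification" support@egressive.com/' munin.conf
    #
  else
    echo " munin skipped or already updated"
  fi
  echo "=========================================================="
}
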
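#######################################
# Install bind9 (chrooted under /var/lib/named) and dhcp3-server, install the
# zone/config templates and substitute the site's domain name into them.
# Globals:   EGINSTALL_DIR, APT_GET_COMMAND (read); domain_name (set)
# Outputs:   prompts and progress on stdout; leaves cwd in /etc/dhcp3
# Returns:   1 if /etc/dhcp3 cannot be entered
#######################################
install_dhcp_server(){
  local chroot=/var/lib/named
  echo "=========================================================="
  echo "Install bind dhcp"
  echo "----------------------------------------------------------"
  if ! [ -f /etc/dhcp3/dhcpd.conf ]
  then
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install bind9 dhcp3-server
    /etc/init.d/bind9 stop
    /etc/init.d/dhcp3-server stop
    #
    # run named as the bind user inside the chroot
    sed --in-place=.orig 's/"-u bind"/"-u bind -t \/var\/lib\/named"/' /etc/default/bind9
    #
    mkdir -p "$chroot/etc"
    mkdir -p "$chroot/dev"
    mkdir -p "$chroot/var/cache/bind"
    mkdir -p "$chroot/var/run/bind/run"
    mv /etc/bind "$chroot/etc"
    ln -s "$chroot/etc/bind" /etc/bind
    # minimal device nodes the chrooted daemon needs
    mknod "$chroot/dev/null" c 1 3
    mknod "$chroot/dev/random" c 1 8
    chmod 666 "$chroot/dev/null" "$chroot/dev/random"
    chown -R bind:bind "$chroot"/var/*
    chown -R bind:bind "$chroot/etc/bind"
    #
    # give the chrooted named a syslog socket
    sed --in-place=.orig 's/SYSLOGD="-u syslog"/SYSLOGD="-u syslog -a \/var\/lib\/named\/dev\/log"/' /etc/init.d/sysklogd
    /etc/init.d/sysklogd restart
    #
    # Single quotes keep the inner double quotes around the key name intact;
    # the old mix of quoting dropped them from the output.
    echo 'controls {inet 127.0.0.1 allow {127.0.0.1; } keys {"rndc-key";};};' >> /etc/bind/named.conf
    cp -- "$EGINSTALL_DIR/templates/named.conf.local" /etc/bind
    cp -- "$EGINSTALL_DIR/templates/DOMAIN.CO.NZ" "$chroot/var/cache/bind/"
    cp -- "$EGINSTALL_DIR/templates/rev.192.168.1" "$chroot/var/cache/bind/"
    #
    # dhcpd needs the same key to send dynamic DNS updates
    cp /etc/bind/rndc.key /etc/dhcp3/
    cd /etc/dhcp3 || return 1
    chown root:dhcpd rndc.key
    cp -- "$EGINSTALL_DIR/templates/dhcpd.conf" /etc/dhcp3/
    #
    # The value is used both as a filename and inside sed replacements, so only
    # accept hostname characters with at least one dot.
    domain_name=""
    while ! [[ $domain_name =~ ^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$ ]]
    do
      read -r -p "Enter domain name: " domain_name
    done
    sed --in-place=.orig "s/DOMAIN.CO.NZ/$domain_name/g" /etc/bind/named.conf.local
    sed --in-place=.orig "s/DOMAIN.CO.NZ/$domain_name/g" "$chroot/var/cache/bind/DOMAIN.CO.NZ"
    mv "$chroot/var/cache/bind/DOMAIN.CO.NZ" "$chroot/var/cache/bind/$domain_name"
    sed --in-place=.orig "s/DOMAIN.CO.NZ/$domain_name/g" "$chroot/var/cache/bind/rev.192.168.1"
    sed --in-place=.orig "s/DOMAIN.CO.NZ/$domain_name/g" /etc/dhcp3/dhcpd.conf
    #
    /etc/init.d/bind9 start
    /etc/init.d/dhcp3-server start
    #
  else
    echo " bind-dhcp skipped or already updated"
  fi
  echo "=========================================================="
}
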
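#######################################
# Install Samba as a domain controller with winbind and cups: template
# smb.conf, domain groups, netlogon/profile shares and printer spool.
# Globals:   EGINSTALL_DIR, APT_GET_COMMAND (read)
# Outputs:   prompts and progress on stdout
#######################################
install_samba() {
  local ms_domain_name server_string server_name esc
  echo "=========================================================="
  echo "Install Samba"
  echo "----------------------------------------------------------"
  if ! [ -f /etc/samba/smb.conf ]
  then
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install samba cupsys winbind
    mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
    cp -- "$EGINSTALL_DIR/templates/smb.conf" /etc/samba/smb.conf
    echo "Enter the new SMB password for root"
    smbpasswd -a root
    echo "Enter the new SMB password for egressive"
    smbpasswd -a egressive
    #
    read -r -p "Enter the Microsoft Windows Domain Name: " ms_domain_name
    #
    read -r -p 'Enter server description (press Enter for "Samba server"): ' server_string
    #
    if [ -z "$server_string" ]
    then
      server_string="Samba server"
    fi
    echo 'Enter the Server Name (press enter for "Server"):'
    read -r server_name
    #
    if [ -z "$server_name" ]
    then
      server_name="server"
    fi
    # Each value is spliced into a sed replacement: escape \ / & first so
    # free-text input cannot alter the expression.
    esc=${ms_domain_name//\\/\\\\}; esc=${esc//\//\\/}; esc=${esc//&/\\&}
    sed --in-place "s/DOMAIN_NAME/$esc/" /etc/samba/smb.conf
    esc=${server_string//\\/\\\\}; esc=${esc//\//\\/}; esc=${esc//&/\\&}
    sed --in-place "s/SERVER_STRING/$esc/" /etc/samba/smb.conf
    esc=${server_name//\\/\\\\}; esc=${esc//\//\\/}; esc=${esc//&/\\&}
    sed --in-place "s/NETBIOS_NAME/$esc/" /etc/samba/smb.conf
    #
    groupadd domainusers
    groupadd domainadmins
    net groupmap modify ntgroup="Domain Users" unixgroup="domainusers"
    net groupmap modify ntgroup="Domain Admins" unixgroup="domainadmins"
    net groupmap modify ntgroup="Domain Guests" unixgroup="nogroup"
    adduser egressive domainusers
    adduser egressive domainadmins
    #
    mkdir -p /home/samba/netlogon
    mkdir -p /home/samba/profiles
    chgrp domainusers /home/samba/profiles
    chmod 770 /home/samba/profiles
    mkdir -p /home/samba/profdata
    chgrp domainusers /home/samba/profdata
    chmod 770 /home/samba/profdata
    mkdir -p /home/shared
    chgrp -R domainadmins /var/lib/samba/printers
    chmod -R g+ws /var/lib/samba/printers
    mkdir -p /var/spool/samba
    # world-writable print spool, but sticky so users cannot remove each
    # other's spool files (was plain 777)
    chmod 1777 /var/spool/samba
    #
    /etc/init.d/samba stop
    /etc/init.d/winbind stop
    /etc/init.d/samba start
    /etc/init.d/winbind start
    #
    echo "Adding user rights, please enter the root smb password"
    net rpc rights grant "Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
    net rpc rights grant "Domain Users" SePrintOperatorPrivilege
    #
  else
    echo " Samba skipped or already updated"
  fi
  echo "=========================================================="
}
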
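#######################################
# Install MailScanner with its ClamAV/SpamAssassin helpers (pyzor, razor,
# dcc), hook it into Postfix, and set up the MailWatch web front end and
# its MySQL database.
# Globals:   EGINSTALL_DIR, APT_GET_COMMAND, egressive_secret (read);
#            domain_name (set when empty)
# Outputs:   prompts and progress on stdout; leaves cwd in the MailWatch
#            unpack directory
# Returns:   1 if a required directory cannot be created or entered
#######################################
install_mailscanner() {
  local org_name org_long_name org_web_site esc workdir secret_sql
  echo "=========================================================="
  echo "Install Mailscanner"
  echo "----------------------------------------------------------"
  if ! [ -d /etc/MailScanner ]
  then
    echo "----------------------------------------------------------"
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install mailscanner tnef clamav unrar-free razor dcc-client pyzor zip libdbd-mysql-perl php5-gd
    #
    cp -- "$EGINSTALL_DIR/templates/MailScanner.conf" /etc/MailScanner/
    cp -- "$EGINSTALL_DIR/templates/spam.assassin.prefs.conf" /etc/MailScanner/
    cp -- "$EGINSTALL_DIR/init.d-mailscanner" /etc/init.d/mailscanner
    #
    chown postfix:www-data /var/spool/MailScanner
    chown -R postfix:postfix /var/spool/MailScanner/*
    chown -R postfix:www-data /var/spool/MailScanner/quarantine
    chown postfix:postfix /var/lib/MailScanner
    #
    mkdir -p /var/spool/postfix/.spamassassin
    chown postfix:postfix /var/spool/postfix/.spamassassin
    mkdir -p /var/spool/MailScanner/spamassassin
    chown -R postfix:postfix /var/spool/MailScanner/spamassassin
    sa-update
    #
    read -r -p "Enter the short name of the organisation (eg BBC): " org_name
    #
    read -r -p "Enter the long name of the organisation(eg British Broadcasting Corp): " org_long_name
    #
    read -r -p "Enter the website of the organisation (eg www.bbc.org.uk): " org_web_site
    #
    # Each value is spliced into a sed replacement: escape \ / & first.
    esc=${org_name//\\/\\\\}; esc=${esc//\//\\/}; esc=${esc//&/\\&}
    sed --in-place "s/ORG_NAME/$esc/" /etc/MailScanner/MailScanner.conf
    sed --in-place "s/ORG_NAME/$esc/" /etc/MailScanner/spam.assassin.prefs.conf
    esc=${org_long_name//\\/\\\\}; esc=${esc//\//\\/}; esc=${esc//&/\\&}
    sed --in-place "s/ORG_LONG_NAME/$esc/" /etc/MailScanner/MailScanner.conf
    esc=${org_web_site//\\/\\\\}; esc=${esc//\//\\/}; esc=${esc//&/\\&}
    sed --in-place "s/ORG_WEB_SITE/$esc/" /etc/MailScanner/MailScanner.conf
    #
    cp -- "$EGINSTALL_DIR/templates/header_checks" /etc/postfix/
    postconf -e 'header_checks = regexp:/etc/postfix/header_checks'
    #
    chmod -R a+rX /usr/share/doc/pyzor /usr/bin/pyzor /usr/bin/pyzord
    chmod -R a+rX /usr/lib/site-python/pyzor
    # pyzor and razor keep their state under the invoking user's home (root
    # here); copies are handed to the postfix user MailScanner runs as.
    pyzor ping
    cp -a ~/.pyzor /var/spool/postfix/
    chown postfix:postfix /var/spool/postfix/.pyzor
    cd || return 1
    rm -f /etc/razor/razor-agent.conf
    razor-admin -create
    razor-admin -register
    echo "debuglevel = 0" >> ~/.razor/razor-agent.conf
    echo "razorhome = /var/spool/postfix/.razor/" >> ~/.razor/razor-agent.conf
    cp -a ~/.razor /var/spool/postfix/
    chown -R postfix:postfix /var/spool/postfix/.razor
    cdcc "delete 127.0.0.1"
    cdcc "delete 127.0.0.1 Greylist"
    cdcc info
    #
    sed --in-place 's/#run_mailscanner=1/run_mailscanner=1/' /etc/default/mailscanner
    /etc/init.d/postfix restart
    /etc/init.d/mailscanner restart
    #
    cp -- "$EGINSTALL_DIR/templates/MailWatch.pm" /etc/MailScanner/CustomFunctions
    cp -- "$EGINSTALL_DIR/templates/SQLBlackWhiteList.pm" /etc/MailScanner/CustomFunctions
    #
    # Unpack MailWatch in a private scratch directory instead of the fixed
    # /tmp/mailwatch-1.0.4 path that any local user could pre-create.
    workdir=$(mktemp -d) || return 1
    cd "$workdir" || return 1
    # NOTE(review): plain-http download with no checksum on record; verify the
    # archive against a known-good digest before trusting what it installs.
    wget http://optusnet.dl.sourceforge.net/sourceforge/mailwatch/mailwatch-1.0.4.tar.gz
    tar xzvf mailwatch-1.0.4.tar.gz
    cd "$workdir/mailwatch-1.0.4" || return 1
    #
    mkdir -p /etc/egscripts/egmailwatch
    mv "$workdir/mailwatch-1.0.4/tools/"* /etc/egscripts/egmailwatch/
    sed --in-place 's/var\/www\/html/var\/www/' /etc/egscripts/egmailwatch/quarantine_maint.php
    # run-parts skips cron.daily entries whose name contains a dot, so the job
    # must not end in .sh, and it needs an interpreter line to be executable.
    printf '#!/bin/sh\n%s\n' "/etc/egscripts/egmailwatch/quarantine_maint.php --clean" > /etc/cron.daily/mailwatch_quarantine_maint
    chmod +x /etc/cron.daily/mailwatch_quarantine_maint
    #
    # -p with no value makes mysql prompt for the root password each time.
    mysql -p < create.sql
    # The secret is embedded in SQL string literals: double backslashes and
    # single quotes so it cannot break out of them.
    secret_sql=${egressive_secret//\\/\\\\}
    secret_sql=${secret_sql//\'/\'\'}
    printf "GRANT ALL ON mailscanner.* TO mailwatch@localhost IDENTIFIED BY '%s';\n" "$secret_sql" | mysql -p
    # NOTE(review): MailWatch keeps this as an unsalted md5(); treat the web
    # login accordingly and keep it off untrusted networks.
    printf "INSERT INTO users VALUES ('egressive',md5('%s'),'Egressive','A','0','0','0','0','0');\n" "$secret_sql" | mysql mailscanner -u mailwatch -p
    #
    mv mailscanner /var/www/
    chmod -R o+r /var/www/mailscanner
    chown root:www-data /var/www/mailscanner/images
    chmod ug+rwx /var/www/mailscanner/images
    chown root:www-data /var/www/mailscanner/images/cache
    chmod ug+rwx /var/www/mailscanner/images/cache
    #
    # (the old test compared the unrelated, always-empty $domain_nameXXX)
    if [ -z "$domain_name" ]
    then
      read -r -p "Please enter the mail domain name (eg egressive.com ): " domain_name
      #
    fi
    cp -- "$EGINSTALL_DIR/templates/mailwatch-conf.php" /var/www/mailscanner/conf.php
    chown root:www-data /var/www/mailscanner/conf.php
    chmod 740 /var/www/mailscanner/conf.php
    esc=${domain_name//\\/\\\\}; esc=${esc//\//\\/}; esc=${esc//&/\\&}
    sed --in-place "s/DOMAIN_NAME/$esc/" /var/www/mailscanner/conf.php
    #
    cp -r -- "$EGINSTALL_DIR/templates/mailwatch/"* /etc/MailScanner
    #
    mkdir -p /var/www/mailscanner/temp
    # the original chown had no owner argument at all; match the neighbours
    chown root:www-data /var/www/mailscanner/temp
    chmod gu+wr /var/www/mailscanner/temp
    #
    /etc/init.d/mailscanner stop
    sleep 5
    /etc/init.d/mailscanner start
  else
    echo " Mailscanner skipped or already updated"
  fi
  echo "=========================================================="
}
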
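#######################################
# Install Bastille from a downloaded .deb and run its interactive hardening.
# Globals:   APT_GET_COMMAND (read)
# Outputs:   progress on stdout; leaves cwd in /root
# Returns:   1 if /root cannot be entered
#######################################
install_bastille() {
  local deb=bastille_2.1.1-13_all.deb
  echo "=========================================================="
  echo "Install Bastille"
  echo "----------------------------------------------------------"
  if ! [ -d /etc/Bastille ]
  then
    echo "----------------------------------------------------------"
    cd /root || return 1
    # The old line used $APT_COMMAND, which is never set in this script, so
    # libcurses-perl was never installed.
    # shellcheck disable=SC2086
    $APT_GET_COMMAND install libcurses-perl
    # NOTE(review): dpkg -i does not check a signature on a loose .deb and the
    # download is plain http; prefer the apt package (covered by the signed
    # Release file) or check the file's digest against the published one first.
    wget "http://ftp.nz.debian.org/debian/pool/main/b/bastille/$deb"
    #
    dpkg -i "/root/$deb"
    InteractiveBastille
    #
  else
    echo " Bastille skipped or already updated"
  fi
  echo "=========================================================="
}
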
#======================================
# Base platform: always run, each function skips itself when already done
#======================================

copy_etc
unleash_debcache
configure_sshd_config
emacs_screen
acls_dir_indexing
sw_raid_email
openssl_certs
install_postfix # email is needed by most of the remaining packages


#===============================================================
#
# Optional services: comment out any you do not want installed.
# Keep the order - later functions rely on what earlier ones set up
# (for example install_mailscanner uses the MySQL server and /var/www).
#
#===============================================================

install_munin
install_aide_rkhunter
install_egrdbackup
#
install_bastille
install_dhcp_server
#
install_apache_php5
install_squid
#
install_mysql
#
install_dovecot
install_squirrelmail
#
install_mailscanner
#
install_samba
#