cominfra/documentation
cominfra
/
documentation
8
0
Fork 0
Code Issues 5 Pull Requests Activity
documentation/Machines virtuelles/generic.md

8.5 KiB
Raw Blame History

Machine virtuelle GENERIC

(c'est-à-dire le modèle de toutes les machines virtuelles)

...

Matériel virtuel

CPU : 1
RAM : 1000 Mio Stockage de masse : 50 Gio (fichier sparse i.e les zéros ne sont pas écrits sur le disque)

Logiciel

Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (linux-libre-lts des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : etckeeper, mollyguard, git, tig, screen
Mail Transfer Agent : postfix

Caractéristiques notables

Domaine : dns.libre-en-communs.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 interne : 192.168.1.195
Adresse ipv6 publique : 2001:910:1021::4

Configuration réseau

/etc/network/interfaces

# The primary network interface
allow-hotplug enp1s0
iface enp1s0 inet dhcp
iface enp1s0 inet6 static
    address 2001:910:1021::4/128
    gateway 2001:910:1021::

Configuration SSH

/etc/ssh/sshd_config

#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    Port 22
    AddressFamily any
    ListenAddress 0.0.0.0
    ListenAddress ::

    PubkeyAuthentication yes

    PasswordAuthentication no
    PermitEmptyPasswords no

    ChallengeResponseAuthentication no

    UsePAM yes

    PrintMotd no

    AcceptEnv LANG LC_* GIT_*

    Subsystem	sftp	/usr/lib/openssh/sftp-server

    Match Group ssh-login
        PasswordAuthentication yes

/etc/hosts.allow

sshd: 192.168.1.0/24, [2001:910:1021::]/48

/etc/hosts/deny

sshd: ALL

Pare-feu

Installation :

apt-get install ufw

Ouvrir le port SSH :

ufw allow SSH
ufw enable
systemclt enable ufw

Configuration SUDO

/etc/sudoers

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults        env_keep += "GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL"
Defaults	mail_badpass, insults
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) NOPASSWD:ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Configuration MTA

/etc/postfix/transport

a-lec.org    :
*              discard:

/etc/postfix/virtual

@localhost admin@a-lec.org
@generic.a-lec.org admin@a-lec.org

Configuration système de fichier partagé

/etc/fstab (extrait)

/vm_sharedfs                              /opt/vm_sharedfs 9p          trans=virtio,version=9p2000.L,ro  0 0

/etc/initramfs-tools/modules

9p 9pnet 9pnet_virtio

Note: côté hyperviseur, il faut configurer un FS partagé en mode "mapped" avec pour cible /vm_sharedfs.

Configurations bashrc

/etc/skel/.bashrc (et /home/admin666/.bashrc)

# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
case $- in
    *i*) ;;
    *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
    # We have color support; assume it's compliant with Ecma-48
    # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
    # a case would tend to support setf rather than setaf.)
    color_prompt=yes
    else
    color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\H:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\H: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    alias dir='dir --color=auto'
    alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi

# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'

# some more ls aliases
alias ll='ls -l'
alias la='ls -A'
#alias l='ls -CF'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
fi
fi

/root/.bashrc

# ~/.bashrc: executed by bash(1) for non-login shells.

# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
PS1='\[\033[01;32m\]=(^-^)=${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
# umask 022

# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
# eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
# alias rm='rm -i'
# alias cp='cp -i'
# alias mv='mv -i'

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
fi
fi