323 lines
8.5 KiB
Markdown
323 lines
8.5 KiB
Markdown
## Machine virtuelle GENERIC
|
|
|
|
#### (c'est-à-dire le modèle de toutes les machines virtuelles)
|
|
|
|
...
|
|
|
|
### Matériel virtuel
|
|
|
|
CPU : 1
|
|
RAM : 1000 Mio
|
|
Stockage de masse : 50 Gio (fichier `sparse` i.e les zéros ne sont pas écrits sur le disque)
|
|
|
|
### Logiciel
|
|
|
|
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
|
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
|
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
|
Mail Transfer Agent : `postfix`
|
|
|
|
### Caractéristiques notables
|
|
|
|
Domaine : dns.libre-en-communs.org
|
|
Adresse ipv4 publique : 80.67.176.33
|
|
Adresse ipv4 interne : 192.168.1.195
|
|
Adresse ipv6 publique : 2001:910:1021::4
|
|
|
|
### Configuration réseau
|
|
|
|
#### /etc/network/interfaces
|
|
<details>
|
|
|
|
# The primary network interface
|
|
allow-hotplug enp1s0
|
|
iface enp1s0 inet dhcp
|
|
iface enp1s0 inet6 static
|
|
address 2001:910:1021::4/128
|
|
gateway 2001:910:1021::
|
|
</details>
|
|
|
|
### Configuration SSH
|
|
|
|
#### /etc/ssh/sshd_config
|
|
<details>
|
|
|
|
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
|
|
|
|
# This is the sshd server system-wide configuration file. See
|
|
# sshd_config(5) for more information.
|
|
|
|
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
|
|
|
Port 22
|
|
AddressFamily any
|
|
ListenAddress 0.0.0.0
|
|
ListenAddress ::
|
|
|
|
PubkeyAuthentication yes
|
|
|
|
PasswordAuthentication no
|
|
PermitEmptyPasswords no
|
|
|
|
ChallengeResponseAuthentication no
|
|
|
|
UsePAM yes
|
|
|
|
PrintMotd no
|
|
|
|
AcceptEnv LANG LC_* GIT_*
|
|
|
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
|
|
|
Match Group ssh-login
|
|
PasswordAuthentication yes
|
|
|
|
</details>
|
|
|
|
#### /etc/hosts.allow
|
|
|
|
sshd: 192.168.1.0/24, [2001:910:1021::]/48
|
|
|
|
#### /etc/hosts/deny
|
|
|
|
sshd: ALL
|
|
|
|
### Pare-feu
|
|
|
|
Installation :
|
|
```
|
|
apt-get install ufw
|
|
```
|
|
|
|
Ouvrir le port SSH :
|
|
```
|
|
ufw allow SSH
|
|
ufw enable
|
|
systemclt enable ufw
|
|
```
|
|
### Configuration SUDO
|
|
|
|
#### /etc/sudoers
|
|
<details>
|
|
|
|
#
|
|
# This file MUST be edited with the 'visudo' command as root.
|
|
#
|
|
# Please consider adding local content in /etc/sudoers.d/ instead of
|
|
# directly modifying this file.
|
|
#
|
|
# See the man page for details on how to write a sudoers file.
|
|
#
|
|
Defaults env_reset
|
|
Defaults env_keep += "GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL"
|
|
Defaults mail_badpass, insults
|
|
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
|
|
# Host alias specification
|
|
|
|
# User alias specification
|
|
|
|
# Cmnd alias specification
|
|
|
|
# User privilege specification
|
|
root ALL=(ALL:ALL) ALL
|
|
|
|
# Allow members of group sudo to execute any command
|
|
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
|
|
|
|
# See sudoers(5) for more information on "#include" directives:
|
|
|
|
#includedir /etc/sudoers.d
|
|
|
|
|
|
</details>
|
|
|
|
### Configuration MTA
|
|
|
|
#### /etc/postfix/transport
|
|
|
|
a-lec.org :
|
|
* discard:
|
|
|
|
#### /etc/postfix/virtual
|
|
|
|
@localhost admin@a-lec.org
|
|
@generic.a-lec.org admin@a-lec.org
|
|
|
|
### Configuration système de fichier partagé
|
|
|
|
#### /etc/fstab (extrait)
|
|
<details>
|
|
|
|
/vm_sharedfs /opt/vm_sharedfs 9p trans=virtio,version=9p2000.L,ro 0 0
|
|
|
|
</details>
|
|
|
|
#### /etc/initramfs-tools/modules
|
|
<details>
|
|
9p
|
|
9pnet
|
|
9pnet_virtio
|
|
|
|
</details>
|
|
|
|
Note: côté hyperviseur, il faut configurer un FS partagé en mode "mapped" avec pour cible /vm_sharedfs.
|
|
|
|
### Configurations bashrc
|
|
|
|
#### /etc/skel/.bashrc (et /home/admin666/.bashrc)
|
|
<details>
|
|
|
|
# ~/.bashrc: executed by bash(1) for non-login shells.
|
|
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
|
|
# for examples
|
|
|
|
# If not running interactively, don't do anything
|
|
case $- in
|
|
*i*) ;;
|
|
*) return;;
|
|
esac
|
|
|
|
# don't put duplicate lines or lines starting with space in the history.
|
|
# See bash(1) for more options
|
|
HISTCONTROL=ignoreboth
|
|
|
|
# append to the history file, don't overwrite it
|
|
shopt -s histappend
|
|
|
|
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
|
|
HISTSIZE=1000
|
|
HISTFILESIZE=2000
|
|
|
|
# check the window size after each command and, if necessary,
|
|
# update the values of LINES and COLUMNS.
|
|
shopt -s checkwinsize
|
|
|
|
# If set, the pattern "**" used in a pathname expansion context will
|
|
# match all files and zero or more directories and subdirectories.
|
|
#shopt -s globstar
|
|
|
|
# make less more friendly for non-text input files, see lesspipe(1)
|
|
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
|
|
|
|
# set variable identifying the chroot you work in (used in the prompt below)
|
|
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
|
|
debian_chroot=$(cat /etc/debian_chroot)
|
|
fi
|
|
|
|
# set a fancy prompt (non-color, unless we know we "want" color)
|
|
case "$TERM" in
|
|
xterm-color|*-256color) color_prompt=yes;;
|
|
esac
|
|
|
|
# uncomment for a colored prompt, if the terminal has the capability; turned
|
|
# off by default to not distract the user: the focus in a terminal window
|
|
# should be on the output of commands, not on the prompt
|
|
#force_color_prompt=yes
|
|
|
|
if [ -n "$force_color_prompt" ]; then
|
|
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
|
|
# We have color support; assume it's compliant with Ecma-48
|
|
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
|
|
# a case would tend to support setf rather than setaf.)
|
|
color_prompt=yes
|
|
else
|
|
color_prompt=
|
|
fi
|
|
fi
|
|
|
|
if [ "$color_prompt" = yes ]; then
|
|
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
|
|
else
|
|
PS1='${debian_chroot:+($debian_chroot)}\u@\H:\w\$ '
|
|
fi
|
|
unset color_prompt force_color_prompt
|
|
|
|
# If this is an xterm set the title to user@host:dir
|
|
case "$TERM" in
|
|
xterm*|rxvt*)
|
|
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\H: \w\a\]$PS1"
|
|
;;
|
|
*)
|
|
;;
|
|
esac
|
|
|
|
# enable color support of ls and also add handy aliases
|
|
if [ -x /usr/bin/dircolors ]; then
|
|
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
|
|
alias ls='ls --color=auto'
|
|
alias dir='dir --color=auto'
|
|
alias vdir='vdir --color=auto'
|
|
|
|
alias grep='grep --color=auto'
|
|
alias fgrep='fgrep --color=auto'
|
|
alias egrep='egrep --color=auto'
|
|
fi
|
|
|
|
# colored GCC warnings and errors
|
|
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
|
|
|
|
# some more ls aliases
|
|
alias ll='ls -l'
|
|
alias la='ls -A'
|
|
#alias l='ls -CF'
|
|
|
|
# Alias definitions.
|
|
# You may want to put all your additions into a separate file like
|
|
# ~/.bash_aliases, instead of adding them here directly.
|
|
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
|
|
|
|
if [ -f ~/.bash_aliases ]; then
|
|
. ~/.bash_aliases
|
|
fi
|
|
|
|
# enable programmable completion features (you don't need to enable
|
|
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
|
|
# sources /etc/bash.bashrc).
|
|
if ! shopt -oq posix; then
|
|
if [ -f /usr/share/bash-completion/bash_completion ]; then
|
|
. /usr/share/bash-completion/bash_completion
|
|
elif [ -f /etc/bash_completion ]; then
|
|
. /etc/bash_completion
|
|
fi
|
|
fi
|
|
|
|
</details>
|
|
|
|
#### /root/.bashrc
|
|
<details>
|
|
|
|
# ~/.bashrc: executed by bash(1) for non-login shells.
|
|
|
|
# Note: PS1 and umask are already set in /etc/profile. You should not
|
|
# need this unless you want different defaults for root.
|
|
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
|
|
PS1='\[\033[01;32m\]=(^-^)=${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
|
|
# umask 022
|
|
|
|
# You may uncomment the following lines if you want `ls' to be colorized:
|
|
export LS_OPTIONS='--color=auto'
|
|
# eval "`dircolors`"
|
|
alias ls='ls $LS_OPTIONS'
|
|
alias ll='ls $LS_OPTIONS -l'
|
|
alias l='ls $LS_OPTIONS -lA'
|
|
#
|
|
# Some more alias to avoid making mistakes:
|
|
# alias rm='rm -i'
|
|
# alias cp='cp -i'
|
|
# alias mv='mv -i'
|
|
|
|
# enable programmable completion features (you don't need to enable
|
|
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
|
|
# sources /etc/bash.bashrc).
|
|
if ! shopt -oq posix; then
|
|
if [ -f /usr/share/bash-completion/bash_completion ]; then
|
|
. /usr/share/bash-completion/bash_completion
|
|
elif [ -f /etc/bash_completion ]; then
|
|
. /etc/bash_completion
|
|
fi
|
|
fi
|
|
|
|
</details>
|
|
|