diff --git a/data/hooks/conf_regen/01-yunohost b/data/hooks/conf_regen/01-yunohost new file mode 100644 index 000000000..5ff8e8da4 --- /dev/null +++ b/data/hooks/conf_regen/01-yunohost @@ -0,0 +1,22 @@ +#!/bin/bash +set -e + +force=$1 + +cd /usr/share/yunohost/templates/yunohost + +sudo mkdir -p /etc/yunohost + +if [ ! -f /etc/yunohost/firewall.yml ]; then + sudo cp firewall.yml /etc/yunohost/firewall.yml +fi + +if [ ! -f /etc/yunohost/services.yml ]; then + sudo cp services.yml /etc/yunohost/services.yml +fi + +# Allow users to access /media directory +if [ ! -d /etc/skel/media ]; then + mkdir -p /media + ln -s /media /etc/skel/ +fi diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index 7640e8170..9ef3724f3 100644 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx @@ -4,15 +4,19 @@ set -e force=$1 function safe_copy () { - if [[ "$force" == "True" ]]; then - sudo yunohost service safecopy \ - -s nginx \ - $1 $2 \ - --force + if [ ! -f /etc/yunohost/installed ]; then + sudo cp $1 $2 else - sudo yunohost service safecopy \ - -s nginx \ - $1 $2 + if [[ "$force" == "True" ]]; then + sudo yunohost service safecopy \ + -s nginx \ + $1 $2 \ + --force + else + sudo yunohost service safecopy \ + -s nginx \ + $1 $2 + fi fi } 
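Review bot: The final `mkdir -p /media` and `ln -s /media /etc/skel/` in the new 01-yunohost hook run without sudo, while every other write in the file goes through sudo; with `set -e` a permission error there aborts the hook after firewall.yml and services.yml were already seeded. For consistency write `sudo mkdir -p /media` and `sudo ln -s /media /etc/skel/`. `force=$1` is assigned but never read, so a forced regen still never refreshes an existing firewall.yml or services.yml, and the removed postinst logic that re-copied firewall.yml when it still contained a `UPNP:` key does not reappear anywhere in this diff — that migration looks dropped unless it lives elsewhere.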
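Review bot: The new pre-install branch of safe_copy in 15-nginx copies with a bare `sudo cp $1 $2`, which bypasses whatever bookkeeping `yunohost service safecopy` does and leaves both arguments unquoted; the callers in this file are guarded by the same `/etc/yunohost/installed` test so the empty output is harmless here, but the function now has two contracts depending on host state. If safecopy records the files it writes, the first post-install run may find a file it never registered — worth confirming how that case is handled. At minimum quote the arguments, `sudo cp "$1" "$2"`, and add a comment such as `# before postinstall, copy directly instead of going through the yunohost CLI`. The same helper is duplicated in 52-fail2ban with only the `-s` value changed.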
@@ -30,39 +34,48 @@ for file in $files; do done -# Copy 'yunohost.local' to the main domain conf directory -main_domain=$(cat /etc/yunohost/current_host) -safe_copy yunohost_local.conf \ - /etc/nginx/conf.d/$main_domain.d/yunohost_local.conf +if [ -f /etc/yunohost/installed ]; then + + # Copy 'yunohost.local' to the main domain conf directory + main_domain=$(cat /etc/yunohost/current_host) + safe_copy yunohost_local.conf \ + /etc/nginx/conf.d/$main_domain.d/yunohost_local.conf -need_restart=False -domain_list=$(sudo yunohost domain list --raw) + need_restart=False + domain_list=$(sudo yunohost domain list --raw) -# Copy a configuration file for each YunoHost domain -for domain in $domain_list; do - sudo mkdir -p /etc/nginx/conf.d/$domain.d - cat server.conf.sed \ - | sed "s/{{ domain }}/$domain/g" \ - | sudo tee $domain.conf - if [[ $(safe_copy $domain.conf /etc/nginx/conf.d/$domain.conf) == "True" ]]; then - need_restart=True - fi -done + # Copy a configuration file for each YunoHost domain + for domain in $domain_list; do + sudo mkdir -p /etc/nginx/conf.d/$domain.d + cat server.conf.sed \ + | sed "s/{{ domain }}/$domain/g" \ + | sudo tee $domain.conf + [[ $(safe_copy $domain.conf /etc/nginx/conf.d/$domain.conf) == "True" ]] \ + && need_restart=True -# Remove old domains files -for file in /etc/nginx/conf.d/*.*.conf; do - domain=$(echo $file \ - | sed 's|/etc/nginx/conf.d/||' \ - | sed 's|.conf||') - [[ $domain_list =~ $domain ]] \ - || ($(sudo yunohost service saferemove -s nginx $file) == "True" \ - && (rm -r /etc/nginx/conf.d/$domain.d || true)) -done + [ -f /etc/nginx/conf.d/$domain.d/yunohost_local.conf ] \ + && [[ $main_domain != $domain ]] \ + && sudo yunohost service saferemove -s nginx \ + /etc/nginx/conf.d/$domain.d/yunohost_local.conf + done + + + # Remove old domains files + for file in /etc/nginx/conf.d/*.*.conf; do + domain=$(echo $file \ + | sed 's|/etc/nginx/conf.d/||' \ + | sed 's|.conf||') + [[ $domain_list =~ $domain ]] \ + || ($(sudo yunohost 
service saferemove -s nginx $file) == "True" \ + && (rm -r /etc/nginx/conf.d/$domain.d || true)) + done + +else + need_restart=True +fi # Restart if need be -if [[ "$need_restart" == "True" ]]; then - sudo service nginx restart -else - sudo service nginx reload -fi +[[ "$need_restart" == "True" ]] \ + && sudo service nginx restart \ + || sudo service nginx reload diff --git a/data/hooks/conf_regen/52-fail2ban b/data/hooks/conf_regen/52-fail2ban new file mode 100644 index 000000000..9c609c74a --- /dev/null +++ b/data/hooks/conf_regen/52-fail2ban @@ -0,0 +1,29 @@ +#!/bin/bash +set -e + +force=$1 + +function safe_copy () { + if [[ "$force" == "True" ]]; then + sudo yunohost service safecopy \ + -s fail2ban $1 $2 --force + else + sudo yunohost service safecopy \ + -s fail2ban $1 $2 + fi +} + +cd /usr/share/yunohost/templates/fail2ban + +sudo mkdir -p /etc/fail2ban/filter.d +safe_copy yunohost.conf /etc/fail2ban/filter.d/yunohost.conf + +# Compatibility: change from HDB to MDB on Jessie +version=$(sed 's/\..*//' /etc/debian_version) +[[ "$version" == '8' ]] \ + && sudo cp jail-jessie.conf jail.conf \ + || sudo cp jail-wheezy.conf jail.conf + +if [[ $(safe_copy jail.conf /etc/fail2ban/jail.conf) == "True" ]]; then + sudo service fail2ban restart +fi diff --git a/data/templates/fail2ban/jail-jessie.conf b/data/templates/fail2ban/jail-jessie.conf new file mode 100644 index 000000000..59dcf51df --- /dev/null +++ b/data/templates/fail2ban/jail-jessie.conf 
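Review bot: The new restart line `[[ "$need_restart" == "True" ]] && sudo service nginx restart || sudo service nginx reload` changes behaviour from the if/else it replaces: when the restart itself fails, the `||` branch runs a reload and the failure is masked instead of stopping the script under `set -e`; keep the `if ... then ... else ... fi` form there. The "Remove old domains files" loop moved into the `installed` branch still executes `$(sudo yunohost service saferemove -s nginx $file) == "True"` as a command rather than a test, so that comparison cannot work as written and the following `rm -r` runs without sudo unlike the rest of the file — pre-existing, but since the block was relocated this is the moment to rewrite it as `if [[ $(sudo yunohost service saferemove -s nginx $file) == "True" ]]`. `[[ $domain_list =~ $domain ]]` also treats the domain as an unanchored regex, so a domain that is a substring of another listed one is never cleaned up; a literal whole-item comparison is needed.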
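Review bot: The comment `# Compatibility: change from HDB to MDB on Jessie` in 52-fail2ban describes an LDAP backend switch, not the jail template selection it precedes; replace it with `# Select the jail.conf template matching the Debian release`. The `[[ "$version" == '8' ]] && sudo cp jail-jessie.conf jail.conf || sudo cp jail-wheezy.conf jail.conf` chain falls through to the wheezy template if the jessie copy fails, and on a host whose `/etc/debian_version` holds a codename such as `jessie/sid` the `sed 's/\..*//'` does not yield `8`, so it silently gets the wheezy jail — an explicit `if/else` would make both cases visible. Writing the selected template to `jail.conf` inside the packaged templates directory also leaves a generated file there; a `mktemp` path passed to safe_copy would avoid that.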
@@ -0,0 +1,584 @@ +# Fail2Ban configuration file. +# +# This file was composed for Debian systems from the original one +# provided now under /usr/share/doc/fail2ban/examples/jail.conf +# for additional examples. +# +# Comments: use '#' for comment lines and ';' for inline comments +# +# To avoid merges during upgrades DO NOT MODIFY THIS FILE +# and rather provide your changes in /etc/fail2ban/jail.local +# + +# The DEFAULT allows a global definition of the options. They can be overridden +# in each jail afterwards. + +[DEFAULT] + +# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not +# ban a host which matches an address in this list. Several addresses can be +# defined using space separator. +ignoreip = 127.0.0.1/8 + +# External command that will take an tagged arguments to ignore, e.g. , +# and return true if the IP is to be ignored. False otherwise. +# +# ignorecommand = /path/to/command +ignorecommand = + +# "bantime" is the number of seconds that a host is banned. +bantime = 600 + +# A host is banned if it has generated "maxretry" during the last "findtime" +# seconds. +findtime = 600 +maxretry = 3 + +# "backend" specifies the backend used to get files modification. +# Available options are "pyinotify", "gamin", "polling" and "auto". +# This option can be overridden in each jail as well. +# +# pyinotify: requires pyinotify (a file alteration monitor) to be installed. +# If pyinotify is not installed, Fail2ban will use auto. +# gamin: requires Gamin (a file alteration monitor) to be installed. +# If Gamin is not installed, Fail2ban will use auto. +# polling: uses a polling algorithm which does not require external libraries. +# auto: will try to use the following backends, in order: +# pyinotify, gamin, polling. 
+backend = auto + +# "usedns" specifies if jails should trust hostnames in logs, +# warn when reverse DNS lookups are performed, or ignore all hostnames in logs +# +# yes: if a hostname is encountered, a reverse DNS lookup will be performed. +# warn: if a hostname is encountered, a reverse DNS lookup will be performed, +# but it will be logged as a warning. +# no: if a hostname is encountered, will not be used for banning, +# but it will be logged as info. +usedns = warn + +# +# Destination email address used solely for the interpolations in +# jail.{conf,local} configuration files. +destemail = root@localhost + +# +# Name of the sender for mta actions +sendername = Fail2Ban + +# Email address of the sender +sender = fail2ban@localhost + +# +# ACTIONS +# + +# Default banning action (e.g. iptables, iptables-new, +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per +# section within jail.local file +banaction = iptables-multiport + +# email action. Since 0.8.1 upstream fail2ban uses sendmail +# MTA for the mailing. Change mta configuration parameter to mail +# if you want to revert to conventional 'mail'. +mta = sendmail + +# Default protocol +protocol = tcp + +# Specify chain where jumps would need to be added in iptables-* actions +chain = INPUT + +# +# Action shortcuts. To be used to define action parameter + +# The simplest action to take: ban only +action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report to the destemail. +action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"] + +# ban & send an e-mail with whois report and relevant log lines +# to the destemail. 
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"] + +# Choose default action. To change, just override value of 'action' with the +# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local +# globally (section [DEFAULT]) or per specific section +action = %(action_)s + +# +# JAILS +# + +# Next jails corresponds to the standard configuration in Fail2ban 0.6 which +# was shipped in Debian. Enable any defined here jail by including +# +# [SECTION_NAME] +# enabled = true + +# +# in /etc/fail2ban/jail.local. +# +# Optionally you may override any other parameter (e.g. banaction, +# action, port, logpath, etc) in that section within jail.local + +[ssh] + +enabled = true +port = ssh +filter = sshd +logpath = /var/log/auth.log +maxretry = 6 + +[dropbear] + +enabled = false +port = ssh +filter = dropbear +logpath = /var/log/auth.log +maxretry = 6 + +# Generic filter for pam. 
Has to be used with action which bans all ports +# such as iptables-allports, shorewall +[pam-generic] + +enabled = true +# pam-generic filter can be customized to monitor specific subset of 'tty's +filter = pam-generic +# port actually must be irrelevant but lets leave it all for some possible uses +port = all +banaction = iptables-allports +port = anyport +logpath = /var/log/auth.log +maxretry = 6 + +[xinetd-fail] + +enabled = false +filter = xinetd-fail +port = all +banaction = iptables-multiport-log +logpath = /var/log/daemon.log +maxretry = 2 + + +[ssh-ddos] + +enabled = false +port = ssh +filter = sshd-ddos +logpath = /var/log/auth.log +maxretry = 6 + + +# Here we use blackhole routes for not requiring any additional kernel support +# to store large volumes of banned IPs + +[ssh-route] + +enabled = false +filter = sshd +action = route +logpath = /var/log/sshd.log +maxretry = 6 + +# Here we use a combination of Netfilter/Iptables and IPsets +# for storing large volumes of banned IPs +# +# IPset comes in two versions. See ipset -V for which one to use +# requires the ipset package and kernel support. 
+[ssh-iptables-ipset4] + +enabled = false +port = ssh +filter = sshd +banaction = iptables-ipset-proto4 +logpath = /var/log/sshd.log +maxretry = 6 + +[ssh-iptables-ipset6] + +enabled = false +port = ssh +filter = sshd +banaction = iptables-ipset-proto6 +logpath = /var/log/sshd.log +maxretry = 6 + + +# +# HTTP servers +# + +[apache] + +enabled = false +port = http,https +filter = apache-auth +logpath = /var/log/apache*/*error.log +maxretry = 6 + +# default action is now multiport, so apache-multiport jail was left +# for compatibility with previous (<0.7.6-2) releases +[apache-multiport] + +enabled = false +port = http,https +filter = apache-auth +logpath = /var/log/apache*/*error.log +maxretry = 6 + +[apache-noscript] + +enabled = false +port = http,https +filter = apache-noscript +logpath = /var/log/apache*/*error.log +maxretry = 6 + +[apache-overflows] + +enabled = false +port = http,https +filter = apache-overflows +logpath = /var/log/apache*/*error.log +maxretry = 2 + +[apache-modsecurity] + +enabled = false +filter = apache-modsecurity +port = http,https +logpath = /var/log/apache*/*error.log +maxretry = 2 + +[apache-nohome] + +enabled = false +filter = apache-nohome +port = http,https +logpath = /var/log/apache*/*error.log +maxretry = 2 + +# Ban attackers that try to use PHP's URL-fopen() functionality +# through GET/POST variables. - Experimental, with more than a year +# of usage in production environments. + +[php-url-fopen] + +enabled = false +port = http,https +filter = php-url-fopen +logpath = /var/www/*/logs/access_log + +# A simple PHP-fastcgi jail which works with lighttpd. 
+# If you run a lighttpd server, then you probably will +# find these kinds of messages in your error_log: +# ALERT – tried to register forbidden variable ‘GLOBALS’ +# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') + +[lighttpd-fastcgi] + +enabled = false +port = http,https +filter = lighttpd-fastcgi +logpath = /var/log/lighttpd/error.log + +# Same as above for mod_auth +# It catches wrong authentifications + +[lighttpd-auth] + +enabled = false +port = http,https +filter = suhosin +logpath = /var/log/lighttpd/error.log + +[nginx-http-auth] + +enabled = false +filter = nginx-http-auth +port = http,https +logpath = /var/log/nginx/error.log + +# Monitor roundcube server + +[roundcube-auth] + +enabled = false +filter = roundcube-auth +port = http,https +logpath = /var/log/roundcube/userlogins + + +[sogo-auth] + +enabled = false +filter = sogo-auth +port = http, https +# without proxy this would be: +# port = 20000 +logpath = /var/log/sogo/sogo.log + + +# +# FTP servers +# + +[vsftpd] + +enabled = false +port = ftp,ftp-data,ftps,ftps-data +filter = vsftpd +logpath = /var/log/vsftpd.log +# or overwrite it in jails.local to be +# logpath = /var/log/auth.log +# if you want to rely on PAM failed login attempts +# vsftpd's failregex should match both of those formats +maxretry = 6 + + +[proftpd] + +enabled = false +port = ftp,ftp-data,ftps,ftps-data +filter = proftpd +logpath = /var/log/proftpd/proftpd.log +maxretry = 6 + + +[pure-ftpd] + +enabled = false +port = ftp,ftp-data,ftps,ftps-data +filter = pure-ftpd +logpath = /var/log/syslog +maxretry = 6 + + +[wuftpd] + +enabled = false +port = ftp,ftp-data,ftps,ftps-data +filter = wuftpd +logpath = /var/log/syslog +maxretry = 6 + + +# +# Mail servers +# + +[postfix] + +enabled = true +port = smtp,ssmtp,submission +filter = postfix +logpath = /var/log/mail.log + + +[couriersmtp] + +enabled = false +port = smtp,ssmtp,submission +filter = couriersmtp +logpath = /var/log/mail.log + + +# +# Mail 
servers authenticators: might be used for smtp,ftp,imap servers, so +# all relevant ports get banned +# + +[courierauth] + +enabled = false +port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +filter = courierlogin +logpath = /var/log/mail.log + + +[sasl] + +enabled = true +port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +filter = postfix-sasl +# You might consider monitoring /var/log/mail.warn instead if you are +# running postfix since it would provide the same log lines at the +# "warn" level but overall at the smaller filesize. +logpath = /var/log/mail.log + +[dovecot] + +enabled = true +port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +filter = dovecot +logpath = /var/log/mail.log + +# To log wrong MySQL access attempts add to /etc/my.cnf: +# log-error=/var/log/mysqld.log +# log-warning = 2 +[mysqld-auth] + +enabled = false +filter = mysqld-auth +port = 3306 +logpath = /var/log/mysqld.log + + +# DNS Servers + + +# These jails block attacks against named (bind9). By default, logging is off +# with bind9 installation. You will need something like this: +# +# logging { +# channel security_file { +# file "/var/log/named/security.log" versions 3 size 30m; +# severity dynamic; +# print-time yes; +# }; +# category security { +# security_file; +# }; +# }; +# +# in your named.conf to provide proper logging + +# !!! WARNING !!! +# Since UDP is connection-less protocol, spoofing of IP and imitation +# of illegal actions is way too simple. Thus enabling of this filter +# might provide an easy way for implementing a DoS against a chosen +# victim. See +# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html +# Please DO NOT USE this jail unless you know what you are doing. 
+#[named-refused-udp] +# +#enabled = false +#port = domain,953 +#protocol = udp +#filter = named-refused +#logpath = /var/log/named/security.log + +[named-refused-tcp] + +enabled = false +port = domain,953 +protocol = tcp +filter = named-refused +logpath = /var/log/named/security.log + +[freeswitch] + +enabled = false +filter = freeswitch +logpath = /var/log/freeswitch.log +maxretry = 10 +action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp] + iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp] + +[ejabberd-auth] + +enabled = false +filter = ejabberd-auth +port = xmpp-client +protocol = tcp +logpath = /var/log/ejabberd/ejabberd.log + + +# Multiple jails, 1 per protocol, are necessary ATM: +# see https://github.com/fail2ban/fail2ban/issues/37 +[asterisk-tcp] + +enabled = false +filter = asterisk +port = 5060,5061 +protocol = tcp +logpath = /var/log/asterisk/messages + +[asterisk-udp] + +enabled = false +filter = asterisk +port = 5060,5061 +protocol = udp +logpath = /var/log/asterisk/messages + + +# Jail for more extended banning of persistent abusers +# !!! WARNING !!! 
+# Make sure that your loglevel specified in fail2ban.conf/.local +# is not at DEBUG level -- which might then cause fail2ban to fall into +# an infinite loop constantly feeding itself with non-informative lines +[recidive] + +enabled = false +filter = recidive +logpath = /var/log/fail2ban.log +action = iptables-allports[name=recidive] + sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] +bantime = 604800 ; 1 week +findtime = 86400 ; 1 day +maxretry = 5 + +# See the IMPORTANT note in action.d/blocklist_de.conf for when to +# use this action +# +# Report block via blocklist.de fail2ban reporting service API +# See action.d/blocklist_de.conf for more information +[ssh-blocklist] + +enabled = false +filter = sshd +action = iptables[name=SSH, port=ssh, protocol=tcp] + sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"] + blocklist_de[email="%(sender)s", apikey="xxxxxx", service="%(filter)s"] +logpath = /var/log/sshd.log +maxretry = 20 + + +# consider low maxretry and a long bantime +# nobody except your own Nagios server should ever probe nrpe +[nagios] +enabled = false +filter = nagios +action = iptables[name=Nagios, port=5666, protocol=tcp] + sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"] +logpath = /var/log/messages ; nrpe.cfg may define a different log_facility +maxretry = 1 + +[nginx] + +enabled = true +port = http,https +filter = apache-auth +logpath = /var/log/nginx*/*error.log +maxretry = 6 + +[nginx-noscript] + +enabled = false +port = http,https +filter = apache-noscript +logpath = /var/log/nginx*/*error.log +maxretry = 6 + +[nginx-overflows] + +enabled = false +port = http,https +filter = apache-overflows +logpath = /var/log/nginx*/*error.log +maxretry = 4 + +[yunohost] + +enabled = true +port = http,https +protocol = tcp +filter = yunohost +logpath = /var/log/nginx/*.log 
diff --git a/data/templates/fail2ban/jail.conf b/data/templates/fail2ban/jail-wheezy.conf similarity index 99% rename from data/templates/fail2ban/jail.conf rename to data/templates/fail2ban/jail-wheezy.conf index c1cde0264..8eb0e7a1e 100644 --- a/data/templates/fail2ban/jail.conf +++ b/data/templates/fail2ban/jail-wheezy.conf @@ -231,6 +231,8 @@ port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log +[couriersmtp] + enabled = false port = smtp,ssmtp filter = couriersmtp diff --git a/data/other/firewall.yml b/data/templates/yunohost/firewall.yml similarity index 100% rename from data/other/firewall.yml rename to data/templates/yunohost/firewall.yml diff --git a/data/other/services.yml b/data/templates/yunohost/services.yml similarity index 100% rename from data/other/services.yml rename to data/templates/yunohost/services.yml diff --git a/debian/install b/debian/install index 4c91fbd4e..772027be8 100644 --- a/debian/install +++ b/debian/install @@ -2,6 +2,7 @@ bin/* /usr/bin/ data/actionsmap/* /usr/share/moulinette/actionsmap/ data/hooks/* /usr/share/yunohost/hooks/ data/other/* /usr/share/yunohost/yunohost-config/moulinette/ +data/templates/* /usr/share/yunohost/templates/ data/apps/* /usr/share/yunohost/apps/ lib/yunohost/*.py /usr/lib/moulinette/yunohost/ locales/* /usr/lib/moulinette/yunohost/locales/ diff --git a/debian/postinst b/debian/postinst index 3106cfed8..ec92de4d3 100644 --- a/debian/postinst +++ b/debian/postinst 
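Review bot: The added `[couriersmtp]` header is a behavioural fix rather than a rename detail: without it the `enabled = false` / `filter = couriersmtp` lines belonged to the preceding `[postfix]` section and, if the parser keeps the last duplicate key, turned the postfix jail off and pointed it at the courier filter. Upgrading wheezy hosts will therefore start banning on postfix log lines they previously ignored, which the commit message should state explicitly. The rename to `jail-wheezy.conf` itself is fine.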
@@ -3,62 +3,12 @@ set -e do_configure() { - TMP=/usr/share/yunohost/yunohost-config/moulinette - - if [ ! -d /etc/yunohost ]; - then - mkdir -p /etc/yunohost - fi - - # Allow users to access /media directory - if [ ! -d /etc/skel/media ]; - then - mkdir -p /media - ln -s /media /etc/skel/ - fi - - #Firewall - grep -q "UPNP:" /etc/yunohost/firewall.yml > /dev/null 2>&1 - if [[ $? -eq 0 ]] || [ ! -f /etc/yunohost/firewall.yml ]; - then - cp $TMP/firewall.yml /etc/yunohost/ - fi - - # App fetchlist - if [ -f /etc/cron.d/yunohost-applist-yunohost ]; - then - sed -i "s/--no-ldap //g" /etc/cron.d/yunohost-applist-yunohost - fi - - # Service list - if [ ! -f /etc/yunohost/services.yml ]; - then - cp $TMP/services.yml /etc/yunohost/ - fi - - # Stop old API - ps aux | grep "yunohost.tac" | grep -qv grep - if [[ $? -eq 0 ]]; - then - killall twistd - fi - rm -rf /var/cache/moulinette/* - update-rc.d yunohost-api defaults > /dev/null service yunohost-api restart - # Firewall - update-rc.d yunohost-firewall defaults > /dev/null - - # Reload SSOwat conf if obsolete - if [ -f /etc/yunohost/installed ]; - then - yunohost firewall upnp | grep -qi "true" - if [[ $? -eq 0 ]]; - then - yunohost firewall upnp enable - fi - yunohost app ssowatconf + if [ ! -f /etc/yunohost/installed ]; then + bash /usr/share/yunohost/hooks/conf_regen/02-ssl + bash /usr/share/yunohost/hooks/conf_regen/15-nginx fi } diff --git a/lib/yunohost/tools.py b/lib/yunohost/tools.py index 95fbe8f83..ca31e6418 100644 --- a/lib/yunohost/tools.py +++ b/lib/yunohost/tools.py @@ -106,6 +106,7 @@ def tools_maindomain(auth, old_domain=None, new_domain=None, dyndns=False): """ from yunohost.domain import domain_add, domain_list from yunohost.dyndns import dyndns_subscribe + from yunohost.service import service_regenconf if not old_domain: with open('/etc/yunohost/current_host', 'r') as f: 
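Review bot: The new `do_configure` runs only the `02-ssl` and `15-nginx` hooks, and only before postinstall; the `01-yunohost` hook added in this commit (which seeds `/etc/yunohost/firewall.yml` and `/etc/yunohost/services.yml`) is never invoked here, and the removed `update-rc.d yunohost-firewall defaults` and the UPnP re-enable do not reappear anywhere in the diff. Unless `service_regenconf` in tools_postinstall covers them, a fresh install ends up without the firewall init script enabled and without services.yml until postinstall runs; consider adding `bash /usr/share/yunohost/hooks/conf_regen/01-yunohost` before the ssl hook. The hooks are also invoked without the `force` argument, so `$1` inside them is empty, and they call `sudo` from a maintainer script that already runs as root — worth a comment such as `# hooks use sudo internally; postinst already runs as root`.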
@@ -119,71 +120,13 @@ def tools_maindomain(auth, old_domain=None, new_domain=None, dyndns=False): if new_domain not in domain_list(auth)['domains']: domain_add(auth, new_domain) - config_files = [ - '/etc/postfix/main.cf', - '/etc/metronome/metronome.cfg.lua', - '/etc/dovecot/dovecot.conf', - '/usr/share/yunohost/yunohost-config/others/startup', - '/etc/amavis/conf.d/05-node_id', - '/etc/amavis/conf.d/50-user' - ] - - config_dir = [] - - for dir in config_dir: - for file in os.listdir(dir): - config_files.append(dir + '/' + file) - - for file in config_files: - with open(file, "r") as sources: - lines = sources.readlines() - with open(file, "w") as sources: - for line in lines: - sources.write(re.sub(r''+ old_domain +'', new_domain, line)) - - ## Update DNS zone file for old and new domains - main_subdomains = ['pubsub', 'muc', 'vjud'] - try: - with open('/var/lib/bind/%s.zone' % old_domain, 'r') as f: - old_zone = f.read() - except IOError: - pass - else: - # Remove unneeded subdomains entries - for sub in main_subdomains: - old_zone = re.sub( - r'^({sub}.{domain}.|{sub})[\ \t]+(IN).*$[\n]?'.format( - sub=sub, domain=old_domain), - '', old_zone, 1, re.MULTILINE) - with open('/var/lib/bind/%s.zone' % old_domain, 'w') as f: - f.write(old_zone) - try: - with open('/var/lib/bind/%s.zone' % new_domain, 'r') as f: - new_zone = f.read() - except IOError: - msignals.display(m18n.n('domain_zone_not_found', new_domain), 'warning') - else: - # Add main subdomains entries - for sub in main_subdomains: - new_zone += '{sub} IN CNAME {domain}.\n'.format( - sub=sub, domain=new_domain) - with open('/var/lib/bind/%s.zone' % new_domain, 'w') as f: - f.write(new_zone) - os.system('rm /etc/ssl/private/yunohost_key.pem') os.system('rm /etc/ssl/certs/yunohost_crt.pem') command_list = [ - 'rm -f /etc/nginx/conf.d/%s.d/yunohost_local.conf' % old_domain, - 'cp /usr/share/yunohost/yunohost-config/nginx/yunohost_local.conf /etc/nginx/conf.d/%s.d/' % new_domain, 'ln -s 
/etc/yunohost/certs/%s/key.pem /etc/ssl/private/yunohost_key.pem' % new_domain, 'ln -s /etc/yunohost/certs/%s/crt.pem /etc/ssl/certs/yunohost_crt.pem' % new_domain, 'echo %s > /etc/yunohost/current_host' % new_domain, - 'service metronome restart', - 'service postfix restart', - 'service dovecot restart', - 'service amavis restart', - 'service nginx restart', ] for command in command_list: @@ -202,6 +145,11 @@ def tools_maindomain(auth, old_domain=None, new_domain=None, dyndns=False): if dyndomain in dyndomains: dyndns_subscribe(domain=new_domain) + try: + with open('/etc/yunohost/installed', 'r') as f: + service_regenconf() + except IOError: pass + msignals.display(m18n.n('maindomain_changed'), 'success') @@ -219,6 +167,7 @@ def tools_postinstall(domain, password, ignore_dyndns=False): from yunohost.app import app_ssowatconf from yunohost.firewall import firewall_upnp, firewall_reload + from yunohost.service import service_regenconf dyndns = not ignore_dyndns @@ -327,6 +276,8 @@ def tools_postinstall(domain, password, ignore_dyndns=False): os.system('touch /etc/yunohost/installed') + service_regenconf() + msignals.display(m18n.n('yunohost_configured'), 'success')
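Review bot: The deleted rewrite of the main domain in the postfix, metronome, dovecot and amavis configs, the bind zone update and the matching service restarts are not replaced by anything visible in this diff; the only conf_regen hooks added here are 01-yunohost, 15-nginx and 52-fail2ban, so unless hooks for those services already exist, `tools_maindomain` now leaves them on the old domain. The remaining `command_list` still builds shell strings with `%s` and runs them through `os.system`, so `new_domain` is interpolated unquoted into `ln -s` and `echo ... >`; a `subprocess.call([...])` with an argument list would stop relying on domain validation done elsewhere. `tools_maindomain` continues outside the hunk.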
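Review bot: The new `try: with open('/etc/yunohost/installed', 'r') as f: service_regenconf()` block opens a file only to test its existence and, because the call sits inside the `with`, any IOError raised by `service_regenconf()` itself is swallowed by `except IOError: pass`, so a failed regeneration after a main-domain change goes unreported. Replace the four lines with `if os.path.isfile('/etc/yunohost/installed'):` followed by `service_regenconf()`; `os` is already used in this function, and the unused `f` binding disappears with it.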