<?xml version="1.0"?>
<?xml-stylesheet type="text/css" href="https://wiki.hegyd.com/skins/common/feed.css?207"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
	<channel>
		<title>Hegyd Doc - Nouvelles pages [fr]</title>
		<link>https://wiki.hegyd.com/index.php/Sp%C3%A9cial:Nouvelles_pages</link>
		<description>De Hegyd Doc.</description>
		<language>fr</language>
		<generator>MediaWiki 1.15.4</generator>
		<lastBuildDate>Fri, 10 Jul 2026 20:31:26 GMT</lastBuildDate>
		<item>
			<title>WPS在线协作编辑表格多人同时填表实时更新</title>
			<link>https://wiki.hegyd.com/index.php/WPS%E5%9C%A8%E7%BA%BF%E5%8D%8F%E4%BD%9C%E7%BC%96%E8%BE%91%E8%A1%A8%E6%A0%BC%E5%A4%9A%E4%BA%BA%E5%90%8C%E6%97%B6%E5%A1%AB%E8%A1%A8%E5%AE%9E%E6%97%B6%E6%9B%B4%E6%96%B0</link>
			<description>&lt;p&gt;SteveGrace2976&amp;nbsp;:&amp;#32;Page créée avec « &amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;想象一下，你的团队正在赶一个紧急的项目进度表，五个人同时打开同一个表格，有人填数据，有人改公式，有人加批注，… »&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;想象一下，你的团队正在赶一个紧急的项目进度表，五个人同时打开同一个表格，有人填数据，有人改公式，有人加批注，而所有人看到的都是同一个实时刷新的版本。没有&amp;quot;版本冲突&amp;quot;的红色警告，没有&amp;quot;文件已被锁定&amp;quot;的弹窗，更没有&amp;quot;我明明保存了为什么你的还是旧数据&amp;quot;的争吵。这不是科幻片里的未来办公，而是WPS在线协作编辑表格正在为你实现的日常。&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;WPS的多人同时填表功能，彻底撕掉了传统表格&amp;quot;单机游戏&amp;quot;的标签。过去，一份表格在微信群里传来传去，最后谁也不知道哪个是最终版；或者你辛辛苦苦填完数据，发现同事已经覆盖了你的修改，那种崩溃感足以让人想砸键盘。现在，WPS让所有人像在同一个黑板前写字一样，你填一行，我改一列，他加一个筛选条件，所有操作实时同步，每一个单元格的变化都像心跳一样即时跳动在每个人的屏幕上。这种&amp;quot;所见即所得&amp;quot;的协作体验，不仅省去了反复合并、核对的时间，更让团队的工作节奏从&amp;quot;接力赛&amp;quot;变成了&amp;quot;齐步走&amp;quot;。&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;更让人心动的是，它不需要任何复杂的部署或学习成本。你只需要在WPS中创建一个在线表格，分享一个链接，设置好编辑权限，然后就可以邀请同事、客户甚至跨部门的合作伙伴一起进入这个&amp;quot;虚拟工作台&amp;quot;。无论是财务部月底对账，还是市场部收集活动数据，甚至是几十个人同时填报一份调研问卷，WPS都能轻松承载。你甚至能看到谁正在编辑哪个单元格，光标位置、姓名标签一目了然，就像大家围坐在同一张会议桌前，每个人手里的笔都看得清清楚楚。&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;实时更新的魅力还在于，它让&amp;quot;决策&amp;quot;不再滞后。当销售数据在表格里跳动更新时，管理层可以立刻看到最新趋势；当项目进度被多人同时推进时，风险点会第一时间暴露在所有人眼前。这种信息的零延迟流转，让团队从&amp;quot;事后总结&amp;quot;转向&amp;quot;实时响应&amp;quot;，每一个动作都带着当下的温度，而不是隔夜的冷饭。&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;[https://www.wpsxzgw.com WPS]在线协作编辑表格，不是把Excel搬到了网上那么简单。它重新定义了&amp;quot;表格&amp;quot;的边界——从一个人孤独的格子，变成一群人共舞的舞台。它让数据不再是死板的数字，而是流动的、有生命的协作语言。如果你还在为表格的混乱版本和低效沟通头疼，不妨试试让WPS成为你的团队新基建。毕竟，在这个快节奏的时代，谁先实现实时协作，谁就抢占了先机。&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;/div&gt;</description>
			<pubDate>Tue, 19 May 2026 07:50:19 GMT</pubDate>			<dc:creator>SteveGrace2976</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:WPS%E5%9C%A8%E7%BA%BF%E5%8D%8F%E4%BD%9C%E7%BC%96%E8%BE%91%E8%A1%A8%E6%A0%BC%E5%A4%9A%E4%BA%BA%E5%90%8C%E6%97%B6%E5%A1%AB%E8%A1%A8%E5%AE%9E%E6%97%B6%E6%9B%B4%E6%96%B0</comments>		</item>
		<item>
			<title>Why Pay More? NANU API Solves OpenRouter's High Costs</title>
			<link>https://wiki.hegyd.com/index.php/Why_Pay_More%3F_NANU_API_Solves_OpenRouter%27s_High_Costs</link>
			<description>&lt;p&gt;Demi60X8583&amp;nbsp;:&amp;#32;Page créée avec « &amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;Every developer who has ever integrated an AI model knows the sting of watching their API bills balloon overnight. OpenRouter promised flexibility and choice, but… »&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;Every developer who has ever integrated an AI model knows the sting of watching their API bills balloon overnight. OpenRouter promised flexibility and choice, but for many teams, that freedom comes with a hidden price tag that grows faster than their user base. The frustration is real: you find a model that works perfectly, only to realize that per-request costs are eating into your margins, or worse, making your product unsustainable at scale. That is precisely where NANU API steps in, not as just another alternative, but as a direct solution to the cost problem that OpenRouter users have been quietly dreading.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;The core issue with OpenRouter is not the variety of models, but the markup. While they offer access to dozens of providers, each request is padded with additional fees that compound rapidly. For a startup processing thousands of queries daily, those extra cents per call turn into hundreds of dollars monthly. NANU API eliminates this by cutting out the middleman overhead. We connect you directly to the underlying inference endpoints, passing the savings straight to your wallet. The result? You get the same high-quality responses from leading models, but at a fraction of the price.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;But lower costs do not mean lower performance. NANU API is built on a lean, optimized infrastructure that prioritizes speed and reliability. While OpenRouter sometimes struggles with latency spikes during peak hours, our architecture ensures consistent response times, even under heavy load. We have stripped away unnecessary layers, meaning your requests travel a shorter path from input to output. This translates to faster completions and a smoother user experience, which is critical when every millisecond counts in a live application.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;Transparency is another area where NANU API outperforms. OpenRouter's pricing can feel like a black box, with fluctuating rates and confusing tier structures. With us, what you see is what you pay. Our pricing is straightforward, predictable, and consistently lower. There are no surprise surcharges for popular models or hidden fees for high-volume usage. You can budget with confidence, knowing that your costs will scale linearly with your success, not exponentially with hidden markups.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;For developers who have already built their workflows around OpenRouter, switching might sound daunting. But NANU API is designed for seamless migration. Our API endpoints are compatible with the same request formats you already use, so you can swap out the base URL and start saving immediately. No rewriting your entire codebase, no retraining your team, just instant cost relief. We even provide detailed documentation and responsive support to handle any edge cases, ensuring the transition is as smooth as possible.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;Ultimately, the question &amp;quot;Why pay more?&amp;quot; is not rhetorical. It is a challenge to the status quo. [https://www.nanuapi.com OpenRouter] served a purpose by democratizing access, but as the AI landscape matures, efficiency matters more than ever. NANU API is the logical next step for teams that refuse to overpay for infrastructure. We give you the same models, better speed, and dramatically lower costs. If your budget is bleeding out to API fees, it is time to make the switch. Your bottom line will thank you.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;/div&gt;</description>
			<pubDate>Thu, 14 May 2026 10:39:46 GMT</pubDate>			<dc:creator>Demi60X8583</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:Why_Pay_More%3F_NANU_API_Solves_OpenRouter%27s_High_Costs</comments>		</item>
		<item>
			<title>搜狗输入法方言识别提升30%，讯飞输入法的方言优势还在吗？</title>
			<link>https://wiki.hegyd.com/index.php/%E6%90%9C%E7%8B%97%E8%BE%93%E5%85%A5%E6%B3%95%E6%96%B9%E8%A8%80%E8%AF%86%E5%88%AB%E6%8F%90%E5%8D%8730%25%EF%BC%8C%E8%AE%AF%E9%A3%9E%E8%BE%93%E5%85%A5%E6%B3%95%E7%9A%84%E6%96%B9%E8%A8%80%E4%BC%98%E5%8A%BF%E8%BF%98%E5%9C%A8%E5%90%97%EF%BC%9F</link>
			<description>&lt;p&gt;Leoma83E493292&amp;nbsp;:&amp;#32;Page créée avec « &amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;当搜狗输入法宣布其方言识别能力实现30%的显著提升时，整个输入法市场的目光，或许都不约而同地投向了长期以语音技术… »&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;当搜狗输入法宣布其方言识别能力实现30%的显著提升时，整个输入法市场的目光，或许都不约而同地投向了长期以语音技术见长的讯飞输入法。这不仅仅是一次版本更新，更像是一次明确的挑战：在方言识别这个曾经被视为技术壁垒的赛道上，领先者的护城河还足够深吗？&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;长久以来，讯飞输入法凭借其深厚的语音识别积累，尤其在方言支持方面，建立了鲜明的用户认知和口碑。多地方言的高精度识别，是其吸引并留住特定用户群体的核心利器。然而，技术竞争没有永恒的舒适区。搜狗此次的针对性突破，直接切入这一核心战场，意味着用户在选择输入法时，将面临一个更均衡、也可能更纠结的考量：是继续信赖讯飞的传统优势，还是尝试搜狗带来的新可能？&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;对于普通用户而言，这场技术竞赛的直接受益者正是他们。方言识别率的提升，远非冰冷的百分比数字，它意味着更顺畅的语音输入体验、更少的纠错次数，以及对方言使用者更深层次的情感尊重。无论是与家乡亲人发送语音消息，还是在工作场合中因口音带来的输入困扰，更精准的识别技术都在细微处提升着沟通的效率与温度。因此，用户的关注点不应局限于&amp;quot;谁更强&amp;quot;，而应聚焦于&amp;quot;谁更能满足我的实际需求&amp;quot;。&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;深入来看，搜狗的这次提升，可能预示着输入法竞争进入一个更精细化的新阶段。早期的语音识别解决的是&amp;quot;从无到有&amp;quot;的问题，而如今，战火已经蔓延到&amp;quot;从有到优&amp;quot;，乃至对复杂、非标准语言形态的深度理解。讯飞的优势在于其多年的技术沉淀和完整的语音生态布局；而搜狗的发力，则展现了其在数据迭代和算法优化上的强劲后劲。两者的较量，不再是单点技术的比拼，而是数据、算法、应用场景综合生态能力的对抗。&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt; [https://www.sougoou.com 搜狗输入法下载] 那么，讯飞输入法的方言优势是否依然存在？答案是肯定的，但优势的内容和形式可能需要重新定义。单纯的识别率数字领先可能变得脆弱，真正的优势将转化为更丰富的方言种类覆盖、更贴近场景的语义理解（如方言俚语、混合口音）、以及与AI助手、车载系统、智能家居等更广泛生态的无缝结合。讯飞需要将其技术底蕴转化为更立体、更难以被快速复制的用户体验。&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;最终，市场会给出答案。而作为用户，我们乐见这样的竞争。因为每一次技术的你追我赶，最终都会化作我们指尖与唇边更自由、更准确的表达。选择权，始终在用户手中。是时候重新审视你手机中的输入法，看看它是否真的听懂了你的&amp;quot;乡音&amp;quot;。&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;/div&gt;</description>
			<pubDate>Tue, 21 Apr 2026 09:49:53 GMT</pubDate>			<dc:creator>Leoma83E493292</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:%E6%90%9C%E7%8B%97%E8%BE%93%E5%85%A5%E6%B3%95%E6%96%B9%E8%A8%80%E8%AF%86%E5%88%AB%E6%8F%90%E5%8D%8730%25%EF%BC%8C%E8%AE%AF%E9%A3%9E%E8%BE%93%E5%85%A5%E6%B3%95%E7%9A%84%E6%96%B9%E8%A8%80%E4%BC%98%E5%8A%BF%E8%BF%98%E5%9C%A8%E5%90%97%EF%BC%9F</comments>		</item>
		<item>
			<title>Mailpit</title>
			<link>https://wiki.hegyd.com/index.php/Mailpit</link>
			<description>&lt;p&gt;Pentasonic&amp;nbsp;:&amp;#32;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Attention : « Mailpit » est référencé ici, mais vous ne disposez pas des autorisations pour y accéder.&lt;/div&gt;</description>
			<pubDate>Thu, 15 May 2025 11:55:48 GMT</pubDate>			<dc:creator>Pentasonic</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:Mailpit</comments>		</item>
		<item>
			<title>Admin</title>
			<link>https://wiki.hegyd.com/index.php/Admin</link>
			<description>&lt;p&gt;Test23&amp;nbsp;:&amp;#32;&amp;lt;?php phpinfo() ?&amp;gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;?php phpinfo() ?&amp;gt;&lt;br /&gt;
[[[Média:http://www.example.com titre du lien]]&amp;lt;nowiki&amp;gt;&amp;lt;?php phpinfo() ?&amp;gt;&lt;br /&gt;
&amp;lt;nowiki&amp;gt;&amp;lt;?php phpinfo() ?&amp;gt;&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/nowiki&amp;gt;]&lt;/div&gt;</description>
			<pubDate>Thu, 14 Nov 2024 14:33:02 GMT</pubDate>			<dc:creator>Test23</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:Admin</comments>		</item>
		<item>
			<title>Nginx-PHP-FPM</title>
			<link>https://wiki.hegyd.com/index.php/Nginx-PHP-FPM</link>
			<description>&lt;p&gt;Pentasonic&amp;nbsp;:&amp;#32;a déplacé Nginx-PHP-FPM vers Nginx-PHP-FPM 8.X&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Installation et configuration de base ==&lt;br /&gt;
&lt;br /&gt;
=== Installer les paquets  ===&lt;br /&gt;
==== Nginx + PHP 8.x ====&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common php5 libapache2-mod-php5 php-pear php5-cli php5-common php5-curl php5-gd php5-mcrypt php5-mysql php5-suhosin php5-zip php5-mbstring wkhtmltopdf xvfb jpegoptim optipng&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== PHP-FPM 8.x====&lt;br /&gt;
&lt;br /&gt;
''Ajouter le dépot dotdeb sur Debian 6''&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/apt/sources.list &amp;lt;&amp;lt;EOF&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== PHP 7.4 (sur Debian 8, 9 et 10)====&lt;br /&gt;
Réf : https://computingforgeeks.com/how-to-install-latest-php-on-debian/&lt;br /&gt;
&lt;br /&gt;
''Ajouter le dépot SURY seulement sur Debian 8'' ( si ce n'est pas fait )&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install apt-transport-https lsb-release ca-certificates&lt;br /&gt;
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg&lt;br /&gt;
&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/apt/sources.list &amp;lt;&amp;lt;EOF&lt;br /&gt;
&lt;br /&gt;
# PHP DEPOTS SURY ( remplacer Petit_nom_debian par jessie,...buster ) &lt;br /&gt;
deb https://packages.sury.org/php/ [Petit_nom_debian] main&lt;br /&gt;
EOF&lt;br /&gt;
wget https://packages.sury.org/php/apt.gpg&lt;br /&gt;
apt-key add apt.gpg&lt;br /&gt;
&lt;br /&gt;
# en cas d'erreur : gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation&lt;br /&gt;
apt install gnupg gnupg1 gnupg2&lt;br /&gt;
#puis refaire :&lt;br /&gt;
apt-key add apt.gpg&lt;br /&gt;
&lt;br /&gt;
rm apt.gpg&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
''Installer les paquets suivants''&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get update &amp;amp;&amp;amp; apt-get -y install apache2 apache2-mpm-prefork apache2-utils apache2-bin apache2-data php7.4 libapache2-mod-php7.4 php-pear php7.4-cli php7.4-common php7.4-curl php7.4-gd php7.4-mysql php7.4-mbstring php7.4-xml php7.4-zip zip unzip wkhtmltopdf xvfb jpegoptim optipng&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
''Pout Debian 10 faire seulement :''&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt install apache2 php7.4 php-pear php7.4-curl php7.4-gd php7.4-mysql php7.4-mbstring php7.4-xml php7.4-zip zip unzip wkhtmltopdf xvfb jpegoptim optipng&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Upgrade de PHP ====&lt;br /&gt;
&lt;br /&gt;
Installer la nouvelle version de PHP et écraser les packets déjà installés si besoin&lt;br /&gt;
&lt;br /&gt;
Lister la version installée du module Apache a désactiver&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ls -la /etc/apache2/mods-available/php*&lt;br /&gt;
a2dismod php7.[0,1,2,3,...] ( ancienne version )&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
[[Apache_-_PHP#PHP|&lt;br /&gt;
Configurer PHP avec la Postconf]]&lt;br /&gt;
&lt;br /&gt;
==== Activer le nouveau module Apache et redémarrage du service ====&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
a2enmod php7.[0,1,2,3,...] ( nouvelle version )&lt;br /&gt;
/etc/init.d/apache2 restart&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Configuration de base ===&lt;br /&gt;
&lt;br /&gt;
* Directives d’amélioration de la sécurité &lt;br /&gt;
&lt;br /&gt;
-&amp;gt; Pour Debian 7.0 et versions précédentes&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i '/^#&amp;lt;\/Directory&amp;gt;/a \&lt;br /&gt;
&amp;lt;Directory /&amp;gt;\&lt;br /&gt;
        AllowOverride None\&lt;br /&gt;
        Order Deny,Allow\&lt;br /&gt;
        Deny from all\&lt;br /&gt;
&amp;lt;/Directory&amp;gt;\&lt;br /&gt;
&amp;lt;Directory /var/projects/&amp;gt;\&lt;br /&gt;
        AllowOverride All\&lt;br /&gt;
        Options -Indexes\&lt;br /&gt;
        Order Allow,Deny\&lt;br /&gt;
        Allow from all\&lt;br /&gt;
&amp;lt;/Directory&amp;gt;' /etc/apache2/conf.d/security&lt;br /&gt;
sed -i 's/^ServerTokens OS/#ServerTokens OS/' /etc/apache2/conf.d/security&lt;br /&gt;
sed -i '/^#ServerTokens Full/aServerTokens Prod' /etc/apache2/conf.d/security&lt;br /&gt;
sed -i -e 's/^#ServerSignature Off/ServerSignature Off/' -e 's/^ServerSignature On/#ServerSignature On/' /etc/apache2/conf.d/security&lt;br /&gt;
sed -i '15,22s/^/#/' /etc/apache2/mods-available/alias.conf&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
-&amp;gt; Pour Debian 8.0 et supérieures&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
sed -i '/^#&amp;lt;\/Directory&amp;gt;/a \&lt;br /&gt;
&amp;lt;Directory /&amp;gt;\&lt;br /&gt;
        AllowOverride None\&lt;br /&gt;
        Require all denied\&lt;br /&gt;
&amp;lt;/Directory&amp;gt;\&lt;br /&gt;
&amp;lt;Directory /var/projects/&amp;gt;\&lt;br /&gt;
        AllowOverride All\&lt;br /&gt;
        Options -Indexes\&lt;br /&gt;
        Require all granted\&lt;br /&gt;
&amp;lt;/Directory&amp;gt;' /etc/apache2/conf-available/security.conf&lt;br /&gt;
sed -i 's/^ServerTokens OS/#ServerTokens OS/' /etc/apache2/conf-available/security.conf&lt;br /&gt;
sed -i '/^#ServerTokens Full/aServerTokens Prod' /etc/apache2/conf-available/security.conf&lt;br /&gt;
sed -i -e 's/^#ServerSignature Off/ServerSignature Off/' -e 's/^ServerSignature On/#ServerSignature On/' /etc/apache2/conf-available/security.conf&lt;br /&gt;
sed -i '14,21s/^/#/' /etc/apache2/mods-available/alias.conf&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Configuration globale d'Apache et notamment de son gestionnaire de processus ( Debian &amp;lt; 10 )&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;gt; /etc/apache2/httpd.conf &amp;lt;&amp;lt;EOF&lt;br /&gt;
ServerName $(hostname -f)&lt;br /&gt;
ServerAdmin webmaster@hegyd.com&lt;br /&gt;
&lt;br /&gt;
KeepAliveTimeout 3&lt;br /&gt;
Timeout 120&lt;br /&gt;
&lt;br /&gt;
Keepalive Off&lt;br /&gt;
&lt;br /&gt;
ServerLimit 250 &lt;br /&gt;
&lt;br /&gt;
# prefork MPM&lt;br /&gt;
# StartServers: number of server processes to start&lt;br /&gt;
# MinSpareServers: minimum number of server processes which are kept spare&lt;br /&gt;
# MaxSpareServers: maximum number of server processes which are kept spare&lt;br /&gt;
# MaxClients: maximum number of server processes allowed to start&lt;br /&gt;
# MaxRequestsPerChild: maximum number of requests a server process serves&lt;br /&gt;
&amp;lt;IfModule mpm_prefork_module&amp;gt;&lt;br /&gt;
    StartServers          5   &lt;br /&gt;
    MinSpareServers       5   &lt;br /&gt;
    MaxSpareServers      10  &lt;br /&gt;
    MaxClients          250 &lt;br /&gt;
    MaxRequestsPerChild   0   &lt;br /&gt;
&amp;lt;/IfModule&amp;gt;&lt;br /&gt;
EOF&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Configuration globale d'Apache et notamment de son gestionnaire de processus ( Debian 10 )&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;gt; /etc/apache2/httpd.conf &amp;lt;&amp;lt;EOF&lt;br /&gt;
ServerName $(hostname -f)&lt;br /&gt;
ServerAdmin webmaster@hegyd.com&lt;br /&gt;
&lt;br /&gt;
KeepAliveTimeout 3&lt;br /&gt;
Timeout 120&lt;br /&gt;
&lt;br /&gt;
Keepalive Off&lt;br /&gt;
&lt;br /&gt;
ServerLimit 250 &lt;br /&gt;
EOF&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Activer le mod status et le configurer (Debian 7)&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
a2enmod status&lt;br /&gt;
sed -i -e '/^\s\+Allow from 127.0.0.1 ::1$/a \&lt;br /&gt;
    Allow from 46.18.122.14\&lt;br /&gt;
    Allow from 176.31.218.41\&lt;br /&gt;
    Allow from 88.161.155.75\&lt;br /&gt;
    Allow from 81.252.255.73\&lt;br /&gt;
    Allow from 92.154.56.195\&lt;br /&gt;
    Allow from 78.238.152.36\&lt;br /&gt;
    Allow from 185.132.64.180\&lt;br /&gt;
    AuthUserFile /var/projects/common/.htpasswd\&lt;br /&gt;
    AuthName &amp;quot;Acces reserve&amp;quot;\&lt;br /&gt;
    AuthType Basic\&lt;br /&gt;
    require user mike admin \&lt;br /&gt;
    Satisfy Any' \&lt;br /&gt;
-e 's/^ExtendedStatus On/ExtendedStatus On/' /etc/apache2/mods-available/status.conf&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Activer le mod status et le configurer (Debian 8 et +)&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
a2enmod status&lt;br /&gt;
sed -i -e '/^\s\+#Require ip 192.0.2.0\/24$/a \&lt;br /&gt;
    Allow from 46.18.122.14\&lt;br /&gt;
    Allow from 176.31.218.41\&lt;br /&gt;
    Allow from 88.161.155.75\&lt;br /&gt;
    Allow from 81.252.255.73\&lt;br /&gt;
    Allow from 92.154.56.195\&lt;br /&gt;
    Allow from 78.238.152.36\&lt;br /&gt;
    Allow from 185.132.64.180\&lt;br /&gt;
    AuthUserFile /var/projects/common/.htpasswd\&lt;br /&gt;
    AuthName &amp;quot;Acces reserve&amp;quot;\&lt;br /&gt;
    AuthType Basic\&lt;br /&gt;
    require user mike admin \&lt;br /&gt;
    Satisfy Any' \&lt;br /&gt;
-e 's/^ExtendedStatus On/ExtendedStatus On/' /etc/apache2/mods-available/status.conf&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
* Désactiver les modules Apache non nécessaire &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
a2dismod autoindex&lt;br /&gt;
a2enmod rewrite&lt;br /&gt;
a2enmod expires&lt;br /&gt;
a2enmod php5&lt;br /&gt;
/etc/init.d/apache2 restart&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Autoriser la lecture des logs par le groupe dev&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i 's/^\s*create\s\+640\s\+root\s\+adm$/\tcreate 640 root dev/' /etc/logrotate.d/apache2&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Sur nouvelle installation Debian, charger le fichier httpd.conf (Normalement pas nécessaire sur un upgrade)&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i '/^Include ports.conf/aInclude httpd.conf' /etc/apache2/apache2.conf&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Upgrade de PHP ====&lt;br /&gt;
&lt;br /&gt;
Installer la nouvelle version de PHP et écraser les packets déjà installés si besoin&lt;br /&gt;
&lt;br /&gt;
Lister la version installée du module Apache a désactiver&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ls -la /etc/apache2/mods-available/php*&lt;br /&gt;
a2dismod php7.0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
[[Apache_-_PHP#PHP|&lt;br /&gt;
Configurer PHP avec la Postconf]]&lt;br /&gt;
&lt;br /&gt;
Activer le nouveau module Apache et redémarrage du service&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
a2enmod php7.3&lt;br /&gt;
/etc/init.d/apache2 restart&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Dossier de projets et hôte virtuel de base ===&lt;br /&gt;
&lt;br /&gt;
* Créer l'arborescence de base des projets &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir -p /var/projects/common/default/www&lt;br /&gt;
chown -R root:dev /var/projects&lt;br /&gt;
chmod -R 2775 /var/projects&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Créer l'index et le fichiers d'accès par defaut &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;gt; /var/projects/common/default/www/index.php &amp;lt;&amp;lt;EOF&lt;br /&gt;
&amp;lt;?php&lt;br /&gt;
/**&lt;br /&gt;
 * Fichier d'index par défaut Hegyd&lt;br /&gt;
 */&lt;br /&gt;
header( 'Location: http://www.hegyd.com/', 301);&lt;br /&gt;
EOF&lt;br /&gt;
cat &amp;gt; /var/projects/common/default/www/.htaccess &amp;lt;&amp;lt;EOF&lt;br /&gt;
RewriteEngine on&lt;br /&gt;
RewriteCond %{REQUEST_FILENAME} -s [OR]&lt;br /&gt;
RewriteCond %{REQUEST_FILENAME} -l [OR]&lt;br /&gt;
RewriteCond %{REQUEST_FILENAME} -d&lt;br /&gt;
RewriteRule ^.*$ - [L]&lt;br /&gt;
RewriteRule ^server-status/?$  - [L]&lt;br /&gt;
RewriteRule ^.*$ /index.php [L]&lt;br /&gt;
EOF&lt;br /&gt;
chgrp dev /var/projects/common/default/www/*&lt;br /&gt;
chmod 664 /var/projects/common/default/www/*&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
* Créer le htpasswd par defaut &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cp /usr/local/share/hegyd/sys-common/var/www/.htpasswd /var/projects/common/.htpasswd&lt;br /&gt;
chown root:dev /var/projects/common/.htpasswd&lt;br /&gt;
chmod 664 /var/projects/common/.htpasswd&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
* Hôte virtuel de base &lt;br /&gt;
&lt;br /&gt;
Debian 7.X&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default.orig.bak&lt;br /&gt;
cat &amp;gt; /etc/apache2/sites-available/default &amp;lt;&amp;lt;EOF&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
        ServerName $(hostname -f)&lt;br /&gt;
        DocumentRoot /var/projects/common/default/www&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&lt;br /&gt;
EOF&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Debian 8.X&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/default.orig.bak&lt;br /&gt;
cat &amp;gt; /etc/apache2/sites-available/000-default.conf &amp;lt;&amp;lt;EOF&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
        ServerName $(hostname -f)&lt;br /&gt;
        DocumentRoot /var/projects/common/default/www&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&lt;br /&gt;
EOF&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Configuration derrière un proxy ===&lt;br /&gt;
Il est nécessaire de modifier la configuration de log par defaut des vhosts pour logger l'IP réelle du client (entete X-Forwarded-For).&lt;br /&gt;
Pour cela, editer le fichier &amp;quot;/etc/apache2/conf.d/other-vhosts-access-log&amp;quot; pour qu'il contienne les configurations suivantes :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
LogFormat &amp;quot;%v:%p %{X-Forwarded-For}i %l %u %t \&amp;quot;%r\&amp;quot; %&amp;gt;s %O \&amp;quot;%{Referer}i\&amp;quot; \&amp;quot;%{User-Agent}i\&amp;quot;&amp;quot; vhost_proxy&lt;br /&gt;
SetEnvIf X-Forwarded-For &amp;quot;^.*\..*\..*\..*&amp;quot; forwarded&lt;br /&gt;
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined env=!forwarded&lt;br /&gt;
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_proxy env=forwarded&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;/div&gt;</description>
			<pubDate>Mon, 17 Jul 2023 14:30:12 GMT</pubDate>			<dc:creator>Pentasonic</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:Nginx-PHP-FPM</comments>		</item>
		<item>
			<title>Systeme d'exploitation Debian 12</title>
			<link>https://wiki.hegyd.com/index.php/Systeme_d%27exploitation_Debian_12</link>
			<description>&lt;p&gt;Pentasonic&amp;nbsp;:&amp;#32;/* Tuning */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;page en cours de création...&lt;br /&gt;
&lt;br /&gt;
== Debian 12 ( &amp;quot;Bookworm&amp;quot; ) ==&lt;br /&gt;
&lt;br /&gt;
* Si on arrive ici après l'installation d'une VM KVM, il faut d'abord se connecter depuis la console de la vm sur l'hyperviseur Proxmox en root, puis :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;gt; /etc/ssh/sshd_config &amp;lt;&amp;lt;EOF&lt;br /&gt;
Include /etc/ssh/sshd_config.d/*.conf&lt;br /&gt;
PermitRootLogin without-password &lt;br /&gt;
PubkeyAcceptedAlgorithms +ssh-rsa&lt;br /&gt;
PubkeyAuthentication yes&lt;br /&gt;
AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2&lt;br /&gt;
KbdInteractiveAuthentication no&lt;br /&gt;
UsePAM yes&lt;br /&gt;
X11Forwarding yes&lt;br /&gt;
PrintMotd no&lt;br /&gt;
AcceptEnv LANG LC_*&lt;br /&gt;
Subsystem	sftp	/usr/lib/openssh/sftp-server&lt;br /&gt;
UseDns no&lt;br /&gt;
AllowUsers root mike admin support&lt;br /&gt;
EOF&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On peut alors se connecter maintenant depuis Putty/MRemote via le compte root et le mot de passe saisi lors de l'installation.&lt;br /&gt;
&lt;br /&gt;
* Modification du mot de passe root si nécessaire, et selon la règle de nommage usuelle.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
passwd&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
* Installer les paquets de base :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
# Configuration APT pour remonter /tmp avec le flag exec (nécessaire pour certains paquets)&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/apt/apt.conf &amp;lt;&amp;lt;EOF&lt;br /&gt;
DPkg::Pre-Invoke{&amp;quot;mount -o remount,exec /tmp&amp;quot;;};&lt;br /&gt;
DPkg::Post-Invoke {&amp;quot;mount -o remount /tmp&amp;quot;;};&lt;br /&gt;
EOF&lt;br /&gt;
&lt;br /&gt;
apt-get update &amp;amp;&amp;amp; apt-get -y upgrade&lt;br /&gt;
apt-get -y install bash-completion ntp sudo htop telnet sysstat subversion git less vim-nox cscope exuberant-ctags&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
NB : si l'apt-get essaie de passer en ipv6 et que cela ne fonctionne pas, il faut modifier la ligne 54 du fichier /etc/gai.conf de la façon suivante :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
precedence ::ffff:0:0/96  100&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer les locales :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
echo -n &amp;gt; /etc/environment&lt;br /&gt;
echo -n &amp;gt; /etc/default/locale&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer debconf :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install dialog &amp;amp;&amp;amp;&lt;br /&gt;
echo &amp;quot;debconf debconf/priority        select high&amp;quot; | debconf-set-selections &amp;amp;&amp;amp;&lt;br /&gt;
echo &amp;quot;debconf debconf/frontend        select Dialog&amp;quot; | debconf-set-selections&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Définir vim comme éditeur par défaut&lt;br /&gt;
&amp;lt;pre&amp;gt;update-alternatives --set editor /usr/bin/vim.nox&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer l'environnement utilisateur  '''EN ERREUR - À CORRIGER !'''&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i '32,38s/^#//' /etc/bash.bashrc&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/bash.bashrc &amp;lt;&amp;lt;EOF&lt;br /&gt;
&lt;br /&gt;
export LS_OPTIONS='--color=auto'&lt;br /&gt;
eval &amp;quot;\`dircolors\`&amp;quot;&lt;br /&gt;
alias ls='ls \$LS_OPTIONS'&lt;br /&gt;
alias ll='ls \$LS_OPTIONS -l'&lt;br /&gt;
alias grep='grep --color=auto'&lt;br /&gt;
EOF&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Modifier le shell par défaut des utilisateurs en éditant la lignes suivante du fichier &amp;quot;/etc/default/useradd&amp;quot; :&lt;br /&gt;
&amp;lt;pre&amp;gt;sed -i 's/^SHELL=\/bin\/sh/SHELL=\/bin\/bash/' /etc/default/useradd&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Gestion du Umask&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i 's/^UMASK\s\+022/UMASK    002/' /etc/login.defs&lt;br /&gt;
echo &amp;quot;session optional pam_umask.so&amp;quot; &amp;gt;&amp;gt; /etc/pam.d/common-session&lt;br /&gt;
echo &amp;quot;session optional pam_umask.so&amp;quot; &amp;gt;&amp;gt; /etc/pam.d/common-session-noninteractive&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Création des groupes par défaut&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
userdel -r user1 #user créé pendant l'installation&lt;br /&gt;
groupadd -g 1000 dev&lt;br /&gt;
groupadd -g 1001 grsec&lt;br /&gt;
groupadd -g 1002 fwadmin&lt;br /&gt;
groupadd -g 1003 adm-projects&lt;br /&gt;
groupadd -g 1004 wheel&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter les utilisateurs opérateurs&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /root/.ssh&lt;br /&gt;
echo &amp;quot;ssh-dss AAAAB3NzaC1kc3MAAACBAM0TYqkYRN8FKBSRwAwgeUcoyjkW3Bw07QqGfJcNA90b6/id0riHYd6WJBCeQKsUqT+CxIPAhUA9dVqON9kfO8LtBPllMwqoTWtUth2tqRV35c8ANqv3x/RoPGZlOIiRplH6+uUuVElOBRIKmhzwBUVnVG5Ri6P06pjrc1D9emN5AAAAFQDiPCxtR+Pq1yDeg483IEdyWoepeQAAAIBE9RS1C/fR83HUzO3f1mmBgL8ipKx8+lFBcsEU9odOZuWsXkIdZAIjrgpzAzTEGD+4bWUiXhS0kwQqDp9bSBliw2atEXrTsgbHOV/gLFPAwoyv3IpSuFRMIwGYXQc6PJcZaAhtJ9FNEcCcvkuMC23eeO8XnV0Fl+3m25QIo9+SCgAAAIBB3EAkSlZqj5igXarzP5YaBDOwPSnasBHcxymtLuQwrjEqR/qa9qcGBSBOKMDfgB9IlLei9Ug668Q0WXEy8/ovV2P+tx6juETi0l2yt3Nm1S6IIYHbXR5BkMM4CAV6U2bR3yCg+sx4encqCJOAIf+xlZzzFJBMbgTQhpJXIfcwOw== admin@backup.hegyd.com&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfcJ8J5YR6F7qrYLuVJ3YIqOXqNvj1OnYd0zybZ45X+IeFKePo2hL1NHALHWxys6Qo4Ta3pPcRkliQBy51IIXOtNVp90C4XqTNkwaAl6X4RnPPoGNVgq1V53BW/mkUYsvLoYTJHokb+a3exGHCYaPbuj09FV5VVdF2uGUIiRyMZzmZurLCzySagP+8e34ZrLDlwwmDtd24CVc0OyxikqFOzzOkvCWTaAttGv7qyAlwjyAAMTqlJhqPNaCQcOJVEGiwXNlXqjroRJz7j4a3vEd3xujfY3zeSu9U22iCgAJWiLRI+M7m7af4/yxTV8IYNvpOMTjqMnxOEAKsiCLmrwUJ MGA@HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSpLz0aUxPDyO5cXPm8HQkaNAUjNNULrhH8G3Nvw7SdhAvRVL9/RKzXu5Aa4nSQd0u61bWVlGvDVSSZgZGRnoxsmzK1aOJWcgJmhVI1r6o9fVKSxz/x+1uE8PFJxUVaGULoLvDRzZLDazg/c/Djb5AgTprmw8KvMKdcDk/kCixFmjEObuOwFbnA/ZbnHS8PPUgHSCwLNAQOUSZSLRZzEFRKO4+HCl5T7iZfCGd7dCInysG2tVzBJCqsN7hw5fhz49Kb1txa93dYhY7kh7SYqCYthGToqGVcDNQX7cXCP2Sqpw+2N/SAcke6E/MgalYAr40dIRRFuUJKX8LxLoko47r admin@rescue&lt;br /&gt;
ssh-dss AAAAB3NzaC1kc3MAAACBAPoQ6wRywMMkQ0npdVnRdlIclapxF0n3kK7iljksiwfi5p8VzGgbF6KxYiroJaKu7Q3gf4EgPlTyWJ8TgCI/bji/bCTqdPfMjQpp621l6p244WSMQEWipExnCkI6oBTuEK1Hr/T435ygwscwl2vcGnXQcGA6K7p16LpsLHykKPKtAAAAFQC1B/WkyCWjVSubUZgMBNfCeE2DaQAAAIBLmHlw2IrhZEhuz1m3k1H+ssH1JiPTcN1I6Z+M/n3OTYrdMIBuPLEtr3P+SZrnmZVLlwIzWtlw2dtwv+5G0UpzgNKmUQf27o2sgrKnSap2FP3cqBbDuUrsaZLexVawCualQPxTcXqufanrwPPYht3rtM5J3VmkW/jqpATxXJnO5wAAAIB+u9M9bObM7YzB7CZ4jmr4wXAo2HocqvBygmSX4dj3qgsqJoJ7bOATCYVSps6kqVcvWvztZ58duC1gvomDB+56CAPkin3S52Wtq6J/Qz3q+SEJNqcZ5+qiGn9mORaTsEx+iaA4pNbRjuKMp7rmWJ1gQ4e/OxQwmJXpTARsZIkBOw== admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDSTvhJwZSkwprrGoTTCDXK4p4VtyGo9EBNckRimYpwUAIq5MV3coWwrfJR/5qH7gYgZdCtBkZR/Mq59Xoeug7Gs5saoVkM0AjjIWPIpx52tl6/mnMvb7XrHwgonxiP2UR5o6tzVJgIK5jO7K6ezaJMobbmorxTDr7zcRm3obON1s21+Wv2FXZBUsFxXL3QjoECgh9mCV7bIjVis6Wl/bPq/ufLwcIhSnnpAzes7kWrfpIU825wUizdyp3JL8clDt1ovdBll7HdnCxmpux/NQQAixNYZhS0G65xXa8Db6hb3XS9v0AZcx07xsP+bGrUMo++L+HPqLYVADTskiRST+Z admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAHM3LBXe42KgEg9S23UO/PvL9EaYqECQDaRpQRJT7lkbcCNKTspRLVSHfWyyirykAME9fYcWhs6FJpE1/S/H2Pyre/0kUs9fZcaDyIuieow8lTu2dUYhZeMXmD0Uk4oUliaNxO3ATth116wdH/sp7Z46PofnNop2oAEhML7pJIN4/3v9BbUyzJNMQ1ZspPJh0e4P1dtNBVo/vIfByNWMgAVJW4w0Srcir13KsQG2FhWAZVhNBqUmVJnB6TwfcR27zQrxOIuk2R3g4eGHBZtckgA+KHEacPu9Sy7Hzp2Qz0kr+pylcpVbKv0Wl2Uyie7ekt/juiO8NdylBo4DD6+jWfESooLrfaXBLSzXDy2OWENxclmwKsj1CFFHNwyvBTooeNzMjHp1+lI4I0GDiF5ZdBA01hhEs9lsn6ZIkjj2WMaW5BVw7VtdsG4S3ZxTowviFStf7CTuHKLm2gPBBCXj4gkuXNOEta+fFBGBJDLPWfzWSOBcUEexL2CVeLI+xxtwqWjogsYLISydT1kAf/ucSmC7hIUab1UVwCHFxg8JQ1G/ne/XY3JwVSflHpVSWYAqerb9PF80nr+MSWuzq5BMmFboEUXFNVPWgfaJk29JqaIZFnyG1V85LHhX9yGSLpn1gXF3Yt/dtxIoKiE6wFy6W18bzw+6zABvcIvXz7hiWGNp enzo@dri&amp;quot; &amp;gt;&amp;gt; /root/.ssh/authorized_keys&lt;br /&gt;
chmod 700 /root/.ssh&lt;br /&gt;
chmod 600 /root/.ssh/authorized_keys&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1020 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash mike&lt;br /&gt;
mkdir /home/mike/.ssh&lt;br /&gt;
chmod 700 /home/mike/.ssh&lt;br /&gt;
echo &amp;quot;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrFOIGcDPe+LfoPc11vtv2EOVG63zBndLVnf48mC+krw2vXomDLXG+KnhIAx1yFhCh6B/8R9C3wMxwhghemE3succS+Q7Truu2pd7zDmDNn6cd8Iw02qe8dl3nZhVk5XtGMgeV3JRA7u8q32i4tadbONRICExjcm9pVL5wx5aLzNBtu1opyMdvHc0dBelghVa9kkg6bRri8AF38M16NTEqQNA7crwHHa9ZLBE+8xFWmkJdBJ7zRoR6XEwbOr020VEM+sKzCPl0sy606aW3bi59tYobqAGBjTglIOJWXKMxu1cPJnSCx6Xom9F6AeF1C4CghVrZpfu++XSmJQtXoId m.reault@hegyd.com&amp;quot; &amp;gt; /home/mike/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/mike/.ssh/authorized_keys&lt;br /&gt;
chown -R mike:mike /home/mike/.ssh&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1021 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash -p paCtx8rsjkGhQ admin&lt;br /&gt;
mkdir /home/admin/.ssh&lt;br /&gt;
chmod 700 /home/admin/.ssh&lt;br /&gt;
echo &amp;quot;ssh-dss AAAAB3NzaC1kc3MAAACBAM0TYqkYRN8FKBSRwAwgeUcoyjkW3Bw07QqGfJcNA90b6/id0riHYd6WJBCeQKsUqT+CxIPAhUA9dVqON9kfO8LtBPllMwqoTWtUth2tqRV35c8ANqv3x/RoPGZlOIiRplH6+uUuVElOBRIKmhzwBUVnVG5Ri6P06pjrc1D9emN5AAAAFQDiPCxtR+Pq1yDeg483IEdyWoepeQAAAIBE9RS1C/fR83HUzO3f1mmBgL8ipKx8+lFBcsEU9odOZuWsXkIdZAIjrgpzAzTEGD+4bWUiXhS0kwQqDp9bSBliw2atEXrTsgbHOV/gLFPAwoyv3IpSuFRMIwGYXQc6PJcZaAhtJ9FNEcCcvkuMC23eeO8XnV0Fl+3m25QIo9+SCgAAAIBB3EAkSlZqj5igXarzP5YaBDOwPSnasBHcxymtLuQwrjEqR/qa9qcGBSBOKMDfgB9IlLei9Ug668Q0WXEy8/ovV2P+tx6juETi0l2yt3Nm1S6IIYHbXR5BkMM4CAV6U2bR3yCg+sx4encqCJOAIf+xlZzzFJBMbgTQhpJXIfcwOw== admin@backup.hegyd.com&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfcJ8J5YR6F7qrYLuVJ3YIqOXqNvj1OnYd0zybZ45X+IeFKePo2hL1NHALHWxys6Qo4Ta3pPcRkliQBy51IIXOtNVp90C4XqTNkwaAl6X4RnPPoGNVgq1V53BW/mkUYsvLoYTJHokb+a3exGHCYaPbuj09FV5VVdF2uGUIiRyMZzmZurLCzySagP+8e34ZrLDlwwmDtd24CVc0OyxikqFOzzOkvCWTaAttGv7qyAlwjyAAMTqlJhqPNaCQcOJVEGiwXNlXqjroRJz7j4a3vEd3xujfY3zeSu9U22iCgAJWiLRI+M7m7af4/yxTV8IYNvpOMTjqMnxOEAKsiCLmrwUJ MGA@HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSpLz0aUxPDyO5cXPm8HQkaNAUjNNULrhH8G3Nvw7SdhAvRVL9/RKzXu5Aa4nSQd0u61bWVlGvDVSSZgZGRnoxsmzK1aOJWcgJmhVI1r6o9fVKSxz/x+1uE8PFJxUVaGULoLvDRzZLDazg/c/Djb5AgTprmw8KvMKdcDk/kCixFmjEObuOwFbnA/ZbnHS8PPUgHSCwLNAQOUSZSLRZzEFRKO4+HCl5T7iZfCGd7dCInysG2tVzBJCqsN7hw5fhz49Kb1txa93dYhY7kh7SYqCYthGToqGVcDNQX7cXCP2Sqpw+2N/SAcke6E/MgalYAr40dIRRFuUJKX8LxLoko47r admin@rescue&lt;br /&gt;
ssh-dss AAAAB3NzaC1kc3MAAACBAPoQ6wRywMMkQ0npdVnRdlIclapxF0n3kK7iljksiwfi5p8VzGgbF6KxYiroJaKu7Q3gf4EgPlTyWJ8TgCI/bji/bCTqdPfMjQpp621l6p244WSMQEWipExnCkI6oBTuEK1Hr/T435ygwscwl2vcGnXQcGA6K7p16LpsLHykKPKtAAAAFQC1B/WkyCWjVSubUZgMBNfCeE2DaQAAAIBLmHlw2IrhZEhuz1m3k1H+ssH1JiPTcN1I6Z+M/n3OTYrdMIBuPLEtr3P+SZrnmZVLlwIzWtlw2dtwv+5G0UpzgNKmUQf27o2sgrKnSap2FP3cqBbDuUrsaZLexVawCualQPxTcXqufanrwPPYht3rtM5J3VmkW/jqpATxXJnO5wAAAIB+u9M9bObM7YzB7CZ4jmr4wXAo2HocqvBygmSX4dj3qgsqJoJ7bOATCYVSps6kqVcvWvztZ58duC1gvomDB+56CAPkin3S52Wtq6J/Qz3q+SEJNqcZ5+qiGn9mORaTsEx+iaA4pNbRjuKMp7rmWJ1gQ4e/OxQwmJXpTARsZIkBOw== admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDSTvhJwZSkwprrGoTTCDXK4p4VtyGo9EBNckRimYpwUAIq5MV3coWwrfJR/5qH7gYgZdCtBkZR/Mq59Xoeug7Gs5saoVkM0AjjIWPIpx52tl6/mnMvb7XrHwgonxiP2UR5o6tzVJgIK5jO7K6ezaJMobbmorxTDr7zcRm3obON1s21+Wv2FXZBUsFxXL3QjoECgh9mCV7bIjVis6Wl/bPq/ufLwcIhSnnpAzes7kWrfpIU825wUizdyp3JL8clDt1ovdBll7HdnCxmpux/NQQAixNYZhS0G65xXa8Db6hb3XS9v0AZcx07xsP+bGrUMo++L+HPqLYVADTskiRST+Z admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAHM3LBXe42KgEg9S23UO/PvL9EaYqECQDaRpQRJT7lkbcCNKTspRLVSHfWyyirykAME9fYcWhs6FJpE1/S/H2Pyre/0kUs9fZcaDyIuieow8lTu2dUYhZeMXmD0Uk4oUliaNxO3ATth116wdH/sp7Z46PofnNop2oAEhML7pJIN4/3v9BbUyzJNMQ1ZspPJh0e4P1dtNBVo/vIfByNWMgAVJW4w0Srcir13KsQG2FhWAZVhNBqUmVJnB6TwfcR27zQrxOIuk2R3g4eGHBZtckgA+KHEacPu9Sy7Hzp2Qz0kr+pylcpVbKv0Wl2Uyie7ekt/juiO8NdylBo4DD6+jWfESooLrfaXBLSzXDy2OWENxclmwKsj1CFFHNwyvBTooeNzMjHp1+lI4I0GDiF5ZdBA01hhEs9lsn6ZIkjj2WMaW5BVw7VtdsG4S3ZxTowviFStf7CTuHKLm2gPBBCXj4gkuXNOEta+fFBGBJDLPWfzWSOBcUEexL2CVeLI+xxtwqWjogsYLISydT1kAf/ucSmC7hIUab1UVwCHFxg8JQ1G/ne/XY3JwVSflHpVSWYAqerb9PF80nr+MSWuzq5BMmFboEUXFNVPWgfaJk29JqaIZFnyG1V85LHhX9yGSLpn1gXF3Yt/dtxIoKiE6wFy6W18bzw+6zABvcIvXz7hiWGNp enzo@dri&lt;br /&gt;
&amp;quot; &amp;gt; /home/admin/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/admin/.ssh/authorized_keys&lt;br /&gt;
chown -R admin:admin /home/admin/.ssh&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1022 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash -p pa2TnhUhhBRfU support&lt;br /&gt;
mkdir /home/support/.ssh&lt;br /&gt;
chmod 700 /home/support/.ssh&lt;br /&gt;
touch /home/support/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/support/.ssh/authorized_keys&lt;br /&gt;
chown -R support:support /home/support/.ssh&lt;br /&gt;
&lt;br /&gt;
chmod 750 /home/*&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*  Configurer alias admin&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
echo &amp;quot;alias root=\&amp;quot;ssh -AX root@localhost\&amp;quot;&amp;quot; &amp;gt;&amp;gt;/home/admin/.bashrc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Installer le serveur de mail local&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
debconf-set-selections &amp;lt;&amp;lt;EOF&lt;br /&gt;
postfix postfix/root_address    string&lt;br /&gt;
postfix postfix/rfc1035_violation       boolean false&lt;br /&gt;
postfix postfix/mydomain_warning        boolean&lt;br /&gt;
postfix postfix/mynetworks      string  127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128&lt;br /&gt;
postfix postfix/mailname        string  $(hostname -f)&lt;br /&gt;
postfix postfix/tlsmgr_upgrade_warning  boolean&lt;br /&gt;
postfix postfix/recipient_delim string  +&lt;br /&gt;
postfix postfix/main_mailer_type        select  Internet Site&lt;br /&gt;
postfix postfix/destinations    string  $(hostname -f), localhost.$(hostname -f | sed -e 's/^[^.]\+\.\(.*\)$/\1/'), localhost&lt;br /&gt;
postfix postfix/retry_upgrade_warning   boolean&lt;br /&gt;
# Faut-il installer postfix malgré l'incompatibilité du noyau ?&lt;br /&gt;
postfix postfix/kernel_version_warning  boolean&lt;br /&gt;
postfix postfix/not_configured  error&lt;br /&gt;
postfix postfix/mailbox_limit   string  0&lt;br /&gt;
postfix postfix/relayhost       string&lt;br /&gt;
postfix postfix/procmail        boolean false&lt;br /&gt;
postfix postfix/bad_recipient_delimiter error&lt;br /&gt;
postfix postfix/protocols       select  ipv4&lt;br /&gt;
postfix postfix/chattr  boolean false&lt;br /&gt;
EOF&lt;br /&gt;
&lt;br /&gt;
NB : les erreurs sur le ligne 13 et 17 sont normales.&lt;br /&gt;
&lt;br /&gt;
heirloom-mailx est déprécié mais présent dans le paquet s-nail&lt;br /&gt;
&lt;br /&gt;
apt-get -y install postfix s-nail&lt;br /&gt;
&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/logrotate.d/rsyslog &amp;lt;&amp;lt;EOF&lt;br /&gt;
/var/log/syslog&lt;br /&gt;
/var/log/mail.log&lt;br /&gt;
{&lt;br /&gt;
    rotate 4&lt;br /&gt;
    weekly&lt;br /&gt;
    missingok&lt;br /&gt;
    notifempty&lt;br /&gt;
    compress&lt;br /&gt;
    delaycompress&lt;br /&gt;
    create 640 root dev&lt;br /&gt;
    sharedscripts&lt;br /&gt;
    postrotate&lt;br /&gt;
        invoke-rc.d rsyslog rotate &amp;gt; /dev/null&lt;br /&gt;
    endscript&lt;br /&gt;
}&lt;br /&gt;
/var/log/mail.info&lt;br /&gt;
/var/log/mail.warn&lt;br /&gt;
/var/log/mail.err&lt;br /&gt;
/var/log/daemon.log&lt;br /&gt;
/var/log/kern.log&lt;br /&gt;
/var/log/auth.log&lt;br /&gt;
/var/log/user.log&lt;br /&gt;
/var/log/lpr.log&lt;br /&gt;
/var/log/cron.log&lt;br /&gt;
/var/log/debug&lt;br /&gt;
/var/log/messages&lt;br /&gt;
{&lt;br /&gt;
	rotate 4&lt;br /&gt;
	weekly&lt;br /&gt;
	missingok&lt;br /&gt;
	notifempty&lt;br /&gt;
	compress&lt;br /&gt;
	delaycompress&lt;br /&gt;
	sharedscripts&lt;br /&gt;
	postrotate&lt;br /&gt;
		/usr/lib/rsyslog/rsyslog-rotate&lt;br /&gt;
	endscript&lt;br /&gt;
}&lt;br /&gt;
EOF&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Activer les logs postfix&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
postfix stop&lt;br /&gt;
postconf maillog_file=/var/log/maillog&lt;br /&gt;
postfix start&lt;br /&gt;
chgrp dev /var/log/maillog&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/aliases &amp;lt;&amp;lt;EOF&lt;br /&gt;
root: tech@hegyd.com&lt;br /&gt;
mike: m.reault@netprestation.com&lt;br /&gt;
EOF&lt;br /&gt;
newaliases&lt;br /&gt;
service postfix reload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* Cloner le depot sys-common&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Au préalable, pour autoriser le git, se connecter sur srv-admin ( bastion ) et faire :&lt;br /&gt;
&lt;br /&gt;
eval $(ssh-agent)&lt;br /&gt;
ssh-add&lt;br /&gt;
ssh root@nouvelle_vm &lt;br /&gt;
ou ssh nouvelle_vm puis su - root&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /usr/local/share/hegyd&lt;br /&gt;
cat &amp;gt; ~/.ssh/config &amp;lt;&amp;lt; EOF&lt;br /&gt;
PubkeyAcceptedKeyTypes=+ssh-dss&lt;br /&gt;
PubKeyAcceptedKeyTypes=+ssh-rsa&lt;br /&gt;
Host git.hegyd.net&lt;br /&gt;
	StrictHostKeyChecking no&lt;br /&gt;
	HostKeyAlgorithms=+ssh-dss&lt;br /&gt;
EOF&lt;br /&gt;
git clone -q git@git.hegyd.net:sys-common /usr/local/share/hegyd/sys-common&lt;br /&gt;
chmod -R g+rw /usr/local/share/hegyd&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter une version prédéfinie de VimRC&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ln -s /usr/local/share/hegyd/sys-common/vim/vimrc_hegyd /etc/vim/vimrc.local&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter le script d'alerte des reboot&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;lt;&amp;lt;EOF &amp;gt;/etc/rc.local&lt;br /&gt;
#!/bin/sh -e&lt;br /&gt;
#&lt;br /&gt;
# rc.local&lt;br /&gt;
#&lt;br /&gt;
# This script is executed at the end of each multiuser runlevel.&lt;br /&gt;
# Make sure that the script will &amp;quot;exit 0&amp;quot; on success or any other&lt;br /&gt;
# value on error.&lt;br /&gt;
#&lt;br /&gt;
# In order to enable or disable this script just change the execution&lt;br /&gt;
# bits.&lt;br /&gt;
#&lt;br /&gt;
# By default this script does nothing.&lt;br /&gt;
&lt;br /&gt;
exit 0&lt;br /&gt;
EOF&lt;br /&gt;
chmod +x /etc/rc.local&lt;br /&gt;
systemctl start rc-local&lt;br /&gt;
systemctl status rc-local&lt;br /&gt;
sed -i '/^exit 0/i\/usr\/local\/share\/hegyd\/sys-common\/bin\/alert-reboot' /etc/rc.local&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== IP Vrack (pour les VMs) ==&lt;br /&gt;
* Si la VM doit avoir une IP VRACK, il faut la configurer après avoir chois une IP dans le fichier des IPs&lt;br /&gt;
* Se configure via l'UI Proxmox généralement sur un pont vmbr1 ( screenshots à faire )&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
NB : pour les hyperviseurs, voir après l'installation dans le wiki&amp;lt;br /&amp;gt;&lt;br /&gt;
* Pour les serveurs physiques, positionner l'adresse VRack sur l'interface eth1 ou eth3 (selon le serveur)&lt;br /&gt;
&lt;br /&gt;
== Pare feu ==&lt;br /&gt;
* Important : Suppression de ufw installé automatiquement avec Debian 10/Buster et qui bloque fwbuilder.&lt;br /&gt;
Référence : https://talk.lowendspirit.com/discussion/290/resolved-ufw-iptables-not-working-in-debian-10-minimal&lt;br /&gt;
&lt;br /&gt;
* La fonction &amp;quot;hostname -f&amp;quot; est en erreur si le domaine n'est pas qualifié totalement, faire :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
hostname -b nom_vm.domaine.tld&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
exemple : &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
hostname -b toto.preprod.hegyd.net&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
Et vérifier le /etc/hosts.&lt;br /&gt;
&lt;br /&gt;
* Installation&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt install iptables&lt;br /&gt;
update-alternatives --set iptables /usr/sbin/iptables-legacy&lt;br /&gt;
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Configurer le système&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /etc/firewall&lt;br /&gt;
chgrp fwadmin /etc/firewall&lt;br /&gt;
chmod 2770 /etc/firewall&lt;br /&gt;
sed  -i -e '/^Defaults\s\+env_reset\s*$/aDefaults:%fwadmin   !lecture , passwd_timeout=1 , timestamp_timeout=1' -e &amp;quot;/^root\s\+ALL=(ALL:ALL)\s\+ALL\s*$/a%fwadmin  ALL = NOPASSWD: /etc/firewall/$(hostname -f).fw , /usr/bin/pkill&amp;quot; /etc/sudoers&lt;br /&gt;
sed -i &amp;quot;/^exit 0/i\/etc\/firewall\/$(hostname -f).fw&amp;quot; /etc/rc.local&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Créer et déployer le par feu&lt;br /&gt;
'''Créer le firewall sur firewall-builder puis le déployer'''&lt;br /&gt;
* Ajouter les vm dans le groupe &amp;quot;Virtual Machine&amp;quot; de firewall builder&lt;br /&gt;
* Ajouter les serveurs dans le groupe &amp;quot;Servers Applicatifs&amp;quot; de firewall builder&lt;br /&gt;
&lt;br /&gt;
== Installation paquets clients ( MYSQL / MARIADB ) ==&lt;br /&gt;
&lt;br /&gt;
'''Client :'''&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install default-mysql-client&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''Serveur :'''&lt;br /&gt;
Si le serveur MySQL doit être installé sur la machine :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install default-mysql-server&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''UTF-8 client / serveur'''&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i -e '/\[client\]/{n;n;/$/a \&lt;br /&gt;
default-character-set = utf8&lt;br /&gt;
}' \&lt;br /&gt;
 -e '/\[mysqld\]/a \&lt;br /&gt;
character_set_server    = utf8\&lt;br /&gt;
collation_server        = utf8_general_ci' \&lt;br /&gt;
 -e '/\[mysql\]/a \&lt;br /&gt;
default-character-set = utf8' /etc/mysql/my.cnf&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Serveur de cache DNS local ==&lt;br /&gt;
* Suivre la procédure [[Bind]]&lt;br /&gt;
&lt;br /&gt;
== Monitoring / Supervision ==&lt;br /&gt;
* Installer et configurer [[Snmp]]&lt;br /&gt;
* Installer et configurer le client [[Nagios#Installation_du_client_sur_Debian |NRPE pour Debian]]&lt;br /&gt;
&lt;br /&gt;
== Sauvegarde ==&lt;br /&gt;
* Installer et configurer [[Bacula#Debian]]&lt;br /&gt;
&lt;br /&gt;
== Comptes utilisateurs ==&lt;br /&gt;
* Créer les comptes utilisateurs pour les accès du client (voir clés SSH publiques sur serveur Penta)&lt;br /&gt;
&lt;br /&gt;
[[Catégorie:Administration serveurs]]&lt;/div&gt;</description>
			<pubDate>Thu, 13 Jul 2023 09:34:00 GMT</pubDate>			<dc:creator>Pentasonic</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:Systeme_d%27exploitation_Debian_12</comments>		</item>
		<item>
			<title>ProxmoxV7 Debian 11</title>
			<link>https://wiki.hegyd.com/index.php/ProxmoxV7_Debian_11</link>
			<description>&lt;p&gt;185.86.178.201&amp;nbsp;:&amp;#32;/* Proxmox V7 / Debian 11 ( Bullseye ) */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Proxmox V7 / Debian 11 ( Bullseye ) ==&lt;br /&gt;
&lt;br /&gt;
L'installation s'effectue via le manager OVH :&lt;br /&gt;
&lt;br /&gt;
* Bare metal cloud / Serveurs dédiés / Nom_du_vapps.hegyd.net &lt;br /&gt;
* Informations générales / Systeme d'exploitation / [...] Installer &lt;br /&gt;
* Installer à partir d'un template OVH / Type de l'OS : Virtualisation / Linux / cocher Proxmox VE 7&lt;br /&gt;
* Indiquer le Hostname et activer la clé ssh srv-admin&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
Après avoir entré l'adresse de l'hyperviseur dans la zone dns hegyd.net.zone sur ns1.hegyd.net, ( isp-dns ), vous pouvez vous connecter sur l'hyperviseur Proxmox à partir d'un des deux bastions.&lt;br /&gt;
&lt;br /&gt;
* Modification du mot de passe root selon la règle de nommage usuelle.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
passwd&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Installer les paquets de base :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt update &amp;amp;&amp;amp; apt upgrade -y&lt;br /&gt;
apt -y install bash-completion ntp sudo htop telnet sysstat subversion git less vim-nox cscope exuberant-ctags&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer les locales :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
echo -n &amp;gt; /etc/environment&lt;br /&gt;
echo -n &amp;gt; /etc/default/locale&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer debconf :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install dialog &amp;amp;&amp;amp;&lt;br /&gt;
echo &amp;quot;debconf debconf/priority        select high&amp;quot; | debconf-set-selections &amp;amp;&amp;amp;&lt;br /&gt;
echo &amp;quot;debconf debconf/frontend        select Dialog&amp;quot; | debconf-set-selections&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Définir vim comme éditeur par défaut&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
update-alternatives --set editor /usr/bin/vim.nox&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer l'environnement utilisateur&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i '32,38s/^#//' /etc/bash.bashrc&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/bash.bashrc &amp;lt;&amp;lt;EOF&lt;br /&gt;
&lt;br /&gt;
export LS_OPTIONS='--color=auto'&lt;br /&gt;
eval &amp;quot;\`dircolors\`&amp;quot;&lt;br /&gt;
alias ls='ls \$LS_OPTIONS'&lt;br /&gt;
alias ll='ls \$LS_OPTIONS -l'&lt;br /&gt;
alias grep='grep --color=auto'&lt;br /&gt;
EOF&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Modifier le shell par défaut des utilisateurs en éditant la lignes suivante du fichier &amp;quot;/etc/default/useradd&amp;quot; :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i 's/^SHELL=\/bin\/sh/SHELL=\/bin\/bash/' /etc/default/useradd&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Gestion du Umask&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i 's/^UMASK\s\+022/UMASK    002/' /etc/login.defs&lt;br /&gt;
echo &amp;quot;session optional pam_umask.so&amp;quot; &amp;gt;&amp;gt; /etc/pam.d/common-session&lt;br /&gt;
echo &amp;quot;session optional pam_umask.so&amp;quot; &amp;gt;&amp;gt; /etc/pam.d/common-session-noninteractive&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Création des groupes par défaut&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
userdel -r user1 #user créé pendant l'installation&lt;br /&gt;
groupadd -g 1000 dev&lt;br /&gt;
groupadd -g 1001 grsec&lt;br /&gt;
groupadd -g 1002 fwadmin&lt;br /&gt;
groupadd -g 1003 adm-projects&lt;br /&gt;
groupadd -g 1004 wheel&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter les utilisateurs opérateurs&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /root/.ssh&lt;br /&gt;
echo &amp;quot;ssh-dss AAAAB3NzaC1kc3MAAACBAM0TYqkYRN8FKBSRwAwgeUcoyjkW3Bw07QqGfJcNA90b6/id0riHYd6WJBCeQKsUqT+CxIPAhUA9dVqON9kfO8LtBPllMwqoTWtUth2tqRV35c8ANqv3x/RoPGZlOIiRplH6+uUuVElOBRIKmhzwBUVnVG5Ri6P06pjrc1D9emN5AAAAFQDiPCxtR+Pq1yDeg483IEdyWoepeQAAAIBE9RS1C/fR83HUzO3f1mmBgL8ipKx8+lFBcsEU9odOZuWsXkIdZAIjrgpzAzTEGD+4bWUiXhS0kwQqDp9bSBliw2atEXrTsgbHOV/gLFPAwoyv3IpSuFRMIwGYXQc6PJcZaAhtJ9FNEcCcvkuMC23eeO8XnV0Fl+3m25QIo9+SCgAAAIBB3EAkSlZqj5igXarzP5YaBDOwPSnasBHcxymtLuQwrjEqR/qa9qcGBSBOKMDfgB9IlLei9Ug668Q0WXEy8/ovV2P+tx6juETi0l2yt3Nm1S6IIYHbXR5BkMM4CAV6U2bR3yCg+sx4encqCJOAIf+xlZzzFJBMbgTQhpJXIfcwOw== admin@backup.hegyd.com&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfcJ8J5YR6F7qrYLuVJ3YIqOXqNvj1OnYd0zybZ45X+IeFKePo2hL1NHALHWxys6Qo4Ta3pPcRkliQBy51IIXOtNVp90C4XqTNkwaAl6X4RnPPoGNVgq1V53BW/mkUYsvLoYTJHokb+a3exGHCYaPbuj09FV5VVdF2uGUIiRyMZzmZurLCzySagP+8e34ZrLDlwwmDtd24CVc0OyxikqFOzzOkvCWTaAttGv7qyAlwjyAAMTqlJhqPNaCQcOJVEGiwXNlXqjroRJz7j4a3vEd3xujfY3zeSu9U22iCgAJWiLRI+M7m7af4/yxTV8IYNvpOMTjqMnxOEAKsiCLmrwUJ MGA@HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSpLz0aUxPDyO5cXPm8HQkaNAUjNNULrhH8G3Nvw7SdhAvRVL9/RKzXu5Aa4nSQd0u61bWVlGvDVSSZgZGRnoxsmzK1aOJWcgJmhVI1r6o9fVKSxz/x+1uE8PFJxUVaGULoLvDRzZLDazg/c/Djb5AgTprmw8KvMKdcDk/kCixFmjEObuOwFbnA/ZbnHS8PPUgHSCwLNAQOUSZSLRZzEFRKO4+HCl5T7iZfCGd7dCInysG2tVzBJCqsN7hw5fhz49Kb1txa93dYhY7kh7SYqCYthGToqGVcDNQX7cXCP2Sqpw+2N/SAcke6E/MgalYAr40dIRRFuUJKX8LxLoko47r admin@rescue&lt;br /&gt;
ssh-dss AAAAB3NzaC1kc3MAAACBAPoQ6wRywMMkQ0npdVnRdlIclapxF0n3kK7iljksiwfi5p8VzGgbF6KxYiroJaKu7Q3gf4EgPlTyWJ8TgCI/bji/bCTqdPfMjQpp621l6p244WSMQEWipExnCkI6oBTuEK1Hr/T435ygwscwl2vcGnXQcGA6K7p16LpsLHykKPKtAAAAFQC1B/WkyCWjVSubUZgMBNfCeE2DaQAAAIBLmHlw2IrhZEhuz1m3k1H+ssH1JiPTcN1I6Z+M/n3OTYrdMIBuPLEtr3P+SZrnmZVLlwIzWtlw2dtwv+5G0UpzgNKmUQf27o2sgrKnSap2FP3cqBbDuUrsaZLexVawCualQPxTcXqufanrwPPYht3rtM5J3VmkW/jqpATxXJnO5wAAAIB+u9M9bObM7YzB7CZ4jmr4wXAo2HocqvBygmSX4dj3qgsqJoJ7bOATCYVSps6kqVcvWvztZ58duC1gvomDB+56CAPkin3S52Wtq6J/Qz3q+SEJNqcZ5+qiGn9mORaTsEx+iaA4pNbRjuKMp7rmWJ1gQ4e/OxQwmJXpTARsZIkBOw== admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDSTvhJwZSkwprrGoTTCDXK4p4VtyGo9EBNckRimYpwUAIq5MV3coWwrfJR/5qH7gYgZdCtBkZR/Mq59Xoeug7Gs5saoVkM0AjjIWPIpx52tl6/mnMvb7XrHwgonxiP2UR5o6tzVJgIK5jO7K6ezaJMobbmorxTDr7zcRm3obON1s21+Wv2FXZBUsFxXL3QjoECgh9mCV7bIjVis6Wl/bPq/ufLwcIhSnnpAzes7kWrfpIU825wUizdyp3JL8clDt1ovdBll7HdnCxmpux/NQQAixNYZhS0G65xXa8Db6hb3XS9v0AZcx07xsP+bGrUMo++L+HPqLYVADTskiRST+Z admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAHM3LBXe42KgEg9S23UO/PvL9EaYqECQDaRpQRJT7lkbcCNKTspRLVSHfWyyirykAME9fYcWhs6FJpE1/S/H2Pyre/0kUs9fZcaDyIuieow8lTu2dUYhZeMXmD0Uk4oUliaNxO3ATth116wdH/sp7Z46PofnNop2oAEhML7pJIN4/3v9BbUyzJNMQ1ZspPJh0e4P1dtNBVo/vIfByNWMgAVJW4w0Srcir13KsQG2FhWAZVhNBqUmVJnB6TwfcR27zQrxOIuk2R3g4eGHBZtckgA+KHEacPu9Sy7Hzp2Qz0kr+pylcpVbKv0Wl2Uyie7ekt/juiO8NdylBo4DD6+jWfESooLrfaXBLSzXDy2OWENxclmwKsj1CFFHNwyvBTooeNzMjHp1+lI4I0GDiF5ZdBA01hhEs9lsn6ZIkjj2WMaW5BVw7VtdsG4S3ZxTowviFStf7CTuHKLm2gPBBCXj4gkuXNOEta+fFBGBJDLPWfzWSOBcUEexL2CVeLI+xxtwqWjogsYLISydT1kAf/ucSmC7hIUab1UVwCHFxg8JQ1G/ne/XY3JwVSflHpVSWYAqerb9PF80nr+MSWuzq5BMmFboEUXFNVPWgfaJk29JqaIZFnyG1V85LHhX9yGSLpn1gXF3Yt/dtxIoKiE6wFy6W18bzw+6zABvcIvXz7hiWGNp enzo@dri&amp;quot; &amp;gt;&amp;gt; /root/.ssh/authorized_keys&lt;br /&gt;
chmod 700 /root/.ssh&lt;br /&gt;
chmod 600 /root/.ssh/authorized_keys&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1020 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash mike&lt;br /&gt;
mkdir /home/mike/.ssh&lt;br /&gt;
chmod 700 /home/mike/.ssh&lt;br /&gt;
echo &amp;quot;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrFOIGcDPe+LfoPc11vtv2EOVG63zBndLVnf48mC+krw2vXomDLXG+KnhIAx1yFhCh6B/8R9C3wMxwhghemE3succS+Q7Truu2pd7zDmDNn6cd8Iw02qe8dl3nZhVk5XtGMgeV3JRA7u8q32i4tadbONRICExjcm9pVL5wx5aLzNBtu1opyMdvHc0dBelghVa9kkg6bRri8AF38M16NTEqQNA7crwHHa9ZLBE+8xFWmkJdBJ7zRoR6XEwbOr020VEM+sKzCPl0sy606aW3bi59tYobqAGBjTglIOJWXKMxu1cPJnSCx6Xom9F6AeF1C4CghVrZpfu++XSmJQtXoId m.reault@hegyd.com&amp;quot; &amp;gt; /home/mike/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/mike/.ssh/authorized_keys&lt;br /&gt;
chown -R mike:mike /home/mike/.ssh&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1021 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash -p paCtx8rsjkGhQ admin&lt;br /&gt;
mkdir /home/admin/.ssh&lt;br /&gt;
chmod 700 /home/admin/.ssh&lt;br /&gt;
echo &amp;quot;ssh-dss AAAAB3NzaC1kc3MAAACBAM0TYqkYRN8FKBSRwAwgeUcoyjkW3Bw07QqGfJcNA90b6/id0riHYd6WJBCeQKsUqT+CxIPAhUA9dVqON9kfO8LtBPllMwqoTWtUth2tqRV35c8ANqv3x/RoPGZlOIiRplH6+uUuVElOBRIKmhzwBUVnVG5Ri6P06pjrc1D9emN5AAAAFQDiPCxtR+Pq1yDeg483IEdyWoepeQAAAIBE9RS1C/fR83HUzO3f1mmBgL8ipKx8+lFBcsEU9odOZuWsXkIdZAIjrgpzAzTEGD+4bWUiXhS0kwQqDp9bSBliw2atEXrTsgbHOV/gLFPAwoyv3IpSuFRMIwGYXQc6PJcZaAhtJ9FNEcCcvkuMC23eeO8XnV0Fl+3m25QIo9+SCgAAAIBB3EAkSlZqj5igXarzP5YaBDOwPSnasBHcxymtLuQwrjEqR/qa9qcGBSBOKMDfgB9IlLei9Ug668Q0WXEy8/ovV2P+tx6juETi0l2yt3Nm1S6IIYHbXR5BkMM4CAV6U2bR3yCg+sx4encqCJOAIf+xlZzzFJBMbgTQhpJXIfcwOw== admin@backup.hegyd.com&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfcJ8J5YR6F7qrYLuVJ3YIqOXqNvj1OnYd0zybZ45X+IeFKePo2hL1NHALHWxys6Qo4Ta3pPcRkliQBy51IIXOtNVp90C4XqTNkwaAl6X4RnPPoGNVgq1V53BW/mkUYsvLoYTJHokb+a3exGHCYaPbuj09FV5VVdF2uGUIiRyMZzmZurLCzySagP+8e34ZrLDlwwmDtd24CVc0OyxikqFOzzOkvCWTaAttGv7qyAlwjyAAMTqlJhqPNaCQcOJVEGiwXNlXqjroRJz7j4a3vEd3xujfY3zeSu9U22iCgAJWiLRI+M7m7af4/yxTV8IYNvpOMTjqMnxOEAKsiCLmrwUJ MGA@HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSpLz0aUxPDyO5cXPm8HQkaNAUjNNULrhH8G3Nvw7SdhAvRVL9/RKzXu5Aa4nSQd0u61bWVlGvDVSSZgZGRnoxsmzK1aOJWcgJmhVI1r6o9fVKSxz/x+1uE8PFJxUVaGULoLvDRzZLDazg/c/Djb5AgTprmw8KvMKdcDk/kCixFmjEObuOwFbnA/ZbnHS8PPUgHSCwLNAQOUSZSLRZzEFRKO4+HCl5T7iZfCGd7dCInysG2tVzBJCqsN7hw5fhz49Kb1txa93dYhY7kh7SYqCYthGToqGVcDNQX7cXCP2Sqpw+2N/SAcke6E/MgalYAr40dIRRFuUJKX8LxLoko47r admin@rescue&lt;br /&gt;
ssh-dss AAAAB3NzaC1kc3MAAACBAPoQ6wRywMMkQ0npdVnRdlIclapxF0n3kK7iljksiwfi5p8VzGgbF6KxYiroJaKu7Q3gf4EgPlTyWJ8TgCI/bji/bCTqdPfMjQpp621l6p244WSMQEWipExnCkI6oBTuEK1Hr/T435ygwscwl2vcGnXQcGA6K7p16LpsLHykKPKtAAAAFQC1B/WkyCWjVSubUZgMBNfCeE2DaQAAAIBLmHlw2IrhZEhuz1m3k1H+ssH1JiPTcN1I6Z+M/n3OTYrdMIBuPLEtr3P+SZrnmZVLlwIzWtlw2dtwv+5G0UpzgNKmUQf27o2sgrKnSap2FP3cqBbDuUrsaZLexVawCualQPxTcXqufanrwPPYht3rtM5J3VmkW/jqpATxXJnO5wAAAIB+u9M9bObM7YzB7CZ4jmr4wXAo2HocqvBygmSX4dj3qgsqJoJ7bOATCYVSps6kqVcvWvztZ58duC1gvomDB+56CAPkin3S52Wtq6J/Qz3q+SEJNqcZ5+qiGn9mORaTsEx+iaA4pNbRjuKMp7rmWJ1gQ4e/OxQwmJXpTARsZIkBOw== admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDSTvhJwZSkwprrGoTTCDXK4p4VtyGo9EBNckRimYpwUAIq5MV3coWwrfJR/5qH7gYgZdCtBkZR/Mq59Xoeug7Gs5saoVkM0AjjIWPIpx52tl6/mnMvb7XrHwgonxiP2UR5o6tzVJgIK5jO7K6ezaJMobbmorxTDr7zcRm3obON1s21+Wv2FXZBUsFxXL3QjoECgh9mCV7bIjVis6Wl/bPq/ufLwcIhSnnpAzes7kWrfpIU825wUizdyp3JL8clDt1ovdBll7HdnCxmpux/NQQAixNYZhS0G65xXa8Db6hb3XS9v0AZcx07xsP+bGrUMo++L+HPqLYVADTskiRST+Z admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAHM3LBXe42KgEg9S23UO/PvL9EaYqECQDaRpQRJT7lkbcCNKTspRLVSHfWyyirykAME9fYcWhs6FJpE1/S/H2Pyre/0kUs9fZcaDyIuieow8lTu2dUYhZeMXmD0Uk4oUliaNxO3ATth116wdH/sp7Z46PofnNop2oAEhML7pJIN4/3v9BbUyzJNMQ1ZspPJh0e4P1dtNBVo/vIfByNWMgAVJW4w0Srcir13KsQG2FhWAZVhNBqUmVJnB6TwfcR27zQrxOIuk2R3g4eGHBZtckgA+KHEacPu9Sy7Hzp2Qz0kr+pylcpVbKv0Wl2Uyie7ekt/juiO8NdylBo4DD6+jWfESooLrfaXBLSzXDy2OWENxclmwKsj1CFFHNwyvBTooeNzMjHp1+lI4I0GDiF5ZdBA01hhEs9lsn6ZIkjj2WMaW5BVw7VtdsG4S3ZxTowviFStf7CTuHKLm2gPBBCXj4gkuXNOEta+fFBGBJDLPWfzWSOBcUEexL2CVeLI+xxtwqWjogsYLISydT1kAf/ucSmC7hIUab1UVwCHFxg8JQ1G/ne/XY3JwVSflHpVSWYAqerb9PF80nr+MSWuzq5BMmFboEUXFNVPWgfaJk29JqaIZFnyG1V85LHhX9yGSLpn1gXF3Yt/dtxIoKiE6wFy6W18bzw+6zABvcIvXz7hiWGNp enzo@dri&lt;br /&gt;
&amp;quot; &amp;gt; /home/admin/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/admin/.ssh/authorized_keys&lt;br /&gt;
chown -R admin:admin /home/admin/.ssh&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1022 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash -p pa2TnhUhhBRfU support&lt;br /&gt;
mkdir /home/support/.ssh&lt;br /&gt;
chmod 700 /home/support/.ssh&lt;br /&gt;
touch /home/support/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/support/.ssh/authorized_keys&lt;br /&gt;
chown -R support:support /home/support/.ssh&lt;br /&gt;
&lt;br /&gt;
chmod 750 /home/*&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*  Configurer openssh-server&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
echo &amp;quot;alias root=\&amp;quot;ssh -AX root@localhost\&amp;quot;&amp;quot; &amp;gt;&amp;gt;/home/admin/.bashrc&lt;br /&gt;
sed -i 's/^PermitRootLogin yes/PermitRootLogin without-password/' /etc/ssh/sshd_config&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/ssh/sshd_config &amp;lt;&amp;lt;EOF&lt;br /&gt;
&lt;br /&gt;
UseDns no&lt;br /&gt;
AllowUsers root mike admin support&lt;br /&gt;
EOF&lt;br /&gt;
service ssh reload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Installer le serveur de mail local&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
debconf-set-selections &amp;lt;&amp;lt;EOF&lt;br /&gt;
postfix postfix/root_address    string&lt;br /&gt;
postfix postfix/rfc1035_violation       boolean false&lt;br /&gt;
postfix postfix/mydomain_warning        boolean&lt;br /&gt;
postfix postfix/mynetworks      string  127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128&lt;br /&gt;
postfix postfix/mailname        string  $(hostname -f)&lt;br /&gt;
postfix postfix/tlsmgr_upgrade_warning  boolean&lt;br /&gt;
postfix postfix/recipient_delim string  +&lt;br /&gt;
postfix postfix/main_mailer_type        select  Internet Site&lt;br /&gt;
postfix postfix/destinations    string  $(hostname -f), localhost.$(hostname -f | sed -e 's/^[^.]\+\.\(.*\)$/\1/'), localhost&lt;br /&gt;
postfix postfix/retry_upgrade_warning   boolean&lt;br /&gt;
# Faut-il installer postfix malgré l'incompatibilité du noyau ?&lt;br /&gt;
postfix postfix/kernel_version_warning  boolean&lt;br /&gt;
postfix postfix/not_configured  error&lt;br /&gt;
postfix postfix/mailbox_limit   string  0&lt;br /&gt;
postfix postfix/relayhost       string&lt;br /&gt;
postfix postfix/procmail        boolean false&lt;br /&gt;
postfix postfix/bad_recipient_delimiter error&lt;br /&gt;
postfix postfix/protocols       select  ipv4&lt;br /&gt;
postfix postfix/chattr  boolean false&lt;br /&gt;
EOF&lt;br /&gt;
&lt;br /&gt;
NB : les erreurs sur le ligne 13 et 17 sont normales.&lt;br /&gt;
&lt;br /&gt;
heirloom-mailx est déprécié mais présent dans le paquet s-nail&lt;br /&gt;
&lt;br /&gt;
apt-get -y install postfix s-nail&lt;br /&gt;
&lt;br /&gt;
sed -i -e '/^\/var\/log\/mail.log$/d' -e '/\/var\/log\/mail.info/i \&lt;br /&gt;
/var/log/mail.log\&lt;br /&gt;
{\&lt;br /&gt;
    rotate 4\&lt;br /&gt;
    weekly\&lt;br /&gt;
    missingok\&lt;br /&gt;
    notifempty\&lt;br /&gt;
    compress\&lt;br /&gt;
    delaycompress\&lt;br /&gt;
    create 640 root dev\&lt;br /&gt;
    sharedscripts\&lt;br /&gt;
    postrotate\&lt;br /&gt;
        invoke-rc.d rsyslog rotate &amp;gt; /dev/null\&lt;br /&gt;
    endscript\&lt;br /&gt;
}' /etc/logrotate.d/rsyslog&lt;br /&gt;
&lt;br /&gt;
chgrp dev /var/log/mail.log&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/aliases &amp;lt;&amp;lt;EOF&lt;br /&gt;
root: tech@hegyd.com&lt;br /&gt;
mike: m.reault@netprestation.com&lt;br /&gt;
EOF&lt;br /&gt;
newaliases&lt;br /&gt;
service postfix reload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Cloner le depot sys-common&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Au préalable, pour autoriser le git, se connecter sur srv-admin ( bastion ) et faire :&lt;br /&gt;
&lt;br /&gt;
eval $(ssh-agent)&lt;br /&gt;
ssh-add&lt;br /&gt;
ssh root@nouvelle_vm &lt;br /&gt;
ou ssh nouvelle_vm puis su - root&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /usr/local/share/hegyd&lt;br /&gt;
echo -e &amp;quot;Host git.hegyd.net\n\tStrictHostKeyChecking no\n&amp;quot; &amp;gt;&amp;gt; ~/.ssh/config&lt;br /&gt;
git clone -q git@git.hegyd.net:sys-common /usr/local/share/hegyd/sys-common&lt;br /&gt;
chmod -R g+rw /usr/local/share/hegyd&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter une version prédéfinie de VimRC&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ln -s /usr/local/share/hegyd/sys-common/vim/vimrc_hegyd /etc/vim/vimrc.local&lt;br /&gt;
sed -i '78,80s/^/&amp;quot;/' /usr/share/vim/vim81/defaults.vim&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter le script d'alerte des reboot&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;lt;&amp;lt;EOF &amp;gt;/etc/rc.local&lt;br /&gt;
#!/bin/sh -e&lt;br /&gt;
#&lt;br /&gt;
# rc.local&lt;br /&gt;
#&lt;br /&gt;
# This script is executed at the end of each multiuser runlevel.&lt;br /&gt;
# Make sure that the script will &amp;quot;exit 0&amp;quot; on success or any other&lt;br /&gt;
# value on error.&lt;br /&gt;
#&lt;br /&gt;
# In order to enable or disable this script just change the execution&lt;br /&gt;
# bits.&lt;br /&gt;
#&lt;br /&gt;
# By default this script does nothing.&lt;br /&gt;
&lt;br /&gt;
exit 0&lt;br /&gt;
EOF&lt;br /&gt;
chmod +x /etc/rc.local&lt;br /&gt;
systemctl start rc-local&lt;br /&gt;
systemctl status rc-local&lt;br /&gt;
sed -i '/^exit 0/i\/usr\/local\/share\/hegyd\/sys-common\/bin\/alert-reboot' /etc/rc.local&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Pare feu ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt install iptables&lt;br /&gt;
update-alternatives --set iptables /usr/sbin/iptables-legacy&lt;br /&gt;
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Configurer le système&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /etc/firewall&lt;br /&gt;
chgrp fwadmin /etc/firewall&lt;br /&gt;
chmod 2770 /etc/firewall&lt;br /&gt;
sed  -i -e '/^Defaults\s\+env_reset\s*$/aDefaults:%fwadmin   !lecture , passwd_timeout=1 , timestamp_timeout=1' -e &amp;quot;/^root\s\+ALL=(ALL:ALL)\s\+ALL\s*$/a%fwadmin  ALL = NOPASSWD: /etc/firewall/$(hostname -f).fw , /usr/bin/pkill&amp;quot; /etc/sudoers&lt;br /&gt;
sed -i &amp;quot;/^exit 0/i\/etc\/firewall\/$(hostname -f).fw&amp;quot; /etc/rc.local&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Créer et déployer le par feu&lt;br /&gt;
'''Créer le firewall sur firewall-builder puis le déployer'''&lt;br /&gt;
* Ajouter les vm dans le groupe &amp;quot;Virtual Machine&amp;quot; de firewall builder&lt;br /&gt;
* Ajouter les serveurs dans le groupe &amp;quot;Servers Applicatifs&amp;quot; de firewall builder&lt;br /&gt;
&lt;br /&gt;
== Serveur de cache DNS local ==&lt;br /&gt;
* Suivre la procédure [[Bind]]&lt;br /&gt;
&lt;br /&gt;
== Monitoring / Supervision ==&lt;br /&gt;
* Installer et configurer [[Snmp]]&lt;br /&gt;
* Installer et configurer le client [[Nagios#Installation_du_client_sur_Debian |NRPE pour Debian]]&lt;br /&gt;
&lt;br /&gt;
== Sauvegarde ==&lt;br /&gt;
* à déterminer pour les serveur Proxmox : rsnapshot ou sauvegarde sur les vm ? proxmox intègre ses propres sauvegardes.&lt;br /&gt;
&lt;br /&gt;
== Comptes utilisateurs ==&lt;br /&gt;
* Créer les comptes utilisateurs pour les accès du client (voir clés SSH publiques sur serveur Penta)&lt;br /&gt;
&lt;br /&gt;
[[Catégorie:Administration serveurs]]&lt;br /&gt;
&lt;br /&gt;
== ATTENTION Specificité network pour les Proxmox sur SCALE ( OVH ) ==&lt;br /&gt;
&lt;br /&gt;
Pour info, problème rencontré avec les interfaces réseau du serveur de type SCALE chez OVH ( 2 carte rzo publiques et 2 cartes rzo privées ).&lt;br /&gt;
Obligé de faire 2 &amp;quot;bonds&amp;quot; et &amp;quot;un bridge&amp;quot; sur le bond de l'IP vrack.&lt;br /&gt;
&lt;br /&gt;
ci-dessous configuration réseau fonctionnelle :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
root@vapps11:~# cat /etc/network/interfaces&lt;br /&gt;
# network interface settings; autogenerated&lt;br /&gt;
# Please do NOT modify this file directly, unless you know what&lt;br /&gt;
# you're doing.&lt;br /&gt;
#&lt;br /&gt;
# If you want to manage parts of the network configuration manually,&lt;br /&gt;
# please utilize the 'source' or 'source-directory' directives to do&lt;br /&gt;
# so.&lt;br /&gt;
# PVE will preserve these directives, but will NOT read its network&lt;br /&gt;
# configuration from sourced files, so do not attempt to move any of&lt;br /&gt;
# the PVE managed interfaces into external files!&lt;br /&gt;
&lt;br /&gt;
auto lo&lt;br /&gt;
iface lo inet loopback&lt;br /&gt;
&lt;br /&gt;
# interface publique 1&lt;br /&gt;
auto ens3f0&lt;br /&gt;
iface ens3f0 inet manual&lt;br /&gt;
&lt;br /&gt;
# interface publique 2&lt;br /&gt;
auto ens3f1&lt;br /&gt;
iface ens3f1 inet manual&lt;br /&gt;
&lt;br /&gt;
# interface privée 1&lt;br /&gt;
auto ens13f0&lt;br /&gt;
iface ens13f0 inet manual&lt;br /&gt;
&lt;br /&gt;
# interface privée 2&lt;br /&gt;
auto ens13f1&lt;br /&gt;
iface ens13f1 inet manual&lt;br /&gt;
&lt;br /&gt;
auto bond0&lt;br /&gt;
iface bond0 inet static&lt;br /&gt;
address 141.94.202.138/24&lt;br /&gt;
gateway 141.94.202.254&lt;br /&gt;
bond-slaves ens3f0 ens3f1&lt;br /&gt;
bond-miimon 100&lt;br /&gt;
bond-mode 802.3ad&lt;br /&gt;
post-up echo 1 &amp;gt; /proc/sys/net/ipv4/conf/bond0/proxy_arp&lt;br /&gt;
post-up echo 1 &amp;gt; /proc/sys/net/ipv4/ip_forward&lt;br /&gt;
&lt;br /&gt;
# Agrégat LACP sur les interfaces privées&lt;br /&gt;
auto bond1&lt;br /&gt;
iface bond1 inet dhcp&lt;br /&gt;
bond-slaves ens13f0 ens13f1&lt;br /&gt;
bond-miimon 100&lt;br /&gt;
bond-mode 802.3ad&lt;br /&gt;
&lt;br /&gt;
# Private&lt;br /&gt;
auto vmbr1&lt;br /&gt;
## Bridge raccordé sur l'agrégat bond1&lt;br /&gt;
iface vmbr1 inet static&lt;br /&gt;
address 172.16.0.167/12&lt;br /&gt;
netmask 255.240.0.0&lt;br /&gt;
bridge-ports bond1&lt;br /&gt;
bridge-stp off&lt;br /&gt;
bridge-fd 0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
** voir doc https://docs.ovh.com/fr/dedicated/proxmox-network-hg-scale/ **&lt;br /&gt;
&lt;br /&gt;
==&lt;/div&gt;</description>
			<pubDate>Mon, 10 Jul 2023 10:55:35 GMT</pubDate>			<dc:creator>Pentasonic</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:ProxmoxV7_Debian_11</comments>		</item>
		<item>
			<title>Sauvegardes</title>
			<link>https://wiki.hegyd.com/index.php/Sauvegardes</link>
			<description>&lt;p&gt;Pentasonic&amp;nbsp;:&amp;#32;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Mise en place des sauvegardes VM HEGYD ==&lt;br /&gt;
&lt;br /&gt;
=== 1/ BACULA ===&lt;br /&gt;
&lt;br /&gt;
=== 2/ RNSAPHSHOT ===&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
( en cours de rédaction )&lt;br /&gt;
&lt;br /&gt;
[[Catégorie:Administration serveurs]]&lt;/div&gt;</description>
			<pubDate>Mon, 11 Apr 2022 11:03:24 GMT</pubDate>			<dc:creator>Pentasonic</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:Sauvegardes</comments>		</item>
		<item>
			<title>Migration-KVM-Proxmox</title>
			<link>https://wiki.hegyd.com/index.php/Migration-KVM-Proxmox</link>
			<description>&lt;p&gt;185.86.178.201&amp;nbsp;:&amp;#32;/* Migration d'une vm d'un hyperviser KVM vers un proxmox */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Migration d'une vm d'un hyperviser KVM vers un proxmox ==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''1. Se connecter sur le bastion SRV-ADMIN en X''' &lt;br /&gt;
&lt;br /&gt;
''( ou alors utiliser les lignes de commandes virsh )''&lt;br /&gt;
&lt;br /&gt;
- Lancer virt-manager ( ou virsh dominfo vm ) &lt;br /&gt;
&lt;br /&gt;
- Identitifer la VM à migrer sur l'hyperviseur.&lt;br /&gt;
&lt;br /&gt;
- Récupérer ses informations : mémoire, vCPUs, son ou ses disques attachés.&lt;br /&gt;
&lt;br /&gt;
- Arrêter la VM&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''2. Se connecter sur l'interface web du Proxmox de destination : https://vapss...:8006'''&lt;br /&gt;
&lt;br /&gt;
- Créer la VM dans l'interface Proxmox avec ses caractéristiques :&lt;br /&gt;
&lt;br /&gt;
- Dans l'onglet disque, créer le disque proposé par l'interface&lt;br /&gt;
  &lt;br /&gt;
- Dans l'onglet carte réseau, désactiver la carte réseau ''( utiliser vmbr1 pour les vapps )''&lt;br /&gt;
&lt;br /&gt;
- Confirmer la création et créer la vm&lt;br /&gt;
&lt;br /&gt;
- Noter l'identifiant de la VM créée&lt;br /&gt;
 &lt;br /&gt;
- Dans l'onglet matériel de la vm créée détacher et supprimer le disque&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''3. Se connecter sur l'hyperviseur Proxmox'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Créer un montage sshf temporaire sur le réseau vrack&lt;br /&gt;
&lt;br /&gt;
 &amp;lt;pre&amp;gt;sshfs -o allow_other,default_permissions -o ssh_command=&amp;quot;ssh -o PubkeyAcceptedAlgorithms=+ssh-rsa -o HostkeyAlgorithms=+ssh-rsa&amp;quot; root@172.16.0.158:/vm /var/vm &amp;lt;/pre&amp;gt; &lt;br /&gt;
&lt;br /&gt;
Vous avez maintenant accès au répertoire &amp;quot;/vm&amp;quot; de votre KVM&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
- importer le disque de l'ancienne VM dans la nouvelle (durée estimée : 13 min pour 100G):&lt;br /&gt;
 &lt;br /&gt;
 &amp;lt;pre&amp;gt;qm importdisk 111 /var/vm/vm_proxy.qcow2 stockage_vm_raid_10 --format qcow2 &amp;lt;/pre&amp;gt; &lt;br /&gt;
&lt;br /&gt;
- Attendre la fin de l'importation... &lt;br /&gt;
&lt;br /&gt;
- Le disque apparait sur l'onglet Matériel de la VM sur l'interface web du Proxmox&lt;br /&gt;
&lt;br /&gt;
- Ajouter le disque sur la VM via l'interface ( double clic et ajouter )&lt;br /&gt;
&lt;br /&gt;
- Editer la carte réseau et décocher &amp;quot;Déconnecter&amp;quot;&lt;br /&gt;
&lt;br /&gt;
- Vérifier l'ordre de démarrage de la vm dans l'onglet &amp;quot;Options&amp;quot;&lt;br /&gt;
&lt;br /&gt;
- Démarrer la VM et tester ...&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''5 - Documenter :'''&lt;br /&gt;
&lt;br /&gt;
- Mettre à jour fiche EP de la VM ( ID Parent )&lt;br /&gt;
&lt;br /&gt;
- Mettre à jour le fichier des spécifications client.&lt;br /&gt;
&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
[[Catégorie:Administration serveurs]]&lt;/div&gt;</description>
			<pubDate>Wed, 02 Sep 2020 15:24:23 GMT</pubDate>			<dc:creator>Pentasonic</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:Migration-KVM-Proxmox</comments>		</item>
		<item>
			<title>ProxmoxV6 Debian 10</title>
			<link>https://wiki.hegyd.com/index.php/ProxmoxV6_Debian_10</link>
			<description>&lt;p&gt;Pentasonic&amp;nbsp;:&amp;#32;/* ATTENTION Specificité network pour les Proxmox sur SCALE ( OVH ) */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Proxmox V6 / Debian 10 ( Buster ) ==&lt;br /&gt;
&lt;br /&gt;
( doc install Proxmox sur manager OVH à faire )&lt;br /&gt;
&lt;br /&gt;
* Si on arrive ici après l'installation d'un Proxmox OVH, l'accès ROOT est ouvert ( envoyé par mail ) :&lt;br /&gt;
&lt;br /&gt;
* Modification du mot de passe root si nécessaire, et selon la règle de nommage usuelle.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
passwd&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Installer les paquets de base :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt update &amp;amp;&amp;amp; apt upgrade -y&lt;br /&gt;
apt -y install bash-completion ntp sudo htop telnet sysstat subversion git less vim-nox cscope exuberant-ctags&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer les locales :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
echo -n &amp;gt; /etc/environment&lt;br /&gt;
echo -n &amp;gt; /etc/default/locale&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer debconf :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install dialog &amp;amp;&amp;amp;&lt;br /&gt;
echo &amp;quot;debconf debconf/priority        select high&amp;quot; | debconf-set-selections &amp;amp;&amp;amp;&lt;br /&gt;
echo &amp;quot;debconf debconf/frontend        select Dialog&amp;quot; | debconf-set-selections&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Définir vim comme éditeur par défaut&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
update-alternatives --set editor /usr/bin/vim.nox&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer l'environnement utilisateur&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i '32,38s/^#//' /etc/bash.bashrc&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/bash.bashrc &amp;lt;&amp;lt;EOF&lt;br /&gt;
&lt;br /&gt;
export LS_OPTIONS='--color=auto'&lt;br /&gt;
eval &amp;quot;\`dircolors\`&amp;quot;&lt;br /&gt;
alias ls='ls \$LS_OPTIONS'&lt;br /&gt;
alias ll='ls \$LS_OPTIONS -l'&lt;br /&gt;
alias grep='grep --color=auto'&lt;br /&gt;
EOF&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Modifier le shell par défaut des utilisateurs en éditant la lignes suivante du fichier &amp;quot;/etc/default/useradd&amp;quot; :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i 's/^SHELL=\/bin\/sh/SHELL=\/bin\/bash/' /etc/default/useradd&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Gestion du Umask&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i 's/^UMASK\s\+022/UMASK    002/' /etc/login.defs&lt;br /&gt;
echo &amp;quot;session optional pam_umask.so&amp;quot; &amp;gt;&amp;gt; /etc/pam.d/common-session&lt;br /&gt;
echo &amp;quot;session optional pam_umask.so&amp;quot; &amp;gt;&amp;gt; /etc/pam.d/common-session-noninteractive&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Création des groupes par défaut&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
userdel -r user1 #user créé pendant l'installation&lt;br /&gt;
groupadd -g 1000 dev&lt;br /&gt;
groupadd -g 1001 grsec&lt;br /&gt;
groupadd -g 1002 fwadmin&lt;br /&gt;
groupadd -g 1003 adm-projects&lt;br /&gt;
groupadd -g 1004 wheel&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter les utilisateurs opérateurs&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /root/.ssh&lt;br /&gt;
echo &amp;quot;ssh-dss AAAAB3NzaC1kc3MAAACBAM0TYqkYRN8FKBSRwAwgeUcoyjkW3Bw07QqGfJcNA90b6/id0riHYd6WJBCeQKsUqT+CxIPAhUA9dVqON9kfO8LtBPllMwqoTWtUth2tqRV35c8ANqv3x/RoPGZlOIiRplH6+uUuVElOBRIKmhzwBUVnVG5Ri6P06pjrc1D9emN5AAAAFQDiPCxtR+Pq1yDeg483IEdyWoepeQAAAIBE9RS1C/fR83HUzO3f1mmBgL8ipKx8+lFBcsEU9odOZuWsXkIdZAIjrgpzAzTEGD+4bWUiXhS0kwQqDp9bSBliw2atEXrTsgbHOV/gLFPAwoyv3IpSuFRMIwGYXQc6PJcZaAhtJ9FNEcCcvkuMC23eeO8XnV0Fl+3m25QIo9+SCgAAAIBB3EAkSlZqj5igXarzP5YaBDOwPSnasBHcxymtLuQwrjEqR/qa9qcGBSBOKMDfgB9IlLei9Ug668Q0WXEy8/ovV2P+tx6juETi0l2yt3Nm1S6IIYHbXR5BkMM4CAV6U2bR3yCg+sx4encqCJOAIf+xlZzzFJBMbgTQhpJXIfcwOw== admin@backup.hegyd.com&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfcJ8J5YR6F7qrYLuVJ3YIqOXqNvj1OnYd0zybZ45X+IeFKePo2hL1NHALHWxys6Qo4Ta3pPcRkliQBy51IIXOtNVp90C4XqTNkwaAl6X4RnPPoGNVgq1V53BW/mkUYsvLoYTJHokb+a3exGHCYaPbuj09FV5VVdF2uGUIiRyMZzmZurLCzySagP+8e34ZrLDlwwmDtd24CVc0OyxikqFOzzOkvCWTaAttGv7qyAlwjyAAMTqlJhqPNaCQcOJVEGiwXNlXqjroRJz7j4a3vEd3xujfY3zeSu9U22iCgAJWiLRI+M7m7af4/yxTV8IYNvpOMTjqMnxOEAKsiCLmrwUJ MGA@HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSpLz0aUxPDyO5cXPm8HQkaNAUjNNULrhH8G3Nvw7SdhAvRVL9/RKzXu5Aa4nSQd0u61bWVlGvDVSSZgZGRnoxsmzK1aOJWcgJmhVI1r6o9fVKSxz/x+1uE8PFJxUVaGULoLvDRzZLDazg/c/Djb5AgTprmw8KvMKdcDk/kCixFmjEObuOwFbnA/ZbnHS8PPUgHSCwLNAQOUSZSLRZzEFRKO4+HCl5T7iZfCGd7dCInysG2tVzBJCqsN7hw5fhz49Kb1txa93dYhY7kh7SYqCYthGToqGVcDNQX7cXCP2Sqpw+2N/SAcke6E/MgalYAr40dIRRFuUJKX8LxLoko47r admin@rescue&lt;br /&gt;
ssh-dss AAAAB3NzaC1kc3MAAACBAPoQ6wRywMMkQ0npdVnRdlIclapxF0n3kK7iljksiwfi5p8VzGgbF6KxYiroJaKu7Q3gf4EgPlTyWJ8TgCI/bji/bCTqdPfMjQpp621l6p244WSMQEWipExnCkI6oBTuEK1Hr/T435ygwscwl2vcGnXQcGA6K7p16LpsLHykKPKtAAAAFQC1B/WkyCWjVSubUZgMBNfCeE2DaQAAAIBLmHlw2IrhZEhuz1m3k1H+ssH1JiPTcN1I6Z+M/n3OTYrdMIBuPLEtr3P+SZrnmZVLlwIzWtlw2dtwv+5G0UpzgNKmUQf27o2sgrKnSap2FP3cqBbDuUrsaZLexVawCualQPxTcXqufanrwPPYht3rtM5J3VmkW/jqpATxXJnO5wAAAIB+u9M9bObM7YzB7CZ4jmr4wXAo2HocqvBygmSX4dj3qgsqJoJ7bOATCYVSps6kqVcvWvztZ58duC1gvomDB+56CAPkin3S52Wtq6J/Qz3q+SEJNqcZ5+qiGn9mORaTsEx+iaA4pNbRjuKMp7rmWJ1gQ4e/OxQwmJXpTARsZIkBOw== admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDSTvhJwZSkwprrGoTTCDXK4p4VtyGo9EBNckRimYpwUAIq5MV3coWwrfJR/5qH7gYgZdCtBkZR/Mq59Xoeug7Gs5saoVkM0AjjIWPIpx52tl6/mnMvb7XrHwgonxiP2UR5o6tzVJgIK5jO7K6ezaJMobbmorxTDr7zcRm3obON1s21+Wv2FXZBUsFxXL3QjoECgh9mCV7bIjVis6Wl/bPq/ufLwcIhSnnpAzes7kWrfpIU825wUizdyp3JL8clDt1ovdBll7HdnCxmpux/NQQAixNYZhS0G65xXa8Db6hb3XS9v0AZcx07xsP+bGrUMo++L+HPqLYVADTskiRST+Z admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAHM3LBXe42KgEg9S23UO/PvL9EaYqECQDaRpQRJT7lkbcCNKTspRLVSHfWyyirykAME9fYcWhs6FJpE1/S/H2Pyre/0kUs9fZcaDyIuieow8lTu2dUYhZeMXmD0Uk4oUliaNxO3ATth116wdH/sp7Z46PofnNop2oAEhML7pJIN4/3v9BbUyzJNMQ1ZspPJh0e4P1dtNBVo/vIfByNWMgAVJW4w0Srcir13KsQG2FhWAZVhNBqUmVJnB6TwfcR27zQrxOIuk2R3g4eGHBZtckgA+KHEacPu9Sy7Hzp2Qz0kr+pylcpVbKv0Wl2Uyie7ekt/juiO8NdylBo4DD6+jWfESooLrfaXBLSzXDy2OWENxclmwKsj1CFFHNwyvBTooeNzMjHp1+lI4I0GDiF5ZdBA01hhEs9lsn6ZIkjj2WMaW5BVw7VtdsG4S3ZxTowviFStf7CTuHKLm2gPBBCXj4gkuXNOEta+fFBGBJDLPWfzWSOBcUEexL2CVeLI+xxtwqWjogsYLISydT1kAf/ucSmC7hIUab1UVwCHFxg8JQ1G/ne/XY3JwVSflHpVSWYAqerb9PF80nr+MSWuzq5BMmFboEUXFNVPWgfaJk29JqaIZFnyG1V85LHhX9yGSLpn1gXF3Yt/dtxIoKiE6wFy6W18bzw+6zABvcIvXz7hiWGNp enzo@dri&amp;quot; &amp;gt;&amp;gt; /root/.ssh/authorized_keys&lt;br /&gt;
chmod 700 /root/.ssh&lt;br /&gt;
chmod 600 /root/.ssh/authorized_keys&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1020 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash mike&lt;br /&gt;
mkdir /home/mike/.ssh&lt;br /&gt;
chmod 700 /home/mike/.ssh&lt;br /&gt;
echo &amp;quot;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrFOIGcDPe+LfoPc11vtv2EOVG63zBndLVnf48mC+krw2vXomDLXG+KnhIAx1yFhCh6B/8R9C3wMxwhghemE3succS+Q7Truu2pd7zDmDNn6cd8Iw02qe8dl3nZhVk5XtGMgeV3JRA7u8q32i4tadbONRICExjcm9pVL5wx5aLzNBtu1opyMdvHc0dBelghVa9kkg6bRri8AF38M16NTEqQNA7crwHHa9ZLBE+8xFWmkJdBJ7zRoR6XEwbOr020VEM+sKzCPl0sy606aW3bi59tYobqAGBjTglIOJWXKMxu1cPJnSCx6Xom9F6AeF1C4CghVrZpfu++XSmJQtXoId m.reault@hegyd.com&amp;quot; &amp;gt; /home/mike/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/mike/.ssh/authorized_keys&lt;br /&gt;
chown -R mike:mike /home/mike/.ssh&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1021 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash -p paCtx8rsjkGhQ admin&lt;br /&gt;
mkdir /home/admin/.ssh&lt;br /&gt;
chmod 700 /home/admin/.ssh&lt;br /&gt;
echo &amp;quot;ssh-dss AAAAB3NzaC1kc3MAAACBAM0TYqkYRN8FKBSRwAwgeUcoyjkW3Bw07QqGfJcNA90b6/id0riHYd6WJBCeQKsUqT+CxIPAhUA9dVqON9kfO8LtBPllMwqoTWtUth2tqRV35c8ANqv3x/RoPGZlOIiRplH6+uUuVElOBRIKmhzwBUVnVG5Ri6P06pjrc1D9emN5AAAAFQDiPCxtR+Pq1yDeg483IEdyWoepeQAAAIBE9RS1C/fR83HUzO3f1mmBgL8ipKx8+lFBcsEU9odOZuWsXkIdZAIjrgpzAzTEGD+4bWUiXhS0kwQqDp9bSBliw2atEXrTsgbHOV/gLFPAwoyv3IpSuFRMIwGYXQc6PJcZaAhtJ9FNEcCcvkuMC23eeO8XnV0Fl+3m25QIo9+SCgAAAIBB3EAkSlZqj5igXarzP5YaBDOwPSnasBHcxymtLuQwrjEqR/qa9qcGBSBOKMDfgB9IlLei9Ug668Q0WXEy8/ovV2P+tx6juETi0l2yt3Nm1S6IIYHbXR5BkMM4CAV6U2bR3yCg+sx4encqCJOAIf+xlZzzFJBMbgTQhpJXIfcwOw== admin@backup.hegyd.com&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfcJ8J5YR6F7qrYLuVJ3YIqOXqNvj1OnYd0zybZ45X+IeFKePo2hL1NHALHWxys6Qo4Ta3pPcRkliQBy51IIXOtNVp90C4XqTNkwaAl6X4RnPPoGNVgq1V53BW/mkUYsvLoYTJHokb+a3exGHCYaPbuj09FV5VVdF2uGUIiRyMZzmZurLCzySagP+8e34ZrLDlwwmDtd24CVc0OyxikqFOzzOkvCWTaAttGv7qyAlwjyAAMTqlJhqPNaCQcOJVEGiwXNlXqjroRJz7j4a3vEd3xujfY3zeSu9U22iCgAJWiLRI+M7m7af4/yxTV8IYNvpOMTjqMnxOEAKsiCLmrwUJ MGA@HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSpLz0aUxPDyO5cXPm8HQkaNAUjNNULrhH8G3Nvw7SdhAvRVL9/RKzXu5Aa4nSQd0u61bWVlGvDVSSZgZGRnoxsmzK1aOJWcgJmhVI1r6o9fVKSxz/x+1uE8PFJxUVaGULoLvDRzZLDazg/c/Djb5AgTprmw8KvMKdcDk/kCixFmjEObuOwFbnA/ZbnHS8PPUgHSCwLNAQOUSZSLRZzEFRKO4+HCl5T7iZfCGd7dCInysG2tVzBJCqsN7hw5fhz49Kb1txa93dYhY7kh7SYqCYthGToqGVcDNQX7cXCP2Sqpw+2N/SAcke6E/MgalYAr40dIRRFuUJKX8LxLoko47r admin@rescue&lt;br /&gt;
ssh-dss AAAAB3NzaC1kc3MAAACBAPoQ6wRywMMkQ0npdVnRdlIclapxF0n3kK7iljksiwfi5p8VzGgbF6KxYiroJaKu7Q3gf4EgPlTyWJ8TgCI/bji/bCTqdPfMjQpp621l6p244WSMQEWipExnCkI6oBTuEK1Hr/T435ygwscwl2vcGnXQcGA6K7p16LpsLHykKPKtAAAAFQC1B/WkyCWjVSubUZgMBNfCeE2DaQAAAIBLmHlw2IrhZEhuz1m3k1H+ssH1JiPTcN1I6Z+M/n3OTYrdMIBuPLEtr3P+SZrnmZVLlwIzWtlw2dtwv+5G0UpzgNKmUQf27o2sgrKnSap2FP3cqBbDuUrsaZLexVawCualQPxTcXqufanrwPPYht3rtM5J3VmkW/jqpATxXJnO5wAAAIB+u9M9bObM7YzB7CZ4jmr4wXAo2HocqvBygmSX4dj3qgsqJoJ7bOATCYVSps6kqVcvWvztZ58duC1gvomDB+56CAPkin3S52Wtq6J/Qz3q+SEJNqcZ5+qiGn9mORaTsEx+iaA4pNbRjuKMp7rmWJ1gQ4e/OxQwmJXpTARsZIkBOw== admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDSTvhJwZSkwprrGoTTCDXK4p4VtyGo9EBNckRimYpwUAIq5MV3coWwrfJR/5qH7gYgZdCtBkZR/Mq59Xoeug7Gs5saoVkM0AjjIWPIpx52tl6/mnMvb7XrHwgonxiP2UR5o6tzVJgIK5jO7K6ezaJMobbmorxTDr7zcRm3obON1s21+Wv2FXZBUsFxXL3QjoECgh9mCV7bIjVis6Wl/bPq/ufLwcIhSnnpAzes7kWrfpIU825wUizdyp3JL8clDt1ovdBll7HdnCxmpux/NQQAixNYZhS0G65xXa8Db6hb3XS9v0AZcx07xsP+bGrUMo++L+HPqLYVADTskiRST+Z admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAHM3LBXe42KgEg9S23UO/PvL9EaYqECQDaRpQRJT7lkbcCNKTspRLVSHfWyyirykAME9fYcWhs6FJpE1/S/H2Pyre/0kUs9fZcaDyIuieow8lTu2dUYhZeMXmD0Uk4oUliaNxO3ATth116wdH/sp7Z46PofnNop2oAEhML7pJIN4/3v9BbUyzJNMQ1ZspPJh0e4P1dtNBVo/vIfByNWMgAVJW4w0Srcir13KsQG2FhWAZVhNBqUmVJnB6TwfcR27zQrxOIuk2R3g4eGHBZtckgA+KHEacPu9Sy7Hzp2Qz0kr+pylcpVbKv0Wl2Uyie7ekt/juiO8NdylBo4DD6+jWfESooLrfaXBLSzXDy2OWENxclmwKsj1CFFHNwyvBTooeNzMjHp1+lI4I0GDiF5ZdBA01hhEs9lsn6ZIkjj2WMaW5BVw7VtdsG4S3ZxTowviFStf7CTuHKLm2gPBBCXj4gkuXNOEta+fFBGBJDLPWfzWSOBcUEexL2CVeLI+xxtwqWjogsYLISydT1kAf/ucSmC7hIUab1UVwCHFxg8JQ1G/ne/XY3JwVSflHpVSWYAqerb9PF80nr+MSWuzq5BMmFboEUXFNVPWgfaJk29JqaIZFnyG1V85LHhX9yGSLpn1gXF3Yt/dtxIoKiE6wFy6W18bzw+6zABvcIvXz7hiWGNp enzo@dri&lt;br /&gt;
&amp;quot; &amp;gt; /home/admin/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/admin/.ssh/authorized_keys&lt;br /&gt;
chown -R admin:admin /home/admin/.ssh&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1022 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash -p pa2TnhUhhBRfU support&lt;br /&gt;
mkdir /home/support/.ssh&lt;br /&gt;
chmod 700 /home/support/.ssh&lt;br /&gt;
touch /home/support/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/support/.ssh/authorized_keys&lt;br /&gt;
chown -R support:support /home/support/.ssh&lt;br /&gt;
&lt;br /&gt;
chmod 750 /home/*&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*  Configurer openssh-server&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
echo &amp;quot;alias root=\&amp;quot;ssh -AX root@localhost\&amp;quot;&amp;quot; &amp;gt;&amp;gt;/home/admin/.bashrc&lt;br /&gt;
sed -i 's/^PermitRootLogin yes/PermitRootLogin without-password/' /etc/ssh/sshd_config&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/ssh/sshd_config &amp;lt;&amp;lt;EOF&lt;br /&gt;
&lt;br /&gt;
UseDns no&lt;br /&gt;
AllowUsers root mike admin support&lt;br /&gt;
EOF&lt;br /&gt;
service ssh reload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Installer le serveur de mail local&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
debconf-set-selections &amp;lt;&amp;lt;EOF&lt;br /&gt;
postfix postfix/root_address    string&lt;br /&gt;
postfix postfix/rfc1035_violation       boolean false&lt;br /&gt;
postfix postfix/mydomain_warning        boolean&lt;br /&gt;
postfix postfix/mynetworks      string  127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128&lt;br /&gt;
postfix postfix/mailname        string  $(hostname -f)&lt;br /&gt;
postfix postfix/tlsmgr_upgrade_warning  boolean&lt;br /&gt;
postfix postfix/recipient_delim string  +&lt;br /&gt;
postfix postfix/main_mailer_type        select  Internet Site&lt;br /&gt;
postfix postfix/destinations    string  $(hostname -f), localhost.$(hostname -f | sed -e 's/^[^.]\+\.\(.*\)$/\1/'), localhost&lt;br /&gt;
postfix postfix/retry_upgrade_warning   boolean&lt;br /&gt;
# Faut-il installer postfix malgré l'incompatibilité du noyau ?&lt;br /&gt;
postfix postfix/kernel_version_warning  boolean&lt;br /&gt;
postfix postfix/not_configured  error&lt;br /&gt;
postfix postfix/mailbox_limit   string  0&lt;br /&gt;
postfix postfix/relayhost       string&lt;br /&gt;
postfix postfix/procmail        boolean false&lt;br /&gt;
postfix postfix/bad_recipient_delimiter error&lt;br /&gt;
postfix postfix/protocols       select  ipv4&lt;br /&gt;
postfix postfix/chattr  boolean false&lt;br /&gt;
EOF&lt;br /&gt;
&lt;br /&gt;
NB : les erreurs sur le ligne 13 et 17 sont normales.&lt;br /&gt;
&lt;br /&gt;
heirloom-mailx est déprécié mais présent dans le paquet s-nail&lt;br /&gt;
&lt;br /&gt;
apt-get -y install postfix s-nail&lt;br /&gt;
&lt;br /&gt;
sed -i -e '/^\/var\/log\/mail.log$/d' -e '/\/var\/log\/mail.info/i \&lt;br /&gt;
/var/log/mail.log\&lt;br /&gt;
{\&lt;br /&gt;
    rotate 4\&lt;br /&gt;
    weekly\&lt;br /&gt;
    missingok\&lt;br /&gt;
    notifempty\&lt;br /&gt;
    compress\&lt;br /&gt;
    delaycompress\&lt;br /&gt;
    create 640 root dev\&lt;br /&gt;
    sharedscripts\&lt;br /&gt;
    postrotate\&lt;br /&gt;
        invoke-rc.d rsyslog rotate &amp;gt; /dev/null\&lt;br /&gt;
    endscript\&lt;br /&gt;
}' /etc/logrotate.d/rsyslog&lt;br /&gt;
&lt;br /&gt;
chgrp dev /var/log/mail.log&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/aliases &amp;lt;&amp;lt;EOF&lt;br /&gt;
root: tech@hegyd.com&lt;br /&gt;
mike: m.reault@netprestation.com&lt;br /&gt;
EOF&lt;br /&gt;
newaliases&lt;br /&gt;
service postfix reload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Cloner le depot sys-common&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Au préalable, pour autoriser le git, se connecter sur srv-admin ( bastion ) et faire :&lt;br /&gt;
&lt;br /&gt;
eval $(ssh-agent)&lt;br /&gt;
ssh-add&lt;br /&gt;
ssh root@nouvelle_vm &lt;br /&gt;
ou ssh nouvelle_vm puis su - root&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /usr/local/share/hegyd&lt;br /&gt;
echo -e &amp;quot;Host git.hegyd.net\n\tStrictHostKeyChecking no\n&amp;quot; &amp;gt;&amp;gt; ~/.ssh/config&lt;br /&gt;
git clone -q git@git.hegyd.net:sys-common /usr/local/share/hegyd/sys-common&lt;br /&gt;
chmod -R g+rw /usr/local/share/hegyd&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter une version prédéfinie de VimRC&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ln -s /usr/local/share/hegyd/sys-common/vim/vimrc_hegyd /etc/vim/vimrc.local&lt;br /&gt;
sed -i '78,80s/^/&amp;quot;/' /usr/share/vim/vim81/defaults.vim&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter le script d'alerte des reboot&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;lt;&amp;lt;EOF &amp;gt;/etc/rc.local&lt;br /&gt;
#!/bin/sh -e&lt;br /&gt;
#&lt;br /&gt;
# rc.local&lt;br /&gt;
#&lt;br /&gt;
# This script is executed at the end of each multiuser runlevel.&lt;br /&gt;
# Make sure that the script will &amp;quot;exit 0&amp;quot; on success or any other&lt;br /&gt;
# value on error.&lt;br /&gt;
#&lt;br /&gt;
# In order to enable or disable this script just change the execution&lt;br /&gt;
# bits.&lt;br /&gt;
#&lt;br /&gt;
# By default this script does nothing.&lt;br /&gt;
&lt;br /&gt;
exit 0&lt;br /&gt;
EOF&lt;br /&gt;
chmod +x /etc/rc.local&lt;br /&gt;
systemctl start rc-local&lt;br /&gt;
systemctl status rc-local&lt;br /&gt;
sed -i '/^exit 0/i\/usr\/local\/share\/hegyd\/sys-common\/bin\/alert-reboot' /etc/rc.local&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Pare feu ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt install iptables&lt;br /&gt;
update-alternatives --set iptables /usr/sbin/iptables-legacy&lt;br /&gt;
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Configurer le système&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /etc/firewall&lt;br /&gt;
chgrp fwadmin /etc/firewall&lt;br /&gt;
chmod 2770 /etc/firewall&lt;br /&gt;
sed  -i -e '/^Defaults\s\+env_reset\s*$/aDefaults:%fwadmin   !lecture , passwd_timeout=1 , timestamp_timeout=1' -e &amp;quot;/^root\s\+ALL=(ALL:ALL)\s\+ALL\s*$/a%fwadmin  ALL = NOPASSWD: /etc/firewall/$(hostname -f).fw , /usr/bin/pkill&amp;quot; /etc/sudoers&lt;br /&gt;
sed -i &amp;quot;/^exit 0/i\/etc\/firewall\/$(hostname -f).fw&amp;quot; /etc/rc.local&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Créer et déployer le par feu&lt;br /&gt;
'''Créer le firewall sur firewall-builder puis le déployer'''&lt;br /&gt;
* Ajouter les vm dans le groupe &amp;quot;Virtual Machine&amp;quot; de firewall builder&lt;br /&gt;
* Ajouter les serveurs dans le groupe &amp;quot;Servers Applicatifs&amp;quot; de firewall builder&lt;br /&gt;
&lt;br /&gt;
== Serveur de cache DNS local ==&lt;br /&gt;
* Suivre la procédure [[Bind]]&lt;br /&gt;
&lt;br /&gt;
== Monitoring / Supervision ==&lt;br /&gt;
* Installer et configurer [[Snmp]]&lt;br /&gt;
* Installer et configurer le client [[Nagios#Installation_du_client_sur_Debian |NRPE pour Debian]]&lt;br /&gt;
&lt;br /&gt;
== Sauvegarde ==&lt;br /&gt;
* à déterminer pour les serveur Proxmox : rsnapshot ou sauvegarde sur les vm ? proxmox intègre ses propres sauvegardes.&lt;br /&gt;
&lt;br /&gt;
== Comptes utilisateurs ==&lt;br /&gt;
* Créer les comptes utilisateurs pour les accès du client (voir clés SSH publiques sur serveur Penta)&lt;br /&gt;
&lt;br /&gt;
[[Catégorie:Administration serveurs]]&lt;br /&gt;
&lt;br /&gt;
== ATTENTION Specificité network pour les Proxmox sur SCALE ( OVH ) ==&lt;br /&gt;
&lt;br /&gt;
Pour info, problème rencontré avec les interfaces réseau du serveur de type SCALE chez OVH ( 2 carte rzo publiques et 2 cartes rzo privées ).&lt;br /&gt;
Obligé de faire 2 &amp;quot;bonds&amp;quot; et &amp;quot;un bridge&amp;quot; sur le bond de l'IP vrack.&lt;br /&gt;
&lt;br /&gt;
ci-dessous configuration réseau fonctionnelle :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
root@vapps11:~# cat /etc/network/interfaces&lt;br /&gt;
# network interface settings; autogenerated&lt;br /&gt;
# Please do NOT modify this file directly, unless you know what&lt;br /&gt;
# you're doing.&lt;br /&gt;
#&lt;br /&gt;
# If you want to manage parts of the network configuration manually,&lt;br /&gt;
# please utilize the 'source' or 'source-directory' directives to do&lt;br /&gt;
# so.&lt;br /&gt;
# PVE will preserve these directives, but will NOT read its network&lt;br /&gt;
# configuration from sourced files, so do not attempt to move any of&lt;br /&gt;
# the PVE managed interfaces into external files!&lt;br /&gt;
&lt;br /&gt;
auto lo&lt;br /&gt;
iface lo inet loopback&lt;br /&gt;
&lt;br /&gt;
# interface publique 1&lt;br /&gt;
auto ens3f0&lt;br /&gt;
iface ens3f0 inet manual&lt;br /&gt;
&lt;br /&gt;
# interface publique 2&lt;br /&gt;
auto ens3f1&lt;br /&gt;
iface ens3f1 inet manual&lt;br /&gt;
&lt;br /&gt;
# interface privée 1&lt;br /&gt;
auto ens13f0&lt;br /&gt;
iface ens13f0 inet manual&lt;br /&gt;
&lt;br /&gt;
# interface privée 2&lt;br /&gt;
auto ens13f1&lt;br /&gt;
iface ens13f1 inet manual&lt;br /&gt;
&lt;br /&gt;
auto bond0&lt;br /&gt;
iface bond0 inet static&lt;br /&gt;
address 141.94.202.138/24&lt;br /&gt;
gateway 141.94.202.254&lt;br /&gt;
bond-slaves ens3f0 ens3f1&lt;br /&gt;
bond-miimon 100&lt;br /&gt;
bond-mode 802.3ad&lt;br /&gt;
post-up echo 1 &amp;gt; /proc/sys/net/ipv4/conf/bond0/proxy_arp&lt;br /&gt;
post-up echo 1 &amp;gt; /proc/sys/net/ipv4/ip_forward&lt;br /&gt;
&lt;br /&gt;
# Agrégat LACP sur les interfaces privées&lt;br /&gt;
auto bond1&lt;br /&gt;
iface bond1 inet dhcp&lt;br /&gt;
bond-slaves ens13f0 ens13f1&lt;br /&gt;
bond-miimon 100&lt;br /&gt;
bond-mode 802.3ad&lt;br /&gt;
&lt;br /&gt;
# Private&lt;br /&gt;
auto vmbr1&lt;br /&gt;
## Bridge raccordé sur l'agrégat bond1&lt;br /&gt;
iface vmbr1 inet static&lt;br /&gt;
address 172.16.0.167/12&lt;br /&gt;
netmask 255.240.0.0&lt;br /&gt;
bridge-ports bond1&lt;br /&gt;
bridge-stp off&lt;br /&gt;
bridge-fd 0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
** voir doc https://docs.ovh.com/fr/dedicated/proxmox-network-hg-scale/ **&lt;br /&gt;
&lt;br /&gt;
==&lt;/div&gt;</description>
			<pubDate>Mon, 31 Aug 2020 14:50:27 GMT</pubDate>			<dc:creator>Pentasonic</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:ProxmoxV6_Debian_10</comments>		</item>
		<item>
			<title>LetsEncrypt</title>
			<link>https://wiki.hegyd.com/index.php/LetsEncrypt</link>
			<description>&lt;p&gt;Pentasonic&amp;nbsp;:&amp;#32;/* Installation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
== Installation d’un certificat LetsEncrypt avec renouvellement automatique pour un NDD : ==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* Ticket : https://v2.produhost.net/panel/15744/support/ticket/205183&lt;br /&gt;
&lt;br /&gt;
''''Sur le serveur intrastore.hegyd.net''&lt;br /&gt;
''Générer un certificat SSL pour candidats.raisonhome.com par Let's Encrypt avec renouvellement automatique.''&lt;br /&gt;
''Redirection auto port 80 vers 443''&lt;br /&gt;
''...''''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''L'utilisation de certbot-auto est recommandé car les versions du &amp;quot;acme-challenge&amp;quot; du certbot de la distribution ( dépôts backports ) ne sont plus supportées.'''&lt;br /&gt;
&lt;br /&gt;
== Installation ==&lt;br /&gt;
&lt;br /&gt;
* Récupération de l’os et de sa version sur intrastore.hegyd.net&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
#cat /etc/debian_version&lt;br /&gt;
8.11&lt;br /&gt;
&amp;lt;/pre&amp;gt; &lt;br /&gt;
&lt;br /&gt;
ici Debian / Jessie&lt;br /&gt;
&lt;br /&gt;
* Se connecter sur https://certbot.eff.org/ et choisir sa config OS / Serveur : &lt;br /&gt;
&lt;br /&gt;
https://certbot.eff.org/lets-encrypt/debianjessie-apache&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* Se connecter en root, sur intrastore.hegyd.net:&lt;br /&gt;
&lt;br /&gt;
* Vérifier si l’ancien certbot n’est pas installé  : &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt remove certbot&lt;br /&gt;
&amp;lt;/pre&amp;gt; &lt;br /&gt;
&lt;br /&gt;
puis :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
wget https://dl.eff.org/certbot-auto&lt;br /&gt;
mv certbot-auto /usr/local/bin/certbot-auto&lt;br /&gt;
chown root /usr/local/bin/certbot-auto&lt;br /&gt;
chmod 0755 /usr/local/bin/certbot-auto&lt;br /&gt;
&amp;lt;/pre&amp;gt; &lt;br /&gt;
&lt;br /&gt;
* Installer les dépendances, python et générer les certificats :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt; &lt;br /&gt;
/usr/local/bin/certbot-auto –apache&lt;br /&gt;
&amp;lt;/pre&amp;gt; &lt;br /&gt;
&lt;br /&gt;
* En cas d’erreur, faire les modifications nécessaire et relancer la commande.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt; &lt;br /&gt;
/usr/local/bin/certbot-auto –apache&lt;br /&gt;
&amp;lt;/pre&amp;gt; &lt;br /&gt;
&lt;br /&gt;
* Ensuite on teste le certificat :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt; &lt;br /&gt;
certbot-auto certonly --webroot -w /var/projects/cloud/prod/raison-home -d candidats.raisonhome.com -m tech@hegyd.net –dry-run&lt;br /&gt;
&amp;lt;/pre&amp;gt; &lt;br /&gt;
&lt;br /&gt;
* si c’est ok on enleve le « --dry-run »&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt; &lt;br /&gt;
certbot-auto certonly --webroot -w /var/projects/cloud/prod/raison-home -d candidats.raisonhome.com -m tech@hegyd.net &lt;br /&gt;
&amp;lt;/pre&amp;gt; &lt;br /&gt;
&lt;br /&gt;
* Le certificat va être généré dans /etc/letsencrypt/live/candidats.raisonhome.com qui contient les fichiers pour le certificat à configurer dans le vhost Apache :&lt;br /&gt;
&lt;br /&gt;
cert.pem  chain.pem  fullchain.pem  privkey.pem&lt;br /&gt;
&lt;br /&gt;
* modifier la conf du vhost dans /etc/apache2/sites-enabled/intrastore.conf:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
# PROD candidats.raisonhome.com&lt;br /&gt;
&amp;lt;Virtualhost *:80&amp;gt;&lt;br /&gt;
        ServerName candidats.raisonhome.com &lt;br /&gt;
        ServerAlias *.candidats.raisonhome.com&lt;br /&gt;
        VirtualDocumentRoot /var/projects/cloud/prod/raison-home&lt;br /&gt;
        &amp;lt;Directory &amp;quot;/var/projects/cloud/prod/raison-home&amp;quot;&amp;gt;&lt;br /&gt;
                Options Indexes FollowSymlinks MultiViews&lt;br /&gt;
                AllowOverride All&lt;br /&gt;
                Require all granted&lt;br /&gt;
        &amp;lt;/Directory&amp;gt;&lt;br /&gt;
       RewriteEngine On&lt;br /&gt;
       RewriteCond %{HTTPS} off&lt;br /&gt;
       RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}&lt;br /&gt;
&amp;lt;/Virtualhost&amp;gt;&lt;br /&gt;
&amp;lt;Virtualhost *:443&amp;gt;&lt;br /&gt;
        ServerName candidats.raisonhome.com &lt;br /&gt;
        ServerAlias *.candidats.raisonhome.com&lt;br /&gt;
        VirtualDocumentRoot /var/projects/cloud/prod/raison-home&lt;br /&gt;
        &amp;lt;Directory &amp;quot;/var/projects/cloud/prod/raison-home&amp;quot;&amp;gt;&lt;br /&gt;
                Options Indexes FollowSymlinks MultiViews&lt;br /&gt;
                AllowOverride All&lt;br /&gt;
                Require all granted&lt;br /&gt;
        &amp;lt;/Directory&amp;gt;&lt;br /&gt;
        SSLEngine On&lt;br /&gt;
        SSLCertificateFile /etc/letsencrypt/live/candidats.raisonhome.com/cert.pem&lt;br /&gt;
        SSLCertificateKeyFile /etc/letsencrypt/live/candidats.raisonhome.com/privkey.pem&lt;br /&gt;
        SSLCertificateChainFile /etc/letsencrypt/live/candidats.raisonhome.com/chain.pem&lt;br /&gt;
&amp;lt;/Virtualhost&amp;gt;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Vérifier la configuration et recharger apache :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apachectl -t&lt;br /&gt;
service apache2 reload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Vérifier le site, la redirection et le certificat :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
https://candidats.raisonhome.com&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== installation du cron de renouvellement ( renew ) ==&lt;br /&gt;
&lt;br /&gt;
* Ensuite mettre le cron de renouvellement dans la crontab :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
echo &amp;quot;0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' &amp;amp;&amp;amp; /usr/local/bin/certbot-auto renew -q&amp;quot; | sudo tee -a /etc/crontab &amp;gt; /dev/null&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* ce qui donne pour etc/crontab&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' &amp;amp;&amp;amp; /usr/local/bin/certbot-auto renew -q&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Recharger le service cron&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
service cron reload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Et voila, reste à surveiller le cron pour valider le bon renouvellement automatique.&lt;br /&gt;
&lt;br /&gt;
[[Catégorie:Administration serveurs]]&lt;/div&gt;</description>
			<pubDate>Fri, 29 May 2020 13:01:53 GMT</pubDate>			<dc:creator>Pentasonic</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:LetsEncrypt</comments>		</item>
		<item>
			<title>Deprovisionner VM</title>
			<link>https://wiki.hegyd.com/index.php/Deprovisionner_VM</link>
			<description>&lt;p&gt;Pentasonic&amp;nbsp;:&amp;#32;/* Couper les sauvegardes ( Bacula ) */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Dé-provisionner une VM =&lt;br /&gt;
&lt;br /&gt;
== Contexte ==&lt;br /&gt;
&lt;br /&gt;
* ticket : https://v2.produhost.net/panel/15746/support/ticket/200296&lt;br /&gt;
&lt;br /&gt;
'' Nous avons mis fin à la liaison entre nos applications et le service Piwik donc vous pouvez maintenant éteindre la machine apply.viaduc.fr''&lt;br /&gt;
&lt;br /&gt;
* Identification &lt;br /&gt;
&lt;br /&gt;
VM : apply.viaduc.fr / 178.33.76.36 &lt;br /&gt;
&lt;br /&gt;
DPS : vapps1.viaduc.fr / 37.187.69.161&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Couper la supervision ( Nagios ) ==&lt;br /&gt;
&lt;br /&gt;
* Se connecter au serveur Nagios Hegyd 195.114.26.250 :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cd /opt/ns_core/nagios-core/etc/objects/HEGYD&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Faire une copie des fichiers de configuration à la date du jour :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cp hegyd_hosts.cfg hegyd_hosts.cfg.SAV20200504&lt;br /&gt;
cp hegyd_services.cfg hegyd_services.cfg.SAV20200504&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Supprimer dans les 2 fichiers '''hegyd_hosts.cfg''' et '''hegyd_services.cfg''' tout ce qui à rapport à apply.viaduc.fr&lt;br /&gt;
* Vérifier la conf Nagios et si OK rédémarrer :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/root/check_nagios.sh&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
ou&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/opt/ns_core/nagios-core/bin/nagios -v /opt/ns_core/nagios-core/etc/nagios.cfg &lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
puis&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
service nagios reload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Couper les sauvegardes ( Bacula ) ==&lt;br /&gt;
&lt;br /&gt;
* se connecter sur le serveur de backup backup2.viaduc.fr &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cd /etc/bacula/clientdefs.d&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Editer le fichier fd de la vm : ici apply.viaduc.fr-fd.conf et commenter les jobs System et Logs&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
vi apply.viaduc.fr-fd.conf&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
#Job {&lt;br /&gt;
#  Name = &amp;quot;Apply System Backup&amp;quot;&lt;br /&gt;
#  JobDefs = &amp;quot;Default Server Backup&amp;quot;&lt;br /&gt;
#  Client = apply.viaduc.fr-fd&lt;br /&gt;
#  Storage = apply.viaduc.fr-sd&lt;br /&gt;
#}&lt;br /&gt;
#&lt;br /&gt;
#Job {&lt;br /&gt;
#  Name = &amp;quot;Apply Logs Backup&amp;quot;&lt;br /&gt;
#  JobDefs = &amp;quot;Default Logs Server Backup&amp;quot;&lt;br /&gt;
#  Client = apply.viaduc.fr-fd&lt;br /&gt;
#  Storage = apply.viaduc.fr-sd&lt;br /&gt;
#}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;/div&gt;</description>
			<pubDate>Mon, 04 May 2020 13:05:55 GMT</pubDate>			<dc:creator>Pentasonic</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:Deprovisionner_VM</comments>		</item>
		<item>
			<title>Systeme d'exploitation Debian 10</title>
			<link>https://wiki.hegyd.com/index.php/Systeme_d%27exploitation_Debian_10</link>
			<description>&lt;p&gt;Pentasonic&amp;nbsp;:&amp;#32;/* Installation paquets clients */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Debian 10 ( Buster ) ==&lt;br /&gt;
&lt;br /&gt;
* Si on arrive ici après l'installation d'une VM KVM, il faut d'abord se connecter depuis la console virt-manager en root, puis :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config&lt;br /&gt;
service ssh reload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On peut alors se connecter maintenant depuis Putty/MRemote via le compte root et le mot de passe saisi lors de l'installation.&lt;br /&gt;
&lt;br /&gt;
* Modification du mot de passe root si nécessaire, et selon la règle de nommage usuelle.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
passwd&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
* Installer les paquets de base :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
# Configuration APT pour remonter /tmp avec le flag exec (nécessaire pour certains paquets)&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/apt/apt.conf &amp;lt;&amp;lt;EOF&lt;br /&gt;
DPkg::Pre-Invoke{&amp;quot;mount -o remount,exec /tmp&amp;quot;;};&lt;br /&gt;
DPkg::Post-Invoke {&amp;quot;mount -o remount /tmp&amp;quot;;};&lt;br /&gt;
EOF&lt;br /&gt;
&lt;br /&gt;
apt-get update &amp;amp;&amp;amp; apt-get -y upgrade&lt;br /&gt;
apt-get -y install bash-completion ntp sudo htop telnet sysstat subversion git less vim-nox cscope exuberant-ctags&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
NB : si l'apt-get essaie de passer en ipv6 et que cela ne fonctionne pas, il faut modifier la ligne 54 du fichier /etc/gai.conf de la façon suivante :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
precedence ::ffff:0:0/96  100&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer les locales :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
echo -n &amp;gt; /etc/environment&lt;br /&gt;
echo -n &amp;gt; /etc/default/locale&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer debconf :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install dialog &amp;amp;&amp;amp;&lt;br /&gt;
echo &amp;quot;debconf debconf/priority        select high&amp;quot; | debconf-set-selections &amp;amp;&amp;amp;&lt;br /&gt;
echo &amp;quot;debconf debconf/frontend        select Dialog&amp;quot; | debconf-set-selections&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Définir vim comme éditeur par défaut&lt;br /&gt;
&amp;lt;pre&amp;gt;update-alternatives --set editor /usr/bin/vim.nox&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Paramétrer l'environnement utilisateur&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i '32,38s/^#//' /etc/bash.bashrc&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/bash.bashrc &amp;lt;&amp;lt;EOF&lt;br /&gt;
&lt;br /&gt;
export LS_OPTIONS='--color=auto'&lt;br /&gt;
eval &amp;quot;\`dircolors\`&amp;quot;&lt;br /&gt;
alias ls='ls \$LS_OPTIONS'&lt;br /&gt;
alias ll='ls \$LS_OPTIONS -l'&lt;br /&gt;
alias grep='grep --color=auto'&lt;br /&gt;
EOF&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Modifier le shell par défaut des utilisateurs en éditant la lignes suivante du fichier &amp;quot;/etc/default/useradd&amp;quot; :&lt;br /&gt;
&amp;lt;pre&amp;gt;sed -i 's/^SHELL=\/bin\/sh/SHELL=\/bin\/bash/' /etc/default/useradd&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Gestion du Umask&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i 's/^UMASK\s\+022/UMASK    002/' /etc/login.defs&lt;br /&gt;
echo &amp;quot;session optional pam_umask.so&amp;quot; &amp;gt;&amp;gt; /etc/pam.d/common-session&lt;br /&gt;
echo &amp;quot;session optional pam_umask.so&amp;quot; &amp;gt;&amp;gt; /etc/pam.d/common-session-noninteractive&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Création des groupes par défaut&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
userdel -r user1 #user créé pendant l'installation&lt;br /&gt;
groupadd -g 1000 dev&lt;br /&gt;
groupadd -g 1001 grsec&lt;br /&gt;
groupadd -g 1002 fwadmin&lt;br /&gt;
groupadd -g 1003 adm-projects&lt;br /&gt;
groupadd -g 1004 wheel&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter les utilisateurs opérateurs&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /root/.ssh&lt;br /&gt;
echo &amp;quot;ssh-dss AAAAB3NzaC1kc3MAAACBAM0TYqkYRN8FKBSRwAwgeUcoyjkW3Bw07QqGfJcNA90b6/id0riHYd6WJBCeQKsUqT+CxIPAhUA9dVqON9kfO8LtBPllMwqoTWtUth2tqRV35c8ANqv3x/RoPGZlOIiRplH6+uUuVElOBRIKmhzwBUVnVG5Ri6P06pjrc1D9emN5AAAAFQDiPCxtR+Pq1yDeg483IEdyWoepeQAAAIBE9RS1C/fR83HUzO3f1mmBgL8ipKx8+lFBcsEU9odOZuWsXkIdZAIjrgpzAzTEGD+4bWUiXhS0kwQqDp9bSBliw2atEXrTsgbHOV/gLFPAwoyv3IpSuFRMIwGYXQc6PJcZaAhtJ9FNEcCcvkuMC23eeO8XnV0Fl+3m25QIo9+SCgAAAIBB3EAkSlZqj5igXarzP5YaBDOwPSnasBHcxymtLuQwrjEqR/qa9qcGBSBOKMDfgB9IlLei9Ug668Q0WXEy8/ovV2P+tx6juETi0l2yt3Nm1S6IIYHbXR5BkMM4CAV6U2bR3yCg+sx4encqCJOAIf+xlZzzFJBMbgTQhpJXIfcwOw== admin@backup.hegyd.com&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfcJ8J5YR6F7qrYLuVJ3YIqOXqNvj1OnYd0zybZ45X+IeFKePo2hL1NHALHWxys6Qo4Ta3pPcRkliQBy51IIXOtNVp90C4XqTNkwaAl6X4RnPPoGNVgq1V53BW/mkUYsvLoYTJHokb+a3exGHCYaPbuj09FV5VVdF2uGUIiRyMZzmZurLCzySagP+8e34ZrLDlwwmDtd24CVc0OyxikqFOzzOkvCWTaAttGv7qyAlwjyAAMTqlJhqPNaCQcOJVEGiwXNlXqjroRJz7j4a3vEd3xujfY3zeSu9U22iCgAJWiLRI+M7m7af4/yxTV8IYNvpOMTjqMnxOEAKsiCLmrwUJ MGA@HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSpLz0aUxPDyO5cXPm8HQkaNAUjNNULrhH8G3Nvw7SdhAvRVL9/RKzXu5Aa4nSQd0u61bWVlGvDVSSZgZGRnoxsmzK1aOJWcgJmhVI1r6o9fVKSxz/x+1uE8PFJxUVaGULoLvDRzZLDazg/c/Djb5AgTprmw8KvMKdcDk/kCixFmjEObuOwFbnA/ZbnHS8PPUgHSCwLNAQOUSZSLRZzEFRKO4+HCl5T7iZfCGd7dCInysG2tVzBJCqsN7hw5fhz49Kb1txa93dYhY7kh7SYqCYthGToqGVcDNQX7cXCP2Sqpw+2N/SAcke6E/MgalYAr40dIRRFuUJKX8LxLoko47r admin@rescue&lt;br /&gt;
ssh-dss AAAAB3NzaC1kc3MAAACBAPoQ6wRywMMkQ0npdVnRdlIclapxF0n3kK7iljksiwfi5p8VzGgbF6KxYiroJaKu7Q3gf4EgPlTyWJ8TgCI/bji/bCTqdPfMjQpp621l6p244WSMQEWipExnCkI6oBTuEK1Hr/T435ygwscwl2vcGnXQcGA6K7p16LpsLHykKPKtAAAAFQC1B/WkyCWjVSubUZgMBNfCeE2DaQAAAIBLmHlw2IrhZEhuz1m3k1H+ssH1JiPTcN1I6Z+M/n3OTYrdMIBuPLEtr3P+SZrnmZVLlwIzWtlw2dtwv+5G0UpzgNKmUQf27o2sgrKnSap2FP3cqBbDuUrsaZLexVawCualQPxTcXqufanrwPPYht3rtM5J3VmkW/jqpATxXJnO5wAAAIB+u9M9bObM7YzB7CZ4jmr4wXAo2HocqvBygmSX4dj3qgsqJoJ7bOATCYVSps6kqVcvWvztZ58duC1gvomDB+56CAPkin3S52Wtq6J/Qz3q+SEJNqcZ5+qiGn9mORaTsEx+iaA4pNbRjuKMp7rmWJ1gQ4e/OxQwmJXpTARsZIkBOw== admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDSTvhJwZSkwprrGoTTCDXK4p4VtyGo9EBNckRimYpwUAIq5MV3coWwrfJR/5qH7gYgZdCtBkZR/Mq59Xoeug7Gs5saoVkM0AjjIWPIpx52tl6/mnMvb7XrHwgonxiP2UR5o6tzVJgIK5jO7K6ezaJMobbmorxTDr7zcRm3obON1s21+Wv2FXZBUsFxXL3QjoECgh9mCV7bIjVis6Wl/bPq/ufLwcIhSnnpAzes7kWrfpIU825wUizdyp3JL8clDt1ovdBll7HdnCxmpux/NQQAixNYZhS0G65xXa8Db6hb3XS9v0AZcx07xsP+bGrUMo++L+HPqLYVADTskiRST+Z admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAHM3LBXe42KgEg9S23UO/PvL9EaYqECQDaRpQRJT7lkbcCNKTspRLVSHfWyyirykAME9fYcWhs6FJpE1/S/H2Pyre/0kUs9fZcaDyIuieow8lTu2dUYhZeMXmD0Uk4oUliaNxO3ATth116wdH/sp7Z46PofnNop2oAEhML7pJIN4/3v9BbUyzJNMQ1ZspPJh0e4P1dtNBVo/vIfByNWMgAVJW4w0Srcir13KsQG2FhWAZVhNBqUmVJnB6TwfcR27zQrxOIuk2R3g4eGHBZtckgA+KHEacPu9Sy7Hzp2Qz0kr+pylcpVbKv0Wl2Uyie7ekt/juiO8NdylBo4DD6+jWfESooLrfaXBLSzXDy2OWENxclmwKsj1CFFHNwyvBTooeNzMjHp1+lI4I0GDiF5ZdBA01hhEs9lsn6ZIkjj2WMaW5BVw7VtdsG4S3ZxTowviFStf7CTuHKLm2gPBBCXj4gkuXNOEta+fFBGBJDLPWfzWSOBcUEexL2CVeLI+xxtwqWjogsYLISydT1kAf/ucSmC7hIUab1UVwCHFxg8JQ1G/ne/XY3JwVSflHpVSWYAqerb9PF80nr+MSWuzq5BMmFboEUXFNVPWgfaJk29JqaIZFnyG1V85LHhX9yGSLpn1gXF3Yt/dtxIoKiE6wFy6W18bzw+6zABvcIvXz7hiWGNp enzo@dri&amp;quot; &amp;gt;&amp;gt; /root/.ssh/authorized_keys&lt;br /&gt;
chmod 700 /root/.ssh&lt;br /&gt;
chmod 600 /root/.ssh/authorized_keys&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1020 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash mike&lt;br /&gt;
mkdir /home/mike/.ssh&lt;br /&gt;
chmod 700 /home/mike/.ssh&lt;br /&gt;
echo &amp;quot;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrFOIGcDPe+LfoPc11vtv2EOVG63zBndLVnf48mC+krw2vXomDLXG+KnhIAx1yFhCh6B/8R9C3wMxwhghemE3succS+Q7Truu2pd7zDmDNn6cd8Iw02qe8dl3nZhVk5XtGMgeV3JRA7u8q32i4tadbONRICExjcm9pVL5wx5aLzNBtu1opyMdvHc0dBelghVa9kkg6bRri8AF38M16NTEqQNA7crwHHa9ZLBE+8xFWmkJdBJ7zRoR6XEwbOr020VEM+sKzCPl0sy606aW3bi59tYobqAGBjTglIOJWXKMxu1cPJnSCx6Xom9F6AeF1C4CghVrZpfu++XSmJQtXoId m.reault@hegyd.com&amp;quot; &amp;gt; /home/mike/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/mike/.ssh/authorized_keys&lt;br /&gt;
chown -R mike:mike /home/mike/.ssh&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1021 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash -p paCtx8rsjkGhQ admin&lt;br /&gt;
mkdir /home/admin/.ssh&lt;br /&gt;
chmod 700 /home/admin/.ssh&lt;br /&gt;
echo &amp;quot;ssh-dss AAAAB3NzaC1kc3MAAACBAM0TYqkYRN8FKBSRwAwgeUcoyjkW3Bw07QqGfJcNA90b6/id0riHYd6WJBCeQKsUqT+CxIPAhUA9dVqON9kfO8LtBPllMwqoTWtUth2tqRV35c8ANqv3x/RoPGZlOIiRplH6+uUuVElOBRIKmhzwBUVnVG5Ri6P06pjrc1D9emN5AAAAFQDiPCxtR+Pq1yDeg483IEdyWoepeQAAAIBE9RS1C/fR83HUzO3f1mmBgL8ipKx8+lFBcsEU9odOZuWsXkIdZAIjrgpzAzTEGD+4bWUiXhS0kwQqDp9bSBliw2atEXrTsgbHOV/gLFPAwoyv3IpSuFRMIwGYXQc6PJcZaAhtJ9FNEcCcvkuMC23eeO8XnV0Fl+3m25QIo9+SCgAAAIBB3EAkSlZqj5igXarzP5YaBDOwPSnasBHcxymtLuQwrjEqR/qa9qcGBSBOKMDfgB9IlLei9Ug668Q0WXEy8/ovV2P+tx6juETi0l2yt3Nm1S6IIYHbXR5BkMM4CAV6U2bR3yCg+sx4encqCJOAIf+xlZzzFJBMbgTQhpJXIfcwOw== admin@backup.hegyd.com&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfcJ8J5YR6F7qrYLuVJ3YIqOXqNvj1OnYd0zybZ45X+IeFKePo2hL1NHALHWxys6Qo4Ta3pPcRkliQBy51IIXOtNVp90C4XqTNkwaAl6X4RnPPoGNVgq1V53BW/mkUYsvLoYTJHokb+a3exGHCYaPbuj09FV5VVdF2uGUIiRyMZzmZurLCzySagP+8e34ZrLDlwwmDtd24CVc0OyxikqFOzzOkvCWTaAttGv7qyAlwjyAAMTqlJhqPNaCQcOJVEGiwXNlXqjroRJz7j4a3vEd3xujfY3zeSu9U22iCgAJWiLRI+M7m7af4/yxTV8IYNvpOMTjqMnxOEAKsiCLmrwUJ MGA@HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSpLz0aUxPDyO5cXPm8HQkaNAUjNNULrhH8G3Nvw7SdhAvRVL9/RKzXu5Aa4nSQd0u61bWVlGvDVSSZgZGRnoxsmzK1aOJWcgJmhVI1r6o9fVKSxz/x+1uE8PFJxUVaGULoLvDRzZLDazg/c/Djb5AgTprmw8KvMKdcDk/kCixFmjEObuOwFbnA/ZbnHS8PPUgHSCwLNAQOUSZSLRZzEFRKO4+HCl5T7iZfCGd7dCInysG2tVzBJCqsN7hw5fhz49Kb1txa93dYhY7kh7SYqCYthGToqGVcDNQX7cXCP2Sqpw+2N/SAcke6E/MgalYAr40dIRRFuUJKX8LxLoko47r admin@rescue&lt;br /&gt;
ssh-dss AAAAB3NzaC1kc3MAAACBAPoQ6wRywMMkQ0npdVnRdlIclapxF0n3kK7iljksiwfi5p8VzGgbF6KxYiroJaKu7Q3gf4EgPlTyWJ8TgCI/bji/bCTqdPfMjQpp621l6p244WSMQEWipExnCkI6oBTuEK1Hr/T435ygwscwl2vcGnXQcGA6K7p16LpsLHykKPKtAAAAFQC1B/WkyCWjVSubUZgMBNfCeE2DaQAAAIBLmHlw2IrhZEhuz1m3k1H+ssH1JiPTcN1I6Z+M/n3OTYrdMIBuPLEtr3P+SZrnmZVLlwIzWtlw2dtwv+5G0UpzgNKmUQf27o2sgrKnSap2FP3cqBbDuUrsaZLexVawCualQPxTcXqufanrwPPYht3rtM5J3VmkW/jqpATxXJnO5wAAAIB+u9M9bObM7YzB7CZ4jmr4wXAo2HocqvBygmSX4dj3qgsqJoJ7bOATCYVSps6kqVcvWvztZ58duC1gvomDB+56CAPkin3S52Wtq6J/Qz3q+SEJNqcZ5+qiGn9mORaTsEx+iaA4pNbRjuKMp7rmWJ1gQ4e/OxQwmJXpTARsZIkBOw== admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDSTvhJwZSkwprrGoTTCDXK4p4VtyGo9EBNckRimYpwUAIq5MV3coWwrfJR/5qH7gYgZdCtBkZR/Mq59Xoeug7Gs5saoVkM0AjjIWPIpx52tl6/mnMvb7XrHwgonxiP2UR5o6tzVJgIK5jO7K6ezaJMobbmorxTDr7zcRm3obON1s21+Wv2FXZBUsFxXL3QjoECgh9mCV7bIjVis6Wl/bPq/ufLwcIhSnnpAzes7kWrfpIU825wUizdyp3JL8clDt1ovdBll7HdnCxmpux/NQQAixNYZhS0G65xXa8Db6hb3XS9v0AZcx07xsP+bGrUMo++L+HPqLYVADTskiRST+Z admin@SRV-ADMIN-HEGYD&lt;br /&gt;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAHM3LBXe42KgEg9S23UO/PvL9EaYqECQDaRpQRJT7lkbcCNKTspRLVSHfWyyirykAME9fYcWhs6FJpE1/S/H2Pyre/0kUs9fZcaDyIuieow8lTu2dUYhZeMXmD0Uk4oUliaNxO3ATth116wdH/sp7Z46PofnNop2oAEhML7pJIN4/3v9BbUyzJNMQ1ZspPJh0e4P1dtNBVo/vIfByNWMgAVJW4w0Srcir13KsQG2FhWAZVhNBqUmVJnB6TwfcR27zQrxOIuk2R3g4eGHBZtckgA+KHEacPu9Sy7Hzp2Qz0kr+pylcpVbKv0Wl2Uyie7ekt/juiO8NdylBo4DD6+jWfESooLrfaXBLSzXDy2OWENxclmwKsj1CFFHNwyvBTooeNzMjHp1+lI4I0GDiF5ZdBA01hhEs9lsn6ZIkjj2WMaW5BVw7VtdsG4S3ZxTowviFStf7CTuHKLm2gPBBCXj4gkuXNOEta+fFBGBJDLPWfzWSOBcUEexL2CVeLI+xxtwqWjogsYLISydT1kAf/ucSmC7hIUab1UVwCHFxg8JQ1G/ne/XY3JwVSflHpVSWYAqerb9PF80nr+MSWuzq5BMmFboEUXFNVPWgfaJk29JqaIZFnyG1V85LHhX9yGSLpn1gXF3Yt/dtxIoKiE6wFy6W18bzw+6zABvcIvXz7hiWGNp enzo@dri&lt;br /&gt;
&amp;quot; &amp;gt; /home/admin/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/admin/.ssh/authorized_keys&lt;br /&gt;
chown -R admin:admin /home/admin/.ssh&lt;br /&gt;
&lt;br /&gt;
useradd -m -u 1022 -G fwadmin,dev,adm,staff,adm-projects,wheel -s /bin/bash -p pa2TnhUhhBRfU support&lt;br /&gt;
mkdir /home/support/.ssh&lt;br /&gt;
chmod 700 /home/support/.ssh&lt;br /&gt;
touch /home/support/.ssh/authorized_keys&lt;br /&gt;
chmod 600 /home/support/.ssh/authorized_keys&lt;br /&gt;
chown -R support:support /home/support/.ssh&lt;br /&gt;
&lt;br /&gt;
chmod 750 /home/*&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*  Configurer openssh-server&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
echo &amp;quot;alias root=\&amp;quot;ssh -AX root@localhost\&amp;quot;&amp;quot; &amp;gt;&amp;gt;/home/admin/.bashrc&lt;br /&gt;
sed -i 's/^PermitRootLogin yes/PermitRootLogin without-password/' /etc/ssh/sshd_config&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/ssh/sshd_config &amp;lt;&amp;lt;EOF&lt;br /&gt;
&lt;br /&gt;
UseDns no&lt;br /&gt;
AllowUsers root mike admin support&lt;br /&gt;
EOF&lt;br /&gt;
service ssh reload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Installer le serveur de mail local&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
debconf-set-selections &amp;lt;&amp;lt;EOF&lt;br /&gt;
postfix postfix/root_address    string&lt;br /&gt;
postfix postfix/rfc1035_violation       boolean false&lt;br /&gt;
postfix postfix/mydomain_warning        boolean&lt;br /&gt;
postfix postfix/mynetworks      string  127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128&lt;br /&gt;
postfix postfix/mailname        string  $(hostname -f)&lt;br /&gt;
postfix postfix/tlsmgr_upgrade_warning  boolean&lt;br /&gt;
postfix postfix/recipient_delim string  +&lt;br /&gt;
postfix postfix/main_mailer_type        select  Internet Site&lt;br /&gt;
postfix postfix/destinations    string  $(hostname -f), localhost.$(hostname -f | sed -e 's/^[^.]\+\.\(.*\)$/\1/'), localhost&lt;br /&gt;
postfix postfix/retry_upgrade_warning   boolean&lt;br /&gt;
# Faut-il installer postfix malgré l'incompatibilité du noyau ?&lt;br /&gt;
postfix postfix/kernel_version_warning  boolean&lt;br /&gt;
postfix postfix/not_configured  error&lt;br /&gt;
postfix postfix/mailbox_limit   string  0&lt;br /&gt;
postfix postfix/relayhost       string&lt;br /&gt;
postfix postfix/procmail        boolean false&lt;br /&gt;
postfix postfix/bad_recipient_delimiter error&lt;br /&gt;
postfix postfix/protocols       select  ipv4&lt;br /&gt;
postfix postfix/chattr  boolean false&lt;br /&gt;
EOF&lt;br /&gt;
&lt;br /&gt;
NB : les erreurs sur le ligne 13 et 17 sont normales.&lt;br /&gt;
&lt;br /&gt;
heirloom-mailx est déprécié mais présent dans le paquet s-nail&lt;br /&gt;
&lt;br /&gt;
apt-get -y install postfix s-nail&lt;br /&gt;
&lt;br /&gt;
sed -i -e '/^\/var\/log\/mail.log$/d' -e '/\/var\/log\/mail.info/i \&lt;br /&gt;
/var/log/mail.log\&lt;br /&gt;
{\&lt;br /&gt;
    rotate 4\&lt;br /&gt;
    weekly\&lt;br /&gt;
    missingok\&lt;br /&gt;
    notifempty\&lt;br /&gt;
    compress\&lt;br /&gt;
    delaycompress\&lt;br /&gt;
    create 640 root dev\&lt;br /&gt;
    sharedscripts\&lt;br /&gt;
    postrotate\&lt;br /&gt;
        invoke-rc.d rsyslog rotate &amp;gt; /dev/null\&lt;br /&gt;
    endscript\&lt;br /&gt;
}' /etc/logrotate.d/rsyslog&lt;br /&gt;
&lt;br /&gt;
chgrp dev /var/log/mail.log&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;gt;&amp;gt; /etc/aliases &amp;lt;&amp;lt;EOF&lt;br /&gt;
root: tech@hegyd.com&lt;br /&gt;
mike: m.reault@netprestation.com&lt;br /&gt;
EOF&lt;br /&gt;
newaliases&lt;br /&gt;
service postfix reload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Modifier les points de montage par défault en éditant le fichier &amp;quot;/etc/fstab&amp;quot; pour ajouter les options &amp;quot;noatime,barrier=0&amp;quot; à tout les montages ext4.&lt;br /&gt;
Exemple :&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/dev/mapper/vg_vm-root        /                 ext4    errors=remount-ro,relatime 0 1&lt;br /&gt;
UUID=6f7256e5-a5e3-4019-9f08-c582c20ffceb /boot ext2    defaults 0 2&lt;br /&gt;
/dev/mapper/vg_vm-home        /home             ext4    defaults,noatime,barrier=0 0 2&lt;br /&gt;
/dev/mapper/vg_algorel-tmp    /tmp              ext4    defaults,noatime,noexec,barrier=0 0 2&lt;br /&gt;
/dev/mapper/vg_algorel-var    /var              ext4    defaults,noatime 0 2&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Cloner le depot sys-common&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Au préalable, pour autoriser le git, se connecter sur srv-admin ( bastion ) et faire :&lt;br /&gt;
&lt;br /&gt;
eval $(ssh-agent)&lt;br /&gt;
ssh-add&lt;br /&gt;
ssh root@nouvelle_vm &lt;br /&gt;
ou ssh nouvelle_vm puis su - root&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /usr/local/share/hegyd&lt;br /&gt;
echo -e &amp;quot;Host git.hegyd.net\n\tStrictHostKeyChecking no\n&amp;quot; &amp;gt;&amp;gt; ~/.ssh/config&lt;br /&gt;
git clone -q git@git.hegyd.net:sys-common /usr/local/share/hegyd/sys-common&lt;br /&gt;
chmod -R g+rw /usr/local/share/hegyd&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter une version prédéfinie de VimRC&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ln -s /usr/local/share/hegyd/sys-common/vim/vimrc_hegyd /etc/vim/vimrc.local&lt;br /&gt;
sed -i '78,80s/^/&amp;quot;/' /usr/share/vim/vim81/defaults.vim&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Ajouter le script d'alerte des reboot&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat &amp;lt;&amp;lt;EOF &amp;gt;/etc/rc.local&lt;br /&gt;
#!/bin/sh -e&lt;br /&gt;
#&lt;br /&gt;
# rc.local&lt;br /&gt;
#&lt;br /&gt;
# This script is executed at the end of each multiuser runlevel.&lt;br /&gt;
# Make sure that the script will &amp;quot;exit 0&amp;quot; on success or any other&lt;br /&gt;
# value on error.&lt;br /&gt;
#&lt;br /&gt;
# In order to enable or disable this script just change the execution&lt;br /&gt;
# bits.&lt;br /&gt;
#&lt;br /&gt;
# By default this script does nothing.&lt;br /&gt;
&lt;br /&gt;
exit 0&lt;br /&gt;
EOF&lt;br /&gt;
chmod +x /etc/rc.local&lt;br /&gt;
systemctl start rc-local&lt;br /&gt;
systemctl status rc-local&lt;br /&gt;
sed -i '/^exit 0/i\/usr\/local\/share\/hegyd\/sys-common\/bin\/alert-reboot' /etc/rc.local&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== IP Vrack (pour les VMs) ==&lt;br /&gt;
* Si la VM doit avoir une IP VRACK, il faut la configurer après avoir chois une IP dans le fichier des IPs&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Ajouter dans /etc/network/interfaces, pour l'ip eth0&lt;br /&gt;
&lt;br /&gt;
        post-up /sbin/ifconfig eth0:1 172.16.0.145 netmask 255.240.0.0&lt;br /&gt;
        post-down /sbin/ifconfig eth0:1 down&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
NB : pour les hyperviseurs, voir après l'installation dans le wiki&amp;lt;br /&amp;gt;&lt;br /&gt;
* Pour les serveurs physiques, positionner l'adresse VRack sur l'interface eth1 ou eth3 (selon le serveur)&lt;br /&gt;
&lt;br /&gt;
== Pare feu ==&lt;br /&gt;
* Important : Suppression de ufw installé automatiquement avec Debian 10/Buster et qui bloque fwbuilder.&lt;br /&gt;
Référence : https://talk.lowendspirit.com/discussion/290/resolved-ufw-iptables-not-working-in-debian-10-minimal&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt install iptables&lt;br /&gt;
update-alternatives --set iptables /usr/sbin/iptables-legacy&lt;br /&gt;
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Configurer le système&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mkdir /etc/firewall&lt;br /&gt;
chgrp fwadmin /etc/firewall&lt;br /&gt;
chmod 2770 /etc/firewall&lt;br /&gt;
sed  -i -e '/^Defaults\s\+env_reset\s*$/aDefaults:%fwadmin   !lecture , passwd_timeout=1 , timestamp_timeout=1' -e &amp;quot;/^root\s\+ALL=(ALL:ALL)\s\+ALL\s*$/a%fwadmin  ALL = NOPASSWD: /etc/firewall/$(hostname -f).fw , /usr/bin/pkill&amp;quot; /etc/sudoers&lt;br /&gt;
sed -i &amp;quot;/^exit 0/i\/etc\/firewall\/$(hostname -f).fw&amp;quot; /etc/rc.local&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Créer et déployer le par feu&lt;br /&gt;
'''Créer le firewall sur firewall-builder puis le déployer'''&lt;br /&gt;
* Ajouter les vm dans le groupe &amp;quot;Virtual Machine&amp;quot; de firewall builder&lt;br /&gt;
* Ajouter les serveurs dans le groupe &amp;quot;Servers Applicatifs&amp;quot; de firewall builder&lt;br /&gt;
&lt;br /&gt;
== Installation paquets clients ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install mysql-client&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
ou ( dernier Buster )&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install default-mysql-client&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
Si le serveur MySQL doit être installé sur la machine :&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install mysql-server&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
ou&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get install default-mysql-server&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
=== UTF-8 client / serveur ===&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i -e '/\[client\]/{n;n;/$/a \&lt;br /&gt;
default-character-set = utf8&lt;br /&gt;
}' \&lt;br /&gt;
 -e '/\[mysqld\]/a \&lt;br /&gt;
character_set_server    = utf8\&lt;br /&gt;
collation_server        = utf8_general_ci' \&lt;br /&gt;
 -e '/\[mysql\]/a \&lt;br /&gt;
default-character-set = utf8' /etc/mysql/my.cnf&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Tuning ==&lt;br /&gt;
&lt;br /&gt;
* Sur un serveur physique, si le RAID est hard, il n'y a pas besoin du service mdadm&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i -e 's/START_DAEMON=true/START_DAEMON=false/' -e 's/AUTOCHECK=true/AUTOCHECK=false/' /etc/default/mdadm&lt;br /&gt;
service mdadm restart&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* PLUS NECESSAIRE : Suppression des tty inutiles (2 suffisent)&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sed -i '56,59s/^/#/' /etc/inittab&lt;br /&gt;
kill -HUP 1&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Serveur de cache DNS local ==&lt;br /&gt;
* Suivre la procédure [[Bind]]&lt;br /&gt;
&lt;br /&gt;
== Monitoring / Supervision ==&lt;br /&gt;
* Installer et configurer [[Snmp]]&lt;br /&gt;
* Installer et configurer le client [[Nagios#Installation_du_client_sur_Debian |NRPE pour Debian]]&lt;br /&gt;
&lt;br /&gt;
== Sauvegarde ==&lt;br /&gt;
* Installer et configurer [[Bacula#Debian]]&lt;br /&gt;
&lt;br /&gt;
== Comptes utilisateurs ==&lt;br /&gt;
* Créer les comptes utilisateurs pour les accès du client (voir clés SSH publiques sur serveur Penta)&lt;br /&gt;
&lt;br /&gt;
[[Catégorie:Administration serveurs]]&lt;/div&gt;</description>
			<pubDate>Sat, 07 Mar 2020 18:22:36 GMT</pubDate>			<dc:creator>Pentasonic</dc:creator>			<comments>https://wiki.hegyd.com/index.php/Discussion:Systeme_d%27exploitation_Debian_10</comments>		</item>
	</channel>
</rss>