Share your "hooks" to apply custom configurations

It has never been clear to me what UsePam corresponds to … isn’t this related to being able to use LDAP users to log in? What makes you say that “it is necessary to set it to no”?

It’s not clear to me either. I don’t say “it is necessary”, but it seems that it is necessary. The UsePAM = yes setting allows PAM authentication with login/password. If we want to disable login/password authentication, UsePAM is not necessary, and I don’t know if it is a problem to set it to yes, but I understand that it is not a problem to set it to no. In the first case, I’m not sure whether authentication by login/password is possible through LDAP, for example, as you say; in the second, I’m sure it’s not possible.
PAM means Pluggable Authentication Modules; it can be LDAP.
I only follow the recommendations that I often read, but I’m not sure I understand correctly why it is recommended.
Excuse me if I’m not clear, I have difficulty writing in English. But the DeepL translator is my friend for writing this :slightly_smiling_face:

I’m thinking of adding the following configuration, which is mainly used for monitoring via Zabbix:
/etc/yunohost/hooks.d/conf_regen/17-nginx_status

#!/bin/bash
# conf_regen hook. YunoHost calls it as "<action> <force> <dry-run> <pending_dir>";
# the 17- prefix sorts it after YunoHost's own nginx hook (15-nginx), so the
# nginx pending tree already exists when this runs.

action=$1
pending_dir=$4
nginx_dir=$pending_dir/../nginx/etc/nginx
nginx_status_conf=$nginx_dir/conf.d/default.d/stubstatus.conf

[[ $action == "pre" ]] || exit 0
[[ -d $nginx_dir ]] || exit 0
# Make sure the target directory exists. Testing that the file itself already
# exists here would make the hook exit before ever writing it, because the
# nginx regen does not generate stubstatus.conf on its own.
mkdir -p "$(dirname "$nginx_status_conf")"
echo '
location = /basic_status {
  stub_status;
  allow 127.0.0.1;
  allow ::1;
  deny all;
}' > "$nginx_status_conf"

However, for the moment the configuration generation doesn’t work and I don’t really know why.

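Before installing a hook like the one above, it is worth running it against a throw-away pending tree and checking the snippet it produces. The following is an added example, not the hook author’s code and not a YunoHost command (the real equivalent is `yunohost tools regen-conf --dry-run`): it reproduces the positional convention the hook relies on ($1 = pre|post, $4 = this hook’s pending dir, the nginx category reachable as ../nginx), then verifies that the generated location only admits loopback clients. The hook it runs is a constructed copy of the one above; paths and the category name are assumptions.

```shell
#!/bin/bash
# Added example (not the hook author's code, not a YunoHost command): run a
# conf_regen hook against a throw-away pending tree, using the positional
# convention the hook above relies on ($1 = pre|post, $4 = this hook's pending
# dir, the nginx category reachable as ../nginx), then check that the snippet it
# produced admits loopback clients only.
set -u

# dry_run_hook HOOK CATEGORY ROOT
# Builds ROOT/pending/CATEGORY and ROOT/pending/nginx/etc/nginx/conf.d/default.d
# (the layout the hook above expects), then calls HOOK as
# "pre <force> <dry-run> <pending_dir>", with force and dry-run passed as 0.
# Nothing under /etc or /var/cache/yunohost is touched.
dry_run_hook() {
    local hook=$1 category=$2 root=$3
    local pending=$root/pending
    mkdir -p "$pending/$category" "$pending/nginx/etc/nginx/conf.d/default.d"
    bash "$hook" pre 0 0 "$pending/$category"
}

# loopback_only FILE
# Returns 0 if FILE has a "deny all;" and every "allow" in it is 127.0.0.1 or
# ::1; returns 1 if the deny is missing or any other address is allowed.
loopback_only() {
    local file=$1
    grep -Eq '^[[:space:]]*deny[[:space:]]+all;' "$file" || return 1
    if grep -E '^[[:space:]]*allow[[:space:]]' "$file" \
        | grep -Evq 'allow[[:space:]]+(127\.0\.0\.1|::1);'; then
        return 1            # an allow that is not loopback
    fi
    return 0
}

# Demo: a constructed hook that writes the same stub_status location as the
# post above, run against a temporary tree.
demo() {
    local root; root=$(mktemp -d)
    local hook=$root/17-nginx_status
    cat > "$hook" <<'EOF'
#!/bin/bash
action=$1
pending_dir=$4
out=$pending_dir/../nginx/etc/nginx/conf.d/default.d/stubstatus.conf
[[ $action == "pre" ]] || exit 0
printf 'location = /basic_status {\n  stub_status;\n  allow 127.0.0.1;\n  allow ::1;\n  deny all;\n}\n' > "$out"
EOF
    dry_run_hook "$hook" nginx_status "$root"
    local out=$root/pending/nginx/etc/nginx/conf.d/default.d/stubstatus.conf
    if loopback_only "$out"; then
        echo "ok: $out restricts /basic_status to loopback"
    else
        echo "FAIL: $out would expose /basic_status" >&2
    fi
    rm -rf "$root"
}
demo
```

The check is deliberately strict: a snippet with `allow 10.0.0.0/8;` or one that forgets `deny all;` fails it, which is the kind of mistake that exposes connection counters to anyone who can reach the domain.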

Hello @ljf,

Could you give me more explanations, please?
I don’t really understand how to use the arguments --key and --value.
For example, you can take my previous post to explain to me how I can comment out the line “include conf.d/yunohost_panel.conf.inc;” like I do with sed.

ynh_write_var_in_file is built to replace a variable, so in your case you still need to use sed.

Here is an example if you want to change the variable foo in this file:
/root/testfile

bar = "plop"
foo = 42
bam = "bim"
ynh_write_var_in_file --file=/root/testfile --key=foo --value=43
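Since ljf’s answer leaves the “comment out one include line” case to sed, here is an added example of doing it safely from a hook; it is not ljf’s code and not a YunoHost helper. The point it adds is idempotence: a conf_regen pre hook runs on every regen, so a naive `sed 's/^/#/'` stacks `#` prefixes, while the helper below matches the directive literally (no regex escaping to get wrong) and leaves an already commented line alone. The sample server block and the pending path mentioned in the comment are constructed assumptions, not taken from the earlier post.

```shell
#!/bin/bash
# Added example, not ljf's code and not a YunoHost helper: comment out one
# directive in a pending config file idempotently. A conf_regen hook runs on
# every regen, so a plain "sed 's/^/#/'" would stack "#" prefixes; this matches
# the directive literally (no regex escaping needed) and leaves an already
# commented line alone.
set -u

# comment_directive FILE DIRECTIVE
# Prefix the first uncommented line whose text starts with DIRECTIVE with "# ",
# keeping its indentation. DIRECTIVE is compared literally; it must not contain
# backslashes, which awk -v would interpret.
comment_directive() {
    local file=$1 directive=$2 tmp
    tmp=$(mktemp)
    awk -v d="$directive" '
        !done {
            line = $0
            sub(/^[[:space:]]*/, "", line)                 # text without indent
            if (index(line, d) == 1) {                     # literal prefix match
                indent = substr($0, 1, length($0) - length(line))
                $0 = indent "# " line
                done = 1
            }
        }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed server block. In a real hook the target would be a file
# under $pending_dir/../nginx/etc/nginx/ (path assumed, not taken from the post).
demo() {
    local conf; conf=$(mktemp)
    printf 'server {\n    include conf.d/yunohost_panel.conf.inc;\n    include conf.d/yunohost_sso.conf.inc;\n}\n' > "$conf"
    comment_directive "$conf" 'include conf.d/yunohost_panel.conf.inc;'
    comment_directive "$conf" 'include conf.d/yunohost_panel.conf.inc;'   # no-op the second time
    cat "$conf"
    rm -f "$conf"
}
demo
```

Running it twice leaves the file unchanged after the first pass, which is exactly what you want from something regen-conf will call repeatedly; the other include line is untouched because only the first literal match is rewritten.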

There is also a new setting to restrict the webadmin access:

yunohost settings set security.webadmin.allowlist -v <comma-separated list of IP addresses>
yunohost settings set security.webadmin.allowlist.enabled -v True

Thanks a lot for describing and sharing your hooks!

I didn’t know about hooks before and had already modified some system configuration files (and documented the modifications to be able to redo them after system updates).

Using hooks instead makes these custom configurations much easier.


Thanks a bunch for your script, I had no idea how to enable the stub status for nginx for YunoHost, you made my day :slight_smile:

Nice thread!

For those who want to manage SSH security: Config ssh : utilisation de AllowUsers ou AllowGroups? - #4 by Kit

The hook manages:

  • users in groups ssh.app and ssh.main
  • SSH port modification
  • allowing password authentication or keys only
  • TLS compatibility (TLS 1.2 & 1.3 or 1.3 only)

Any improvement welcome :slight_smile:


Is there some documentation outside this forum to help users understand better?

Here’s another hook for postfix: Customize additional config for postfix's main.cf - #3 by oberger

There is the setting smtp.allow_ipv6 in yunohost to enable or disable ipv6 for postfix:

yunohost settings set smtp.allow_ipv6 -v False

Well, I guess the setting I needed (smtp_address_preference = ipv4) is a subcase of what allow_ipv6 manages (inet_protocols = ipv4). I.e., we can still receive mail over IPv6 but will prefer IPv4 for sending, whereas inet_protocols just switches IPv6 off, AFAIU. Thanks anyway.


Hello, I tried to create a hook to modify the files /etc/postfix/main.cf and /etc/postfix/master.cf in order to slow down sending to certain servers such as orange.fr.
Does this look correct to you?

#!/bin/bash
# conf_regen hook for postfix: route the domains listed in /etc/postfix/transport
# through a throttled "slow" delivery service.

# Beforehand I created a file /etc/postfix/transport listing the servers for
# which I want to slow down sending:
# orange.fr slow;
# free.fr slow;
# domain.tld slow;

action=$1
pending_dir=$4
postfix_main_conf=$pending_dir/../postfix/etc/postfix/main.cf
postfix_master_conf=$pending_dir/../postfix/etc/postfix/master.cf

[[ "$action" == "pre" ]] || exit 0
[[ -e $postfix_main_conf ]] || exit 0
[[ -e $postfix_master_conf ]] || exit 0

# Per-transport limits are enforced by qmgr, which reads them from main.cf.
echo '
transport_maps = hash:/etc/postfix/transport
slow_initial_destination_concurrency=1
slow_destination_concurrency_limit=1
slow_destination_rate_delay=5' >> "$postfix_main_conf"

# The "slow" service is an ordinary smtp client with its own syslog name.
# "-o *_destination_*" overrides on this entry would not be seen by qmgr,
# so the limits stay in main.cf above.
echo '
slow    unix    -       -       n       -       5       smtp
   -o syslog_name=postfix-slow' >> "$postfix_master_conf"

Hi @Poine
I’m also following the discussion on the chatons forum… how is your /etc/postfix/transport/ file configured? With the commented lines at the start?

orange.fr slow;
free.fr slow;
domain.tld slow;

In the wiki documentation it was like this, so I have a doubt…

# Wanadoo / Orange
wanadoo.com wanadoo:
wanadoo.fr wanadoo:
wanadoo.es wanadoo:
orange.com orange:
orange.fr orange:

Hi,
ah yes, I made a mistake above: in my /etc/postfix/transport file there are indeed colons at the end of each line, not semicolons!

OK, but it’s still with slow at the end, is that right? For example

# Wanadoo / Orange
wanadoo.com slow:
wanadoo.fr slow:
wanadoo.es slow:
orange.com slow:
orange.fr slow:
free.fr slow:

Yes, if you want to apply the same rule to everyone.
Otherwise you can create several rules like this:

In /etc/postfix/transport

wanadoo.com slow:
wanadoo.fr slow:
orange.fr slow:
free.fr regle2:
yahoo.com regle2:

In /etc/postfix/master.cf

slow    unix    -       -       n       -       5       smtp
   -o syslog_name=postfix-slow
   -o smtp_destination_concurrency_limit=1
   -o slow_destination_rate_delay=5
regle2  unix    -       -       n       -       5       smtp
   -o syslog_name=postfix-slow
   -o smtp_destination_concurrency_limit=4
   -o slow_destination_rate_delay=1

In /etc/postfix/main.cf

slow_destination_recipient_limit = 20
slow_destination_concurrency_limit = 1
slow_destination_rate_delay = 5s

regle2_destination_recipient_limit = 2
regle2_destination_concurrency_limit = 4
regle2_destination_rate_delay = 1s

The numbers above are an example; put whatever you want!


Great…
But then it’s hard to know which rules to use so as not to be treated as spam, and by which ISP… They don’t make it easy for us…

I have a problem: a user is trying to send several emails and the .orange addresses don’t receive their emails…
The rule I put in:

echo '
transport_maps = hash:/etc/postfix/transport
slow_initial_destination_concurrency=1
slow_destination_concurrency_limit=1
slow_destination_rate_delay=5' >> $postfix_main_conf

echo '
slow    unix    -       -       n       -       5       smtp
   -o syslog_name=postfix-slow
   -o smtp_destination_concurrency_limit=1
   -o slow_destination_rate_delay=5' >> $postfix_master_conf

And I get an error like this:

Mar  2 18:18:23 domain postfix/trivial-rewrite[2819055]: warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport
Mar  2 18:18:23 domain postfix/qmgr[2619125]: warning: connect to transport private/orange: Connection refused
Mar  2 18:18:23 domain postfix/qmgr[2619125]: 5765F28E10B: from=<userdomain@domain.fr>, size=64395, nrcpt=1 (queue active)
Mar  2 18:18:23 domain postfix/error[2819056]: 3E0AA28E3ED: to=<personne@orange.fr>, relay=none, delay=21313, delays=21313/0.02/0/0.05, dsn=4.3.0, status=deferred (mail transport unavailable)
Mar  2 18:18:28 domain postfix/error[2819056]: 5765F28E10B: to=<personne2@orange.fr>, relay=none, delay=2153, delays=2148/5.1/0/0.06, dsn=4.3.0, status=deferred (mail transport unavailable)

So I’m going to try removing this hook and starting again from a default configuration…

I confirm: after removing the hook and running a regen_conf to remove the added rules, emails to orange worked…
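The two log warnings in the post above point at the two things the postfix hooks in this thread leave to the operator: `transport.db is older than source file` means `postmap /etc/postfix/transport` was not re-run after editing the map, and `connect to transport private/orange: Connection refused` means the map names a transport (`orange:`, as in the wiki snippet) that has no service line in master.cf, so qmgr defers everything routed to it. The following is an added example, not code from Poine’s hook or from YunoHost: it validates a transport(5) map against master.cf before a hook installs it, and appends the throttled service and its qmgr limits idempotently so the hook can run on every regen without duplicating lines. Sample files are constructed; the `regle2` name is reused from the thread.

```shell
#!/bin/bash
# Added example, not code from the thread and not a YunoHost helper. It checks a
# Postfix transport(5) map against master.cf before a conf_regen hook installs
# it, so a transport name with no matching service (the "connect to transport
# private/orange: Connection refused" log above: the map said "orange:" but
# master.cf only defined "slow") is caught before mail is deferred, and it adds
# the throttled service and its limits idempotently so the hook can run on every
# regen without duplicating lines.
set -u

# transport_names MAP
# Transport names referenced in a transport(5) map, one per line, deduplicated.
# "orange.fr slow:" -> slow; "free.fr smtp:[relay]:587" -> smtp; a bare ":"
# (use the default transport) yields nothing.
transport_names() {
    awk '!/^[[:space:]]*(#|$)/ { split($2, t, ":"); if (t[1] != "") print t[1] }' "$1" | sort -u
}

# master_services MASTER_CF
# Service names defined in master.cf: first field of lines that are not
# indented (indented lines are "-o" continuations) and not comments.
master_services() {
    awk '/^[^[:space:]#]/ { print $1 }' "$1" | sort -u
}

# check_transport_map MAP MASTER_CF
# Returns 0 when every transport used in MAP has a service in MASTER_CF,
# 1 otherwise (each missing name is reported on stderr).
check_transport_map() {
    local map=$1 master=$2 rc=0 name
    for name in $(transport_names "$map"); do
        if ! master_services "$master" | grep -qxF -- "$name"; then
            echo "transport '$name' in $map has no service in $master" >&2
            rc=1
        fi
    done
    return $rc
}

# add_throttled_service MASTER_CF NAME
# Appends "NAME unix ... smtp" to master.cf unless a service NAME already
# exists. Only syslog_name is overridden here: the *_destination_* limits are
# enforced by qmgr, which reads them from main.cf, not from master.cf -o lines.
add_throttled_service() {
    local master=$1 name=$2
    master_services "$master" | grep -qxF -- "$name" && return 0
    printf '%-8s unix  -       -       n       -       5       smtp\n  -o syslog_name=postfix-%s\n' \
        "$name" "$name" >> "$master"
}

# add_throttle_limits MAIN_CF NAME CONCURRENCY RATE_DELAY
# Appends the per-transport qmgr limits for NAME to main.cf unless present.
add_throttle_limits() {
    local main=$1 name=$2 concurrency=$3 delay=$4
    grep -q "^${name}_destination_rate_delay" "$main" && return 0
    printf '\n%s_initial_destination_concurrency = 1\n%s_destination_concurrency_limit = %s\n%s_destination_rate_delay = %s\n' \
        "$name" "$name" "$concurrency" "$name" "$delay" >> "$main"
}

# Demo on constructed files in a temporary directory (no real Postfix touched).
demo() {
    local dir; dir=$(mktemp -d)
    printf 'smtp      unix  -       -       y       -       -       smtp\nerror     unix  -       -       y       -       -       error\n' > "$dir/master.cf"
    : > "$dir/main.cf"
    # Constructed map referencing "slow" and "regle2", as in the thread.
    printf '# constructed sample\norange.fr slow:\nwanadoo.fr slow:\nfree.fr regle2:\n' > "$dir/transport"

    add_throttled_service "$dir/master.cf" slow
    add_throttle_limits "$dir/main.cf" slow 1 5s
    # regle2 is used by the map but not yet defined: the check reports it.
    check_transport_map "$dir/transport" "$dir/master.cf" || echo "map not consistent yet"
    add_throttled_service "$dir/master.cf" regle2
    add_throttle_limits "$dir/main.cf" regle2 4 1s
    check_transport_map "$dir/transport" "$dir/master.cf" && echo "map consistent"
    # In a real hook, run "postmap /etc/postfix/transport" in the post action so
    # transport.db is not older than its source (the first warning in the log above).
    rm -rf "$dir"
}
demo
```

In a hook, run `check_transport_map` in the pre action against the pending master.cf and `exit 1` on failure, so a regen never ships a map that routes mail to a non-existent service; run `postmap` in the post action. The `-o smtp_destination_concurrency_limit` and `-o slow_destination_rate_delay` overrides shown in master.cf earlier in the thread are not read by qmgr, which is why the limits here go only in main.cf.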