assume scripts are running as root, dont sudo everything

scripts/mail.sh

@@ -5,7 +5,7 @@
 
 # Install packages.
 
-sudo DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
+DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
 	postfix postgrey dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite
 
 # POSTFIX
@@ -13,8 +13,8 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
 mkdir -p $STORAGE_ROOT/mail
 	
 # TLS configuration
-sudo sed -i "s/#submission/submission/" /etc/postfix/master.cf # enable submission port (not in Drew Crawford's instructions)
-sudo tools/editconf.py /etc/postfix/main.cf \
+sed -i "s/#submission/submission/" /etc/postfix/master.cf # enable submission port (not in Drew Crawford's instructions)
+tools/editconf.py /etc/postfix/main.cf \
 	smtpd_use_tls=yes\
 	smtpd_tls_auth_only=yes \
 	smtp_tls_security_level=may \
@@ -24,19 +24,19 @@ sudo tools/editconf.py /etc/postfix/main.cf \
 	# note: smtpd_use_tls=yes appears to already be the default, but we can never be too sure
 
 # authorization via dovecot
-sudo tools/editconf.py /etc/postfix/main.cf \
+tools/editconf.py /etc/postfix/main.cf \
 	smtpd_sasl_type=dovecot \
 	smtpd_sasl_path=private/auth \
 	smtpd_sasl_auth_enable=yes \
 	smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
 
-sudo tools/editconf.py /etc/postfix/main.cf mydestination=localhost
+tools/editconf.py /etc/postfix/main.cf mydestination=localhost
 
 # message delivery is directly to dovecot
-sudo tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:unix:private/dovecot-lmtp
+tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:unix:private/dovecot-lmtp
 
 # domain and user table is configured in a Sqlite3 database
-sudo tools/editconf.py /etc/postfix/main.cf \
+tools/editconf.py /etc/postfix/main.cf \
 	virtual_mailbox_domains=sqlite:/etc/postfix/virtual-mailbox-domains.cf \
 	virtual_mailbox_maps=sqlite:/etc/postfix/virtual-mailbox-maps.cf \
 	virtual_alias_maps=sqlite:/etc/postfix/virtual-alias-maps.cf \
@@ -44,17 +44,17 @@ sudo tools/editconf.py /etc/postfix/main.cf \
 
 db_path=$STORAGE_ROOT/mail/users.sqlite
 
-sudo su root -c "cat > /etc/postfix/virtual-mailbox-domains.cf" << EOF;
+cat > /etc/postfix/virtual-mailbox-domains.cf << EOF;
 dbpath=$db_path
 query = SELECT 1 FROM users WHERE email LIKE '%%@%s'
 EOF
 
-sudo su root -c "cat > /etc/postfix/virtual-mailbox-maps.cf" << EOF;
+cat > /etc/postfix/virtual-mailbox-maps.cf << EOF;
 dbpath=$db_path
 query = SELECT 1 FROM users WHERE email='%s'
 EOF
 
-sudo su root -c "cat > /etc/postfix/virtual-alias-maps.cf" << EOF;
+cat > /etc/postfix/virtual-alias-maps.cf << EOF;
 dbpath=$db_path
 query = SELECT destination FROM aliases WHERE source='%s'
 EOF
@@ -72,22 +72,22 @@ fi
 # The dovecot-imapd dovecot-lmtpd packages automatically enable those protocols.
 
 # mail storage location
-sudo tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
+tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
 	mail_location=maildir:$STORAGE_ROOT/mail/mailboxes/%d/%n \
 	mail_privileged_group=mail \
 	first_valid_uid=0
 
 # authentication mechanisms
-sudo tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
+tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
 	disable_plaintext_auth=yes \
 	"auth_mechanisms=plain login"
 
 # use SQL-based authentication, not the system users
-sudo sed -i "s/\(\!include auth-system.conf.ext\)/#\1/"  /etc/dovecot/conf.d/10-auth.conf
-sudo sed -i "s/#\(\!include auth-sql.conf.ext\)/\1/"  /etc/dovecot/conf.d/10-auth.conf
+sed -i "s/\(\!include auth-system.conf.ext\)/#\1/"  /etc/dovecot/conf.d/10-auth.conf
+sed -i "s/#\(\!include auth-sql.conf.ext\)/\1/"  /etc/dovecot/conf.d/10-auth.conf
 
 # how to access SQL
-sudo su root -c "cat > /etc/dovecot/conf.d/auth-sql.conf.ext" << EOF;
+cat > /etc/dovecot/conf.d/auth-sql.conf.ext << EOF;
 passdb {
   driver = sql
   args = /etc/dovecot/dovecot-sql.conf.ext
@@ -97,7 +97,7 @@ userdb {
   args = uid=mail gid=mail home=$STORAGE_ROOT/mail/mailboxes/%d/%n
 }
 EOF
-sudo su root -c "cat > /etc/dovecot/dovecot-sql.conf.ext" << EOF;
+cat > /etc/dovecot/dovecot-sql.conf.ext << EOF;
 driver = sqlite
 connect = $db_path
 default_pass_scheme = SHA512-CRYPT
@@ -106,25 +106,25 @@ EOF
 
 # disable in-the-clear IMAP and POP because we're paranoid (we haven't even
 # enabled POP).
-sudo sed -i "s/#port = 143/port = 0/" /etc/dovecot/conf.d/10-master.conf
-sudo sed -i "s/#port = 110/port = 0/" /etc/dovecot/conf.d/10-master.conf
+sed -i "s/#port = 143/port = 0/" /etc/dovecot/conf.d/10-master.conf
+sed -i "s/#port = 110/port = 0/" /etc/dovecot/conf.d/10-master.conf
 
 # Modify the unix socket for LMTP.
-sudo sed -i "s/unix_listener lmtp \(.*\)/unix_listener \/var\/spool\/postfix\/private\/dovecot-lmtp \1\n    user = postfix\n    group = postfix\n/" /etc/dovecot/conf.d/10-master.conf 
+sed -i "s/unix_listener lmtp \(.*\)/unix_listener \/var\/spool\/postfix\/private\/dovecot-lmtp \1\n    user = postfix\n    group = postfix\n/" /etc/dovecot/conf.d/10-master.conf 
 
 # Add an additional auth socket for postfix. Check if it already is
 # set to make sure this is idempotent.
-if sudo grep -q "mailinabox-postfix-private-auth" /etc/dovecot/conf.d/10-master.conf; then
+if grep -q "mailinabox-postfix-private-auth" /etc/dovecot/conf.d/10-master.conf; then
 	# already done
 	true;
 else
-	sudo sed -i "s/\(\s*unix_listener auth-userdb\)/  unix_listener \/var\/spool\/postfix\/private\/auth \{ # mailinabox-postfix-private-auth\n    mode = 0666\n    user = postfix\n    group = postfix\n  \}\n\1/" /etc/dovecot/conf.d/10-master.conf
+	sed -i "s/\(\s*unix_listener auth-userdb\)/  unix_listener \/var\/spool\/postfix\/private\/auth \{ # mailinabox-postfix-private-auth\n    mode = 0666\n    user = postfix\n    group = postfix\n  \}\n\1/" /etc/dovecot/conf.d/10-master.conf
 fi
 
 # Drew Crawford sets the auth-worker process to run as the mail user, but we don't care if it runs as root.
 
 # Enable SSL.
-sudo tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
+tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 	ssl=required \
 	"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 	"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
@@ -133,22 +133,22 @@ sudo tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 # in /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem, which we'll
 # use unless certificates already exist.
 mkdir -p $STORAGE_ROOT/ssl
-if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then sudo cp /etc/dovecot/dovecot.pem $STORAGE_ROOT/ssl/ssl_certificate.pem; fi
-if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then sudo cp /etc/dovecot/private/dovecot.pem $STORAGE_ROOT/ssl/ssl_private_key.pem; fi
+if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then cp /etc/dovecot/dovecot.pem $STORAGE_ROOT/ssl/ssl_certificate.pem; fi
+if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then cp /etc/dovecot/private/dovecot.pem $STORAGE_ROOT/ssl/ssl_private_key.pem; fi
 
-sudo chown -R mail:dovecot /etc/dovecot
-sudo chmod -R o-rwx /etc/dovecot
+chown -R mail:dovecot /etc/dovecot
+chmod -R o-rwx /etc/dovecot
 
 mkdir -p $STORAGE_ROOT/mail/mailboxes
-sudo chown -R mail.mail $STORAGE_ROOT/mail/mailboxes
+chown -R mail.mail $STORAGE_ROOT/mail/mailboxes
 
 # restart services
-sudo service postfix restart
-sudo service dovecot restart
+service postfix restart
+service dovecot restart
 
 # allow mail-related ports in the firewall
-sudo ufw allow smtp
-sudo ufw allow submission
-sudo ufw allow imaps
+ufw allow smtp
+ufw allow submission
+ufw allow imaps
 
 

scripts/system.sh

@@ -1,11 +1,11 @@
 # Base system configuration.
 
-sudo apt-get -q update
-sudo apt-get -q -y upgrade
+apt-get -q update
+apt-get -q -y upgrade
 
 # Basic packages.
 
-sudo apt-get -q -y install sqlite3
+apt-get -q -y install sqlite3
 
 # Turn on basic services:
 #
@@ -15,15 +15,15 @@ sudo apt-get -q -y install sqlite3
 #
 # These services don't need further configuration and are started immediately after installation.
 
-sudo apt-get install -q -y ntp fail2ban
+apt-get install -q -y ntp fail2ban
 
 # Turn on the firewall. First allow incoming SSH, then turn on the firewall. Additional open
 # ports will be set up in the scripts that set up those services.
-sudo ufw allow ssh
-#sudo ufw allow domain
-#sudo ufw allow http
-#sudo ufw allow https
-sudo ufw --force enable
+ufw allow ssh
+#ufw allow domain
+#ufw allow http
+#ufw allow https
+ufw --force enable
 
 # Mount the storage volume.
 export STORAGE_ROOT=/home/ubuntu/storage