| author | Cullum Smith <cullum@sacredheartsc.com> | 2026-02-13 21:28:49 -0500 |
|---|---|---|
| committer | Cullum Smith <cullum@sacredheartsc.com> | 2026-02-13 21:28:49 -0500 |
| commit | bc19ce16e4c897c6886587e429c31c8758e84994 (patch) | |
| tree | 04b64a647967c93fd9c0a3455f87a4e59bd5b8b2 | |
| parent | 3c13812cd538d7d047153b8271cb632145a92c1f (diff) | |
| download | infrastructure-bc19ce16e4c897c6886587e429c31c8758e84994.tar.gz | |
debian stuff, switch to ly
65 files changed, 948 insertions, 46 deletions
diff --git a/files/etc/aliases.debian b/files/etc/aliases.debian
new file mode 100644
index 0000000..c86d883
--- /dev/null
+++ b/files/etc/aliases.debian
@@ -0,0 +1,2 @@
+postmaster: root
+root: ${root_mail_alias}
diff --git a/files/etc/autofs.conf.linux b/files/etc/autofs.conf.linux
new file mode 100644
index 0000000..3138bc7
--- /dev/null
+++ b/files/etc/autofs.conf.linux
@@ -0,0 +1,20 @@
+[autofs]
+master_map_name = /etc/auto_master
+timeout = 300
+mount_verbose = yes
+browse_mode = yes
+logging = verbose
+disable_not_found_message = yes
+nount_nfs_default_protocol = 4
+
+ldap_uri = ${ldap_uri}
+search_base = ${automount_basedn}
+map_object_class = automountMap
+entry_object_class = automount
+map_attribute = automountMapName
+entry_attribute = automountKey
+value_attribute= automountInformation
+auto_conf_file = /etc/autofs_ldap_auth.conf
+
+[ amd ]
+dismount_interval = 300
diff --git a/files/etc/autofs_ldap_auth.conf.linux b/files/etc/autofs_ldap_auth.conf.linux
new file mode 100644
index 0000000..9fef857
--- /dev/null
+++ b/files/etc/autofs_ldap_auth.conf.linux
@@ -0,0 +1,8 @@
+<?xml version="1.0" ?>
+<autofs_ldap_sasl_conf
+usetls="no"
+tlsrequired="no"
+authrequired="yes"
+authtype="GSSAPI"
+clientprinc="host/${fqdn}@${realm}"
+/>
diff --git a/files/etc/default/grub.debian b/files/etc/default/grub.debian
new file mode 100644
index 0000000..12063fe
--- /dev/null
+++ b/files/etc/default/grub.debian
@@ -0,0 +1,7 @@
+GRUB_DEFAULT=0
+GRUB_TIMEOUT=3
+GRUB_DISTRIBUTOR="Debian"
+GRUB_CMDLINE_LINUX_DEFAULT=""
+GRUB_CMDLINE_LINUX="${grub_cmdline}"
+GRUB_TERMINAL_OUTPUT="gfxterm serial"
+GRUB_SERIAL_COMMAND="serial --speed=115200"
diff --git a/files/etc/gettytab.desktop b/files/etc/gettytab.desktop
new file mode 100644
index 0000000..36b417e
--- /dev/null
+++ b/files/etc/gettytab.desktop
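Review bot: Two option names in autofs.conf.linux look mistyped and will most likely be ignored by automount rather than rejected: `nount_nfs_default_protocol = 4` should read `mount_nfs_default_protocol = 4`, and `auto_conf_file = /etc/autofs_ldap_auth.conf` should read `auth_conf_file = /etc/autofs_ldap_auth.conf`. The second is the one that matters, because it is the key that points automount at the GSSAPI settings in autofs_ldap_auth.conf.linux added in this same commit; the default path happens to be the same file, so the typo may be masked today, but the intent is not what the file says. Minor: `value_attribute= automountInformation` lacks the space before `=` used by every other entry.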
@@ -0,0 +1,241 @@ +# Most of the table entries here are just copies of the old getty table, +# it is by no means certain, or even likely, that any of them are optimal +# for any purpose whatever. Nor is it likely that more than a couple are +# even correct. +# +# The default gettytab entry, used to set defaults for all other +# entries, and in cases where getty is called with no table name. +# +# cb, ce and ck are desirable on most crt's. The non-crt entries need to +# be changed to turn them off (:cb@:ce@:ck@:). +# +# lc should always be on; it's a remainder of some stone age when there +# have been terminals around not being able of handling lower-case +# characters. Those terminals aren't supported any longer, but getty is +# `smart' about them by default. +# +# Parity defaults to even, but the Pc entry and all the `std' entries +# specify no parity. The different parities are: +# (none): same as ep for getty. login will use terminal as is. +# ep: getty will use raw mode (cs8 -parenb) (unless rw is set) and +# fake parity. login will use even parity (cs7 parenb -parodd). +# op: same as ep except odd parity (cs7 parenb parodd) for login. +# getty will fake odd parity as well. +# ap: same as ep except -inpck instead of inpck for login. +# ap overrides op and ep. +# np: 1. don't fake parity in getty. The fake parity garbles +# characters on non-terminals (like pccons) that don't +# support parity. It would probably better for getty not to +# try to fake parity. It could just use cbreak mode so as +# not to force cs8 and let the hardware handle the parity. +# login has to be rely on the hardware anyway. +# 2. set cs8 -parenb -istrip -inpck. +# ep:op: same as ap. +# +default:\ + :cb:ce:ck:lc:fd#1000:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\ + :if=/etc/issue: + +# +# Fixed speed entries +# +# The "std.NNN" names are known to the special case +# portselector code in getty, however they can +# be assigned to any table desired. 
+# The "NNN-baud" names are known to the special case +# autobaud code in getty, and likewise can +# be assigned to any table desired (hopefully the same speed). +# +std:\ + :np:sp#0: +a|std.110|110-baud:\ + :np:nd#1:cd#1:uc:sp#110: +b|std.134|134.5-baud:\ + :np:nd#1:cd#2:ff#1:td#1:sp#134:ht:nl: +1|std.150|150-baud:\ + :np:nd#1:cd#2:td#1:fd#1:sp#150:ht:nl:lm=\E\72\6\6\17login\72 : +c|std.300|300-baud:\ + :np:nd#1:cd#1:sp#300: +d|std.600|600-baud:\ + :np:nd#1:cd#1:sp#600: +f|std.1200|1200-baud:\ + :np:fd#1:sp#1200: +6|std.2400|2400-baud:\ + :np:sp#2400: +7|std.4800|4800-baud:\ + :np:sp#4800: +2|std.9600|9600-baud:\ + :np:sp#9600: +g|std.19200|19200-baud:\ + :np:sp#19200: +std.38400|38400-baud:\ + :np:sp#38400: +std.57600|57600-baud:\ + :np:sp#57600: +std.115200|115200-baud:\ + :np:sp#115200: +std.230400|230400-baud:\ + :np:sp#230400: + +# +# Entry specifying explicit device settings. See termios(4) and +# /usr/include/termios.h, too. The entry forces the tty into +# CLOCAL mode (so no DCD is required), and uses Xon/Xoff flow control. +# +# cflags: CLOCAL | HUPCL | CREAD | CS8 +# oflags: OPOST | ONLCR | OXTABS +# iflags: IXOFF | IXON | ICRNL | IGNPAR +# lflags: IEXTEN | ICANON | ISIG | ECHOCTL | ECHO | ECHOK | ECHOE | ECHOKE +# +# The `0' flags don't have input enabled. The `1' flags don't echo. +# (Echoing is done inside getty itself.) 
+# +local.9600|CLOCAL tty @ 9600 Bd:\ + :c0#0x0000c300:c1#0x0000cb00:c2#0x0000cb00:\ + :o0#0x00000007:o1#0x00000002:o2#0x00000007:\ + :i0#0x00000704:i1#0x00000000:i2#0x00000704:\ + :l0#0x000005cf:l1#0x00000000:l2#0x000005cf:\ + :sp#9600:np: + +# +# Dial in rotary tables, speed selection via 'break' +# +0|d300|Dial-300:\ + :nx=d1200:cd#2:sp#300: +d1200|Dial-1200:\ + :nx=d150:fd#1:sp#1200: +d150|Dial-150:\ + :nx=d110:lm@:tc=150-baud: +d110|Dial-110:\ + :nx=d300:tc=300-baud: + +# +# Fast dialup terminals, 2400/1200/300 rotary (can start either way) +# +D2400|d2400|Fast-Dial-2400:\ + :nx=D1200:tc=2400-baud: +3|D1200|Fast-Dial-1200:\ + :nx=D300:tc=1200-baud: +5|D300|Fast-Dial-300:\ + :nx=D2400:tc=300-baud: + +# +#telebit (19200) +# +t19200:\ + :nx=t2400:tc=19200-baud: +t2400:\ + :nx=t1200:tc=2400-baud: +t1200:\ + :nx=t19200:tc=1200-baud: + +# +#telebit (9600) +# +t9600:\ + :nx=t2400a:tc=9600-baud: +t2400a:\ + :nx=t1200a:tc=2400-baud: +t1200a:\ + :nx=t9600:tc=1200-baud: + +# +# Odd special case terminals +# +-|tty33|asr33|Pity the poor user of this beast:\ + :tc=110-baud: + +4|Console|Console Decwriter II:\ + :nd@:cd@:rw:tc=300-baud: + +e|Console-1200|Console Decwriter III:\ + :fd@:nd@:cd@:rw:tc=1200-baud: + +i|Interdata console:\ + :uc:sp#0: + +l|lsi chess terminal:\ + :sp#300: + +X|Xwindow|X window system:\ + :fd@:nd@:cd@:rw:sp#9600: + +P|Pc|Pc console:\ + :ht:np:sp#9600: + +# +# Weirdo special case for fast crt's with hardcopy devices +# +8|T9600|CRT with hardcopy:\ + :nx=T300:tc=9600-baud: +9|T300|CRT with hardcopy (300):\ + :nx=T9600:tc=300-baud: + +# +# Plugboard, and misc other terminals +# +plug-9600|Plugboard-9600:\ + :pf#1:tc=9600-baud: +p|P9600|Plugboard-9600-rotary:\ + :pf#1:nx=P300:tc=9600-baud: +q|P300|Plugboard-300:\ + :pf#1:nx=P1200:tc=300-baud: +r|P1200|Plugboard-1200:\ + :pf#1:nx=P9600:tc=1200-baud: + +# +# XXXX Port selector +# +s|DSW|Port Selector:\ + :ps:sp#2400: + +# +# Auto-baud speed detect entry for Micom 600. 
+# Special code in getty will switch this out +# to one of the NNN-baud entries. +# +A|Auto-baud:\ + :ab:sp#2400:f0#040: + +# +# autologin - automatically log in as root +# + +autologin|al.9600:\ + :al=root:tc=std.9600: +al.19200:\ + :al=root:tc=std.19200: +al.38400:\ + :al=root:tc=std.38400: +al.57600:\ + :al=root:tc=std.57600: +al.115200:\ + :al=root:tc=std.115200: +al.230400:\ + :al=root:tc=std.230400: +al.Pc:\ + :al=root:tc=Pc + +# +# Entries for 3-wire serial terminals. These don't supply carrier, so +# clocal needs to be set, and crtscts needs to be unset. +# +3wire:\ + :np:nc:sp#0: +3wire.9600|9600-3wire:\ + :np:nc:sp#9600: +3wire.19200|19200-3wire:\ + :np:nc:sp#19200: +3wire.38400|38400-3wire:\ + :np:nc:sp#38400: +3wire.57600|57600-3wire:\ + :np:nc:sp#57600: +3wire.115200|115200-3wire:\ + :np:nc:sp#115200: +3wire.230400|230400-3wire:\ + :np:nc:sp#230400: + +# Ly login manager +Ly:\ + :lo=/usr/local/bin/ly_wrapper:\ + :al=root: diff --git a/files/etc/gettytab.laptop b/files/etc/gettytab.laptop new file mode 120000 index 0000000..1baef80 --- /dev/null +++ b/files/etc/gettytab.laptop @@ -0,0 +1 @@ +gettytab.desktop
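Review bot: The new `Ly:` entry at the end of the hunk combines `al=root` with `lo=/usr/local/bin/ly_wrapper`, so getty starts that wrapper with root privileges and without authenticating anyone; ly is then expected to do its own PAM authentication. The wrapper is not part of this commit, so nothing here shows its owner or that it is not group/world writable, and the entry itself does not say why autologin as root is needed. A comment on the entry stating that contract would help the next reader, e.g. `# ly runs as root via autologin and authenticates users itself through PAM; ly_wrapper must be root-owned and not writable by others`. The rest of the file appears to be the stock FreeBSD gettytab.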
\ No newline at end of file
diff --git a/files/etc/gettytab.roadwarrior_laptop b/files/etc/gettytab.roadwarrior_laptop
new file mode 120000
index 0000000..1baef80
--- /dev/null
+++ b/files/etc/gettytab.roadwarrior_laptop
@@ -0,0 +1 @@
+gettytab.desktop
\ No newline at end of file
diff --git a/files/etc/hosts.freebsd b/files/etc/hosts.common
index 5551ff0..5551ff0 100644
--- a/files/etc/hosts.freebsd
+++ b/files/etc/hosts.common
diff --git a/files/etc/ldap/ldap.conf.common b/files/etc/ldap/ldap.conf.common
new file mode 120000
index 0000000..b0c8501
--- /dev/null
+++ b/files/etc/ldap/ldap.conf.common
@@ -0,0 +1 @@
+../../usr/local/etc/openldap/ldap.conf.common
\ No newline at end of file
diff --git a/files/etc/nscd.conf.linux b/files/etc/nscd.conf.linux
new file mode 100644
index 0000000..43332a3
--- /dev/null
+++ b/files/etc/nscd.conf.linux
@@ -0,0 +1,23 @@
+debug-level 0
+paranoia no
+
+enable-cache passwd yes
+positive-time-to-live passwd ${nscd_ttl}
+negative-time-to-live passwd ${nscd_negative_ttl}
+suggested-size passwd 211
+max-db-size passwd 33554432
+
+enable-cache group yes
+positive-time-to-live group ${nscd_ttl}
+negative-time-to-live group ${nscd_negative_ttl}
+suggested-size group 211
+max-db-size group 33554432
+
+enable-cache services yes
+positive-time-to-live services ${nscd_ttl}
+negative-time-to-live services ${nscd_negative_ttl}
+suggested-size services 211
+max-db-size services 33554432
+
+enable-cache netgroup no
+enable-cache hosts no
diff --git a/files/etc/nslcd.conf.common b/files/etc/nslcd.conf.common
new file mode 120000
index 0000000..a1c53c1
--- /dev/null
+++ b/files/etc/nslcd.conf.common
@@ -0,0 +1 @@
+../usr/local/etc/nslcd.conf.common
\ No newline at end of file
diff --git a/files/etc/nsswitch.conf.debian b/files/etc/nsswitch.conf.debian
new file mode 100644
index 0000000..bf9b65c
--- /dev/null
+++ b/files/etc/nsswitch.conf.debian
@@ -0,0 +1,12 @@
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+gshadow: files
+hosts: files dns
+networks: files
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+sudoers: files ldap
+automount: files ldap
diff --git a/files/etc/pam.d/common-account.debian b/files/etc/pam.d/common-account.debian
new file mode 100644
index 0000000..ba65b50
--- /dev/null
+++ b/files/etc/pam.d/common-account.debian
@@ -0,0 +1,4 @@
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+account requisite pam_deny.so
+account required pam_permit.so
+account required pam_krb5.so
diff --git a/files/etc/pam.d/common-auth.debian b/files/etc/pam.d/common-auth.debian
new file mode 100644
index 0000000..394b2e9
--- /dev/null
+++ b/files/etc/pam.d/common-auth.debian
@@ -0,0 +1,4 @@
+auth [success=2 default=ignore] pam_krb5.so
+auth [success=1 default=ignore] pam_unix.so try_first_pass nullok
+auth requisite pam_deny.so
+auth required pam_permit.so
diff --git a/files/etc/pam.d/common-password.debian b/files/etc/pam.d/common-password.debian
new file mode 100644
index 0000000..c904ed8
--- /dev/null
+++ b/files/etc/pam.d/common-password.debian
@@ -0,0 +1,4 @@
+password [success=2 default=ignore] pam_krb5.so
+password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+password requisite pam_deny.so
+password required pam_permit.so
diff --git a/files/etc/pam.d/common-session-noninteractive.debian b/files/etc/pam.d/common-session-noninteractive.debian
new file mode 100644
index 0000000..a45cb4a
--- /dev/null
+++ b/files/etc/pam.d/common-session-noninteractive.debian
@@ -0,0 +1,6 @@
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session optional pam_krb5.so no_ccache
+session required pam_unix.so
diff --git a/files/etc/pam.d/common-session.debian b/files/etc/pam.d/common-session.debian
new file mode 100644
index 0000000..4044566
--- /dev/null
+++ b/files/etc/pam.d/common-session.debian
@@ -0,0 +1,8 @@
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_unix.so
+session optional pam_systemd.so
+session optional pam_mkhomedir.so umask=0077
+session optional pam_krb5.so
diff --git a/files/etc/pam.d/login.debian b/files/etc/pam.d/login.debian
new file mode 100644
index 0000000..ae726d7
--- /dev/null
+++ b/files/etc/pam.d/login.debian
@@ -0,0 +1,16 @@
+auth optional pam_faildelay.so delay=3000000
+auth requisite pam_nologin.so
+@include common-auth
+auth optional pam_group.so
+account required pam_access.so nodefgroup
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default_bad] pam_selinux.so close
+session required pam_loginuid.so
+session [success=ok ignore=ignore module_unknown=ignore default_bad] pam_selinux.so open
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+session required pam_limits.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session optional pam_exec.so /usr/local/libexec/pam-create-local-homedir
+@include common-password
diff --git a/files/etc/pam.d/ly.freebsd b/files/etc/pam.d/ly.freebsd
new file mode 100644
index 0000000..90913e3
--- /dev/null
+++ b/files/etc/pam.d/ly.freebsd
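Review bot: Both `pam_selinux.so` lines in login.debian carry `default_bad`, which is not a valid `[...]` action token; sshd.debian in the same commit (and Debian's own /etc/pam.d/login) spell it `default=bad`. Linux-PAM logs a parse error for a control field it cannot read and, as far as I recall, treats that line as failing rather than ignoring it, so console logins through this template may fail at the session stage even though pam_selinux is not installed. The fix is `session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close` and the same spelling on the `open` line.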
@@ -0,0 +1,20 @@
+# NB: FreeBSD has no pam_stack.so or substack functionality, so we can't
+# try multiple authentication sources (like krb5 but fall back to pam_unix)
+# if we want pam_kwallet5 to execute.
+# Hence, for sddm, we try krb5 only (no local accounts).
+auth sufficient pam_self.so no_warn
+auth required /usr/local/lib/security/pam_krb5.so try_first_pass
+auth optional pam_exec.so /usr/local/libexec/pam-create-local-homedir
+
+account requisite pam_securetty.so
+account required pam_nologin.so
+account required /usr/local/lib/security/pam_krb5.so
+account required pam_login_access.so nodefgroup
+account required pam_unix.so
+
+session required pam_lastlog.so no_fail
+session required pam_xdg.so no_fail
+session required /usr/local/lib/security/pam_krb5.so
+session optional /usr/local/lib/pam_mkhomedir.so mode=0700
+
+password required /usr/local/lib/security/pam_krb5.so try_first_pass
diff --git a/files/etc/pam.d/sshd.debian b/files/etc/pam.d/sshd.debian
new file mode 100644
index 0000000..5ae2adf
--- /dev/null
+++ b/files/etc/pam.d/sshd.debian
@@ -0,0 +1,14 @@
+@include common-auth
+account required pam_nologin.so
+account required pam_access.so nodefgroup
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session required pam_limits.so
+session required pam_env.so
+session required pam_env.so envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session optional pam_exec.so /usr/local/libexec/pam-create-local-homedir
+@include common-password
diff --git a/files/etc/postfix/main.cf.common b/files/etc/postfix/main.cf.common
new file mode 100644
index 0000000..9b77c13
--- /dev/null
+++ b/files/etc/postfix/main.cf.common
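Review bot: `auth sufficient pam_self.so no_warn` at the top of ly.freebsd does not belong in a greeter stack: pam_self succeeds when the requesting user matches the target user, which is meant for programs a user runs to re-authenticate as themselves. ly is started by getty as root via the new `Ly` gettytab entry, so the line is either dead or, if ly happens to set PAM_RUSER to the invoking user, lets the `root` account through without pam_krb5 ever being consulted; I would drop it and keep the krb5-only stack the comment describes. Separately, `auth optional pam_exec.so /usr/local/libexec/pam-create-local-homedir` runs during authentication, before the stack has decided anything, so a home directory may be created for any existing username typed at the greeter; login.debian and sshd.debian in this same commit run that script as a `session` module, which is the phase it belongs in here too.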
@@ -0,0 +1,10 @@
+biff = no
+mydestination =
+relayhost = [${smtp_host}]
+mynetworks_style = host
+inet_interfaces = loopback-only
+smtp_tls_CAfile = ${site_cacert_path}
+smtp_tls_security_level = may
+virtual_alias_maps = hash:/etc/aliases
+smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
+inet_protocols = ipv4
diff --git a/files/etc/profile.d/local-homedir.sh.common b/files/etc/profile.d/local-homedir.sh.common
index 422e967..5906de8 100644
--- a/files/etc/profile.d/local-homedir.sh.common
+++ b/files/etc/profile.d/local-homedir.sh.common
@@ -9,6 +9,8 @@ fi
 LOCAL_HOME="/usr/local/home/${USER}"
+ln -snf "$LOCAL_HOME" "${HOME}/localdisk"
+
 export PYTHONUSERBASE="${LOCAL_HOME}/.local"
 export npm_config_cache="${LOCAL_HOME}/.npm"
 export CARGO_HOME="${LOCAL_HOME}/.cargo"
diff --git a/files/etc/security/access.conf.debian b/files/etc/security/access.conf.debian
new file mode 100644
index 0000000..02c4837
--- /dev/null
+++ b/files/etc/security/access.conf.debian
@@ -0,0 +1,12 @@
++:root:ALL
++:${icinga_local_user}:ALL
+$(if [ -n "${login_access_groups:-}" ] || [ -n "${login_access_users:-}" ]; then
+printf -- '-:ALL EXCEPT '
+if [ -n "${login_access_groups:-}" ]; then
+printf '(%s) ' ${login_access_groups}
+fi
+if [ -n "${login_access_users:-}" ]; then
+printf '%s ' ${login_access_users}
+fi
+printf ':ALL\n'
+fi)
diff --git a/files/etc/ssh/ssh_config.common b/files/etc/ssh/ssh_config.common
new file mode 120000
index 0000000..48ea566
--- /dev/null
+++ b/files/etc/ssh/ssh_config.common
@@ -0,0 +1 @@
+../../usr/local/etc/ssh/ssh_config.common
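Review bot: `smtp_tls_security_level = may` makes delivery to `[${smtp_host}]` opportunistic, so a downgrade on the path falls back to cleartext even though `smtp_tls_CAfile` is configured. With a single fixed relayhost and a site CA available, `smtp_tls_security_level = encrypt` (or `secure`, if the relay's certificate name matches `${smtp_host}`) is the usual choice; if `may` is deliberate because some hosts relay to a non-TLS MTA, a comment on the line saying so would help.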
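Review bot: `ln -snf "$LOCAL_HOME" "${HOME}/localdisk"` now runs from a profile.d script on every login shell, replacing the one-time symlink this commit removes from pam-create-local-homedir.common, and it is unguarded: when `$LOCAL_HOME` does not exist (sessions that skipped the pam_exec hook), when `$HOME` is read-only or not mounted, or when `${HOME}/localdisk` is already a real directory (then `-n` puts the link inside it), the command either prints an error into the user's terminal on every shell or creates the link in the wrong place. A guard such as `if [ -d "$LOCAL_HOME" ] && { [ -L "${HOME}/localdisk" ] || [ ! -e "${HOME}/localdisk" ]; }; then ln -snf "$LOCAL_HOME" "${HOME}/localdisk" 2>/dev/null; fi` keeps the intent without the noise. The surrounding script continues outside the hunk.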
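Review bot: access.conf.debian is fail-open: the `-:ALL EXCEPT … :ALL` deny rule is only emitted when `login_access_groups` or `login_access_users` is set, so a host that defines neither ends up with just the two permit lines and pam_access (`required` in login.debian and sshd.debian) allows every account. If that is the intended default for hosts without an access list, a comment in the template saying so would avoid surprises; otherwise an `else printf -- '-:ALL:ALL\n'` branch closes it. Note also that the template is evaluated by the shell, so the unquoted `${login_access_groups}` and `${login_access_users}` expansions rely on those values being plain space-separated names.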
\ No newline at end of file
diff --git a/files/etc/ssh/sshd_config.debian b/files/etc/ssh/sshd_config.debian
new file mode 100644
index 0000000..bca5ece
--- /dev/null
+++ b/files/etc/ssh/sshd_config.debian
@@ -0,0 +1,17 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+AcceptEnv LANG LC_*
+PermitRootLogin prohibit-password
+AuthorizedKeysFile .ssh/authorized_keys
+AuthorizedKeysCommand /usr/local/libexec/idm-ssh-authorized-keys %u
+AuthorizedKeysCommandUser ${ssh_authzkeys_username}
+
+KbdInteractiveAuthentication no
+PasswordAuthentication yes
+
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+UsePAM yes
+UseDNS no
+
+Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/files/etc/systemd/system/data.mount.linux b/files/etc/systemd/system/data.mount.linux
new file mode 100644
index 0000000..0be58fa
--- /dev/null
+++ b/files/etc/systemd/system/data.mount.linux
@@ -0,0 +1,12 @@
+[Unit]
+Description=Boxconf data mount
+
+[Mount]
+What=/dev/disk/by-uuid/$(blkid "$data_partition" -s UUID -o value)
+Where=${data_mountpoint}
+Type=ext4
+Options=defaults,rw,relatime,discard
+TimeoutSec=10
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/etc/systemd/timesyncd.conf.linux b/files/etc/systemd/timesyncd.conf.linux
new file mode 100644
index 0000000..4bbcee9
--- /dev/null
+++ b/files/etc/systemd/timesyncd.conf.linux
@@ -0,0 +1,3 @@
+[Time]
+NTP=${ntp_servers:-} ${ntp_pools:-}
+FallbackNTP=
diff --git a/files/etc/ttys.desktop b/files/etc/ttys.desktop
new file mode 100644
index 0000000..6e5d27b
--- /dev/null
+++ b/files/etc/ttys.desktop
@@ -0,0 +1,24 @@
+console none unknown off insecure
+#
+ttyv0 "/usr/libexec/getty Pc" xterm onifexists secure
+# Virtual terminals
+ttyv1 "/usr/libexec/getty Ly" xterm onifexists secure
+ttyv2 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv3 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv4 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv5 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv6 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv7 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure
+# Serial terminals
+# The 'dialup' keyword identifies dialin lines to login, fingerd etc.
+ttyu0 "/usr/libexec/getty 3wire.115200" vt100 onifexists secure
+ttyu1 "/usr/libexec/getty 3wire" vt100 onifconsole secure
+ttyu2 "/usr/libexec/getty 3wire" vt100 onifconsole secure
+ttyu3 "/usr/libexec/getty 3wire" vt100 onifconsole secure
+# Dumb console
+dcons "/usr/libexec/getty std.9600" vt100 off secure
+# Xen Virtual console
+xc0 "/usr/libexec/getty Pc" xterm onifconsole secure
+# RISC-V HTIF console
+rcons "/usr/libexec/getty std.9600" vt100 onifconsole secure
diff --git a/files/etc/ttys.laptop b/files/etc/ttys.laptop
new file mode 120000
index 0000000..2388b6f
--- /dev/null
+++ b/files/etc/ttys.laptop
@@ -0,0 +1 @@
+ttys.desktop
\ No newline at end of file
diff --git a/files/etc/ttys.roadwarrior_laptop b/files/etc/ttys.roadwarrior_laptop
new file mode 120000
index 0000000..2388b6f
--- /dev/null
+++ b/files/etc/ttys.roadwarrior_laptop
@@ -0,0 +1 @@
+ttys.desktop
\ No newline at end of file
diff --git a/files/usr/local/etc/ly/config.ini.desktop b/files/usr/local/etc/ly/config.ini.desktop
new file mode 100644
index 0000000..517ada7
--- /dev/null
+++ b/files/usr/local/etc/ly/config.ini.desktop
@@ -0,0 +1,87 @@ +allow_empty_password = true +animation = none +animation_timeout_sec = 0 +asterisk = * +auth_fails = 0 +battery_id = null +auto_login_service = ly-autologin +auto_login_session = null +auto_login_user = null +bg = 0x00000000 +bigclock = none +bigclock_12hr = false +bigclock_seconds = false +blank_box = true +border_fg = 0x00FFFFFF +box_title = null +brightness_down_cmd = /usr/bin/backlight - 10 +brightness_down_key = F5 +brightness_down_cmd = /usr/bin/backlight + 10 +brightness_up_key = F6 +clear_password = true +clock = %A %B %e, %Y %l:%M %p +cmatrix_fg = 0x0000FF00 +cmatrix_head_col = 0x01FFFFFF +cmatrix_min_codepoint = 0x21 +cmatrix_max_codepoint = 0x7B +colormix_col1 = 0x00FF0000 +colormix_col2 = 0x000000FF +colormix_col3 = 0x20000000 +custom_sessions = /usr/local/etc/ly/custom-sessions +default_input = password +doom_fire_height = 6 +doom_fire_spread = 2 +doom_top_color = 0x009F2707 +doom_middle_color = 0x00C78F17 +doom_bottom_color = 0x00FFFFFF +dur_file_path = /usr/local/etc/ly/example.dur +dur_x_offset = 0 +dur_y_offset = 0 +edge_margin = 0 +error_bg = 0x00000000 +error_fg = 0x01FF0000 +fg = 0x00FFFFFF +full_color = true +gameoflife_entropy_interval = 10 +gameoflife_fg = 0x0000FF00 +gameoflife_frame_delay = 6 +gameoflife_initial_density = 0.4 +hibernate_cmd = null +hibernate_key = F4 +hide_borders = false +hide_key_hints = true +hide_keyboard_locks = false +hide_version_string = true +inactivity_cmd = null +inactivity_delay = 0 +initial_info_text = null +input_len = 34 +lang = en +login_cmd = null +login_defs_path = /etc/login.defs +logout_cmd = null +ly_log = /var/log/ly.log +margin_box_h = 2 +margin_box_v = 1 +min_refresh_delta = 5 +numlock = false +path = null +restart_cmd = null +restart_key = F2 +save = true +service_name = ly +session_log = .local/state/ly-session.log +setup_cmd = /usr/local/etc/ly/setup.sh +shutdown_cmd = null +shutdown_key = F1 +sleep_cmd = null +sleep_key = F3 +start_cmd = null +text_in_center = false 
+vi_default_mode = normal +vi_mode = false +waylandsessions = /usr/local/share/wayland-sessions +x_cmd = /usr/local/bin/X +xauth_cmd = /usr/local/bin/xauth +xinitrc = null +xsessions = null diff --git a/files/usr/local/etc/ly/config.ini.laptop b/files/usr/local/etc/ly/config.ini.laptop new file mode 120000 index 0000000..a624fa9 --- /dev/null +++ b/files/usr/local/etc/ly/config.ini.laptop @@ -0,0 +1 @@ +config.ini.desktop
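Review bot: `brightness_down_cmd` is defined twice in config.ini.desktop; the second occurrence, `brightness_down_cmd = /usr/bin/backlight + 10`, sits next to `brightness_up_key = F6` and should be `brightness_up_cmd = /usr/bin/backlight + 10` — as written F6 has no command and F5 gets whichever of the two values ly keeps. `allow_empty_password = true` also deserves a comment if it is intentional: it lets the greeter hand an empty password to PAM, which the ly.freebsd stack in this commit should reject via pam_krb5, but the setting is only as safe as every auth module that ends up in that stack.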
\ No newline at end of file
diff --git a/files/usr/local/etc/ly/config.ini.roadwarrior_laptop b/files/usr/local/etc/ly/config.ini.roadwarrior_laptop
new file mode 120000
index 0000000..a624fa9
--- /dev/null
+++ b/files/usr/local/etc/ly/config.ini.roadwarrior_laptop
@@ -0,0 +1 @@
+config.ini.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository index 1f4891a..8a61cbb 100644 --- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository +++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository @@ -51,7 +51,10 @@ misc_kdeedu_UNSET=KITEN misc_kdeutils_UNSET=FILELIGHT KTEATIME KDF multimedia_ffmpeg_SET=OPENSSL VIDSTAB multimedia_ffmpeg_UNSET=GNUTLS +multimedia_kdemultimedia_UNSET=DRAGON multimedia_kdenlive_UNSET=DVDWIZARD +multimedia_qt6-multimedia_SET=FFMPEG +multimedia_qt6-multimedia_UNSET=GSTREAMER multimedia_mpv_SET=CDIO LIBBLURAY multimedia_mpv_UNSET=NVDEC multimedia_vlc_SET=FLAC MPEG2 X264 X265 VPX DCA FAAD AOM @@ -100,4 +103,3 @@ www_nginx_SET=HTTPV3 HTTPV3_QTLS HTTP_AUTH_KRB5 HTTP_AUTH_LDAP HTTP_DAV_EXT www_nginx_UNSET=MAIL x11-toolkits_gtk30_UNSET=COLORD BROADWAY x11_kde_UNSET=KDEADMIN -#x11_libinput_UNSET=LIBWACOM diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository index 63c2bf6..17b49be 100644 --- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository +++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository @@ -79,6 +79,7 @@ misc/kdeutils misc/php${php_version}-calendar misc/terminfo-db multimedia/handbrake +multimedia/haruna multimedia/kdemultimedia multimedia/libdvdcss multimedia/libva-intel-media-driver @@ -87,12 +88,11 @@ multimedia/libvdpau-va-gl multimedia/mpv multimedia/phonon-mpv multimedia/simplescreenrecorder -multimedia/smplayer multimedia/v4l-utils multimedia/v4l_compat multimedia/vdpauinfo -multimedia/vlc multimedia/webcamd +net-im/dino net-im/farstream net-im/gajim net-im/prosody 
@@ -140,14 +140,13 @@ security/kstart security/openssh-portable security/pam_krb5@mit security/pam_mkhomedir -security/pam_mkhomedir security/php${php_version}-filter security/py-omemo-dr security/sshpass security/sudo security/vaultwarden security/wpa_supplicant -sysutils/android-file-transfer-qt5 +sysutils/android-file-transfer sysutils/coreutils sysutils/cpu-microcode sysutils/htop @@ -195,9 +194,10 @@ x11-fonts/terminus-font x11-fonts/terminus-ttf x11-fonts/ubuntu-font x11-fonts/webfonts -x11-themes/sddm-freebsd-black-theme +x11-themes/plasma6-breeze-gtk x11-toolkits/gtksourceview4 x11/kde +x11/ly x11/sddm x11/xev x11/xorg diff --git a/files/usr/local/etc/ssh/ssh_config.freebsd b/files/usr/local/etc/ssh/ssh_config.common index 9be624a..9be624a 100644 --- a/files/usr/local/etc/ssh/ssh_config.freebsd +++ b/files/usr/local/etc/ssh/ssh_config.common diff --git a/files/usr/local/lib/firefox/distribution/policies.json.desktop b/files/usr/local/lib/firefox/distribution/policies.json.desktop index d079eb8..f03055b 100644 --- a/files/usr/local/lib/firefox/distribution/policies.json.desktop +++ b/files/usr/local/lib/firefox/distribution/policies.json.desktop @@ -219,10 +219,6 @@ "browser.newtabpage.activity-stream.feeds.section.topstories": { "Value": false, "Status": "locked" - }, - "media.cubeb.backend": { - "Value": "oss", - "Status": "locked" } } } diff --git a/files/usr/local/libexec/idm-autofs-map.common b/files/usr/local/libexec/idm-autofs-map.common index 296bf91..ea9e2c9 100644 --- a/files/usr/local/libexec/idm-autofs-map.common +++ b/files/usr/local/libexec/idm-autofs-map.common @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl use strict; use warnings; diff --git a/files/usr/local/libexec/idm-ssh-authorized-keys.common b/files/usr/local/libexec/idm-ssh-authorized-keys.common index ef7ba3c..b6bc128 100644 --- a/files/usr/local/libexec/idm-ssh-authorized-keys.common +++ b/files/usr/local/libexec/idm-ssh-authorized-keys.common 
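Review bot: Switching idm-autofs-map.common (and likewise idm-ssh-authorized-keys.common and idm-ssh-known-hosts.common in the following hunks) to `#!/usr/bin/env perl` makes the interpreter depend on the caller's PATH instead of a fixed path. For scripts that autofs runs as root and that sshd invokes through AuthorizedKeysCommand, that is a small but real change in what is trusted: whichever `perl` appears first in the invoking daemon's PATH is executed. If portability between /usr/local/bin/perl on FreeBSD and /usr/bin/perl on Debian is the goal, a short comment under the shebang noting why `env` is used, and that callers are expected to supply a trusted PATH, would record that decision.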
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/env perl
 use strict;
 use warnings;
diff --git a/files/usr/local/libexec/idm-ssh-known-hosts.common b/files/usr/local/libexec/idm-ssh-known-hosts.common
index 3bbcf65..4ef3ca7 100644
--- a/files/usr/local/libexec/idm-ssh-known-hosts.common
+++ b/files/usr/local/libexec/idm-ssh-known-hosts.common
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/env perl
 use strict;
 use warnings;
diff --git a/files/usr/local/libexec/pam-create-local-homedir.common b/files/usr/local/libexec/pam-create-local-homedir.common
index b1ecef5..2d30d06 100644
--- a/files/usr/local/libexec/pam-create-local-homedir.common
+++ b/files/usr/local/libexec/pam-create-local-homedir.common
@@ -1,4 +1,3 @@
 #!/bin/sh
 install -o "$PAM_USER" -g "$PAM_USER" -m 0700 -d "/usr/local/home/${PAM_USER}"
-install -o "$PAM_USER" -g "$PAM_USER" -l s "/usr/local/home/${PAM_USER}" "/home/${PAM_USER}/localdisk"
diff --git a/lib/40-pkg b/lib/40-pkg
new file mode 100644
index 0000000..fce4365
--- /dev/null
+++ b/lib/40-pkg
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+install_package(){
+case $BOXCONF_DISTRO in
+freebsd)
+pkg install -y "$@"
+;;
+debian)
+[ -f /var/cache/apt/pkgcache.bin ] || apt-get update -y
+DEBIAN_FRONTEND=noninteractive apt-get -y \
+-o APT::Install-Recommends=false \
+-o APT::Install-Suggests=false \
+install "$@"
+;;
+*)
+die "install_package unimplemented for ${BOXCONF_OS}"
+;;
+esac
+}
diff --git a/lib/40-user b/lib/40-user
index bb3fc05..39c46af 100644
--- a/lib/40-user
+++ b/lib/40-user
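Review bot: The fallthrough in `install_package` reports the wrong variable: the `case` switches on `$BOXCONF_DISTRO`, but the error reads `die "install_package unimplemented for ${BOXCONF_OS}"`, so an unsupported distro prints the OS name (or nothing) and hides the value that actually failed to match; it should be `die "install_package unimplemented for ${BOXCONF_DISTRO}"`. The apt branch also treats the mere existence of /var/cache/apt/pkgcache.bin as proof the package lists are fresh, so `apt-get update` runs at most once per box; that may be fine for a fresh install but is worth a one-line comment above the test.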
@@ -75,8 +75,32 @@ add_user(){
 ${_bcau_grouplist:+-G ${_bcau_grouplist}} \
 ${_bcau_pgroup:+-g ${_bcau_pgroup}} \
 ${_bcau_uid:+-u ${_bcau_uid}}
+;;
+linux)
+if getent passwd "$_bcau_username" > /dev/null 2>&1; then
+log "local user ${_bcau_username} already exists"
+return 0
+fi
+
+if [ -z "${_bcau_pgroup:-}" ] && [ -n "${_bcau_uid:-}" ]; then
+getent group "$_bcau_username" > /dev/null 2>&1 \
+|| groupadd -g "$_bcau_uid" "$_bcau_username"
+_bcau_pgroup=$_bcau_username
+fi
-log "added local user ${_bcau_username}"
+useradd \
+-c "$_bcau_comment" \
+-s "$_bcau_shell" \
+-d "$_bcau_homedir" \
+${_bcau_create_homedir:+-m} \
+${_bcau_grouplist:+-G ${_bcau_grouplist}} \
+${_bcau_pgroup:+-g ${_bcau_pgroup}} \
+${_bcau_uid:+-u ${_bcau_uid}} \
+"$_bcau_username"
+
+if [ "${_bcau_create_homedir:-}" = true ]; then
+chmod "$_bcau_homedir_mode" "$(getent passwd cullum | cut -d: -f6)"
+fi
 ;;
 *)
 die "add_user unimplemented for ${BOXCONF_OS}"
@@ -86,6 +110,8 @@ add_user(){
 if [ -n "${_bcau_password}" ]; then
 set_password "$_bcau_user" "$_bcau_password"
 fi
+
+log "added local user ${_bcau_username}"
 }
 add_group(){
@@ -111,10 +137,19 @@ add_group(){
 fi
 pw groupadd -n "$_bcag_groupname" ${_bcag_gid:+-g ${_bcag_gid}}
-log "added local group ${_bcag_groupname}"
+;;
+linux)
+if getent group "$_bcag_groupname" > /dev/null 2>&1; then
+log "local group ${_bcag_groupname} already exists"
+return 0
+fi
+
+groupadd ${_bcag_gid:+-g ${_bcag_gid}} "$_bcag_groupname"
 ;;
 *)
 die "add_group unimplemented for ${BOXCONF_OS}"
 ;;
 esac
+
+log "added local group ${_bcag_groupname}"
 }
diff --git a/scripts/distro/debian/10-locale b/scripts/distro/debian/10-locale
new file mode 100644
index 0000000..fd782e7
--- /dev/null
+++ b/scripts/distro/debian/10-locale
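Review bot: In the new `linux)` branch of add_user the home-directory chmod targets a hard-coded account: `chmod "$_bcau_homedir_mode" "$(getent passwd cullum | cut -d: -f6)"` should use `"$_bcau_username"`, otherwise every user created with a home on Linux keeps the useradd default mode and the command instead changes the mode of `cullum`'s home (or fails with an empty path when that account does not exist). The `${_bcau_create_homedir:+-m}` expansion on the useradd line also disagrees with the later `[ "${_bcau_create_homedir:-}" = true ]` test: if callers can pass the string `false`, `-m` is still emitted, so the same `= true` comparison should gate it. add_user starts before this hunk and ends after it.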
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+cat <<EOF | debconf-set-selections
+locales locales/default_environment_locale multiselect en_US.UTF-8
+locales locales/locales_to_be_generated multiselect en_US.UTF-8
+EOF
+
+localectl set-locale en_US.UTF-8
diff --git a/scripts/distro/debian/20-apt b/scripts/distro/debian/20-apt
new file mode 100644
index 0000000..f58159e
--- /dev/null
+++ b/scripts/distro/debian/20-apt
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+apt-get remove -y unattended-upgrades
diff --git a/scripts/distro/debian/20-hostname b/scripts/distro/debian/20-hostname
new file mode 100644
index 0000000..1c2a97d
--- /dev/null
+++ b/scripts/distro/debian/20-hostname
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# Set the fully qualified hostname.
+hostnamectl hostname "${BOXCONF_HOSTNAME}.${domain}"
+install_template -m 0644 /etc/hosts
diff --git a/scripts/distro/debian/20-motd b/scripts/distro/debian/20-motd
new file mode 100644
index 0000000..cb1f8fc
--- /dev/null
+++ b/scripts/distro/debian/20-motd
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# Disable motd.
+rm -f /etc/motd
diff --git a/scripts/distro/debian/20-ntp b/scripts/distro/debian/20-ntp
new file mode 100644
index 0000000..cacdb72
--- /dev/null
+++ b/scripts/distro/debian/20-ntp
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+install_template -m 0644 /etc/systemd/timesyncd.conf
+
+timedatectl set-local-rtc false
+timedatectl set-ntp true
+systemctl restart systemd-timesyncd
diff --git a/scripts/distro/debian/20-root-ca b/scripts/distro/debian/20-root-ca
new file mode 100644
index 0000000..c7527bd
--- /dev/null
+++ b/scripts/distro/debian/20-root-ca
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+install_ca_certificate "$site_cacert_path"
+update-ca-certificates
diff --git a/scripts/distro/debian/20-state-volume b/scripts/distro/debian/20-state-volume
new file mode 100644
index 0000000..c70e239
--- /dev/null
+++ b/scripts/distro/debian/20-state-volume
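Review bot: 20-apt removes unattended-upgrades and nothing else in this commit installs a replacement, so as far as the diff shows, Debian hosts configured by these scripts stop receiving automatic security updates. If patching is handled elsewhere (a later boxconf run, a scheduled `apt-get upgrade`, or a deliberate manual process), a one-line comment above the `apt-get remove` naming that mechanism would make the intent clear to the next reader.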
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+data_mountpoint=/data
+mountpoint "$data_mountpoint" && return 0
+
+_partdev(){
+ case $1 in
+ /dev/nvme*) echo "${1}p${2}" ;;
+ *) echo "${1}${2}" ;;
+ esac
+}
+
+data_disk=$(lsblk --noheading --nodeps --output path,type,pttype | awk '$2 == "disk" && $3 == "" { print $1; exit}')
+[ -n "$data_disk" ] || die "cannot find suitable disk for ${data_mountpoint}"
+
+sgdisk "$data_disk" --new=0:0:0 --change-name=0:boxconf-data --typecode=0:8e00
+data_partition=$(_partdev "$data_disk" 1)
+mkfs.ext4 -F "$data_partition"
+
+install_directory -m 0755 "$data_mountpoint"
+install_template -m 0644 /etc/systemd/system/data.mount
+systemctl enable --now data.mount
diff --git a/scripts/distro/debian/20-timezone b/scripts/distro/debian/20-timezone
new file mode 100644
index 0000000..c252603
--- /dev/null
+++ b/scripts/distro/debian/20-timezone
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+timedatectl set-timezone "$timezone"
diff --git a/scripts/distro/debian/30-grub b/scripts/distro/debian/30-grub
new file mode 100644
index 0000000..1506658
--- /dev/null
+++ b/scripts/distro/debian/30-grub
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+old_md5=$(md5sum /etc/default/grub)
+
+install_template -m 0644 /etc/default/grub
+new_md5=$(md5sum /etc/default/grub)
+
+update-grub
+
+if [ "$old_md5" != "$new_md5" ]; then
+ BOXCONF_NEED_REBOOT=true
+fi
diff --git a/scripts/distro/debian/30-mail b/scripts/distro/debian/30-mail
new file mode 100644
index 0000000..d6c4393
--- /dev/null
+++ b/scripts/distro/debian/30-mail
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+install_package postfix
+
+install_template \
+ /etc/postfix/main.cf \
+ /etc/aliases
+
+newaliases
+
+systemctl enable postfix
+systemctl restart postfix
diff --git a/scripts/distro/debian/30-skel b/scripts/distro/debian/30-skel
new file mode 100644
index 0000000..4e4f119
--- /dev/null
+++ b/scripts/distro/debian/30-skel
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+rm -f \
+ /etc/skel/.bash_logout \
+ /etc/skel/.bashrc \
+ /etc/skel/.profile
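Review bot: The disk handed to `sgdisk` and `mkfs.ext4 -F` is the first one whose `pttype` column is empty, but a disk carrying a whole-disk filesystem, an LVM PV or a LUKS container also has no partition table and would be wiped by this script. Asking lsblk for `fstype` too and requiring both columns to be blank limits the candidates to genuinely unused disks: `lsblk --noheading --nodeps --output path,type,pttype,fstype | awk '$2 == "disk" && $3 == "" && $4 == "" { print $1; exit }'`. A comment stating that this step is intentionally destructive and what it expects to find would also help whoever next adds a disk to one of these hosts; `mountpoint -q` on the early-exit line keeps the log quiet on re-runs.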
diff --git a/scripts/distro/debian/40-machine-id b/scripts/distro/debian/40-machine-id
new file mode 100644
index 0000000..9c80b5d
--- /dev/null
+++ b/scripts/distro/debian/40-machine-id
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Make sure a machine id exists.
+dbus-uuidgen --ensure=/etc/machine-id
+old_machine_id=$(cat /etc/machine-id)
+
+# Persist the machine id to the data partition.
+if ! [ -f "${data_mountpoint}/machine-id" ]; then
+ cp -pv /etc/machine-id "${data_mountpoint}/machine-id"
+fi
+
+# Copy the stored machine id to the live location.
+cp -pv "${data_mountpoint}/machine-id" /etc/machine-id
+new_machine_id=$(cat /etc/machine-id)
+
+# If the machine id was changed, reboot.
+if [ "$old_machine_id" != "$new_machine_id" ]; then
+ BOXCONF_NEED_REBOOT=true
+fi
diff --git a/scripts/distro/debian/41-ssh b/scripts/distro/debian/41-ssh
new file mode 100644
index 0000000..f0877e2
--- /dev/null
+++ b/scripts/distro/debian/41-ssh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+install_directory -m 0755 "$ssh_host_key_dir"
+
+for key in \
+ ssh_host_ecdsa_key \
+ ssh_host_ed25519_key \
+ ssh_host_rsa_key
+do
+ [ -f "${ssh_host_key_dir}/${key}" ] || \
+ mv -v "/etc/ssh/${key}" "/etc/ssh/${key}.pub" "$ssh_host_key_dir"
+
+ ln -snvf "${ssh_host_key_dir}/${key}" "/etc/ssh/${key}"
+ ln -snvf "${ssh_host_key_dir}/${key}.pub" "/etc/ssh/${key}.pub"
+done
+
+# Copy SSH configs.
+install_template -m 0644 \
+ /etc/ssh/sshd_config \
+ /etc/ssh/ssh_config
+
+rm -f /etc/ssh/sshd_config.d/50-cloud-init.conf
+
+systemctl enable --now ssh
+systemctl restart ssh
diff --git a/scripts/distro/debian/42-icinga b/scripts/distro/debian/42-icinga
new file mode 120000
index 0000000..bd84ebc
--- /dev/null
+++ b/scripts/distro/debian/42-icinga
@@ -0,0 +1 @@
+../../os/freebsd/42-icinga
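Review bot: The `[ -f "${ssh_host_key_dir}/${key}" ] || mv -v …` step in 41-ssh does not cover a re-run where the persistent copy is missing but `/etc/ssh/${key}` is already the symlink this loop created (data volume replaced or wiped): mv relocates the dangling symlink itself, the following `ln -snvf` then points `/etc/ssh/${key}` at a link to itself, and sshd starts without a host key of that type. Guard the mv so it only runs when `/etc/ssh/${key}` is a regular file (`[ -f … ] && ! [ -L … ]`) and `die` when neither copy exists, rather than moving a symlink. The moved files keep their own modes, so the 0755 directory exposes only names, but a 0700 directory would also protect private keys restored onto the data volume with looser modes — unless something unprivileged needs the .pub copies through the symlinks, which I can't tell from here.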
\ No newline at end of file
diff --git a/scripts/distro/debian/50-idm b/scripts/distro/debian/50-idm
new file mode 100644
index 0000000..7774556
--- /dev/null
+++ b/scripts/distro/debian/50-idm
@@ -0,0 +1,139 @@
+#!/bin/sh
+
+if [ "${idm_bootstrap:-}" = true ] || [ "${enable_idm:-}" = false ]; then
+ return 0
+fi
+
+install_package \
+ krb5-user \
+ ldap-utils \
+ libldap-common \
+ libnss-ldapd \
+ libpam-krb5 \
+ libsasl2-modules-gssapi-mit \
+ nscd \
+ nslcd \
+ libnet-ldap-perl \
+ libauthen-sasl-perl \
+ libgssapi-perl \
+ sudo-ldap
+
+install_template -m 0644 \
+ /etc/krb5.conf \
+ /etc/nscd.conf \
+ /etc/nslcd.conf \
+ /etc/ldap/ldap.conf \
+ /etc/security/access.conf
+
+install_file -m 0644 \
+ /etc/nsswitch.conf \
+ /etc/pam.d/common-auth \
+ /etc/pam.d/common-account \
+ /etc/pam.d/common-session \
+ /etc/pam.d/common-session-noninteractive \
+ /etc/pam.d/common-password \
+ /etc/pam.d/login \
+ /etc/pam.d/sshd
+
+install_directory -m 0755 /usr/local/etc/openldap
+ln -snfv /etc/ldap/ldap.conf /etc/sudo-ldap.conf
+ln -snfv /etc/ldap/ldap.conf /usr/local/etc/openldap/ldap.conf
+
+install_directory -m 0755 "$keytab_dir"
+
+# Script to create /usr/local/home/${USER} on login.
+install_directory -m 0755 "${data_mountpoint}/home"
+ln -snfv "${data_mountpoint}/home" /usr/local/home
+install_file -m 0555 /usr/local/libexec/pam-create-local-homedir
+
+# Create host object (if it doesn't exist).
+ldap_add "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
+objectClass: device
+objectClass: domainRelatedObject
+objectClass: ldapPublicKey
+cn: ${BOXCONF_HOSTNAME}
+associatedDomain: ${fqdn}
+$(cat /etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
+description: Debian ${BOXCONF_OS_VERSION} ${BOXCONF_HOSTCLASS}
+EOF
+
+# Create A record.
+ldap_add "dc=${BOXCONF_HOSTNAME},dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain
+objectClass: domainRelatedObject
+dc: ${BOXCONF_HOSTNAME}
+aRecord: ${BOXCONF_DEFAULT_IPV4}
+associatedDomain: ${fqdn}
+EOF
+
+# Create PTR record.
+rdns=$(ip2rdns "$BOXCONF_DEFAULT_IPV4")
+ldap_add "dc=${rdns%%.*},dc=${rdns#*.},${dns_basedn}" <<EOF
+objectClass: dNSDomain2
+objectClass: domainRelatedObject
+dc: ${rdns%%.*}
+pTRRecord: ${fqdn}
+associatedDomain: ${rdns}
+EOF
+
+# Create CNAME records.
+for cname in ${cnames:-}; do
+ ldap_add "dc=${cname},dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain
+objectClass: domainRelatedObject
+dc: ${cname}
+cNAMERecord: ${fqdn}
+associatedDomain: ${cname}.${domain}
+EOF
+done
+
+# Update attributes that may have changed.
+ldap_modify "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
+replace: sshPublicKey
+$(cat /etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
+-
+replace: description
+description: Debian ${BOXCONF_OS_VERSION} ${BOXCONF_HOSTCLASS}
+EOF
+
+# Create host principal and keytab.
+add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"
+ktadd -k "${keytab_dir}/host.keytab" "host/${fqdn}"
+ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab
+
+# Create local group for host keytab access.
+add_group -g "$host_keytab_gid" "$host_keytab_groupname"
+chgrp "$host_keytab_groupname" "${keytab_dir}/host.keytab"
+chmod 640 "${keytab_dir}/host.keytab"
+usermod -a -G "$host_keytab_groupname" "$nslcd_user"
+
+# Create symlinks so host keytab can be used to aquire a TGT on-the-fly.
+nslcd_uid=$(id -u "$nslcd_user")
+install_directory -m 0755 \
+ /var/lib/krb5 \
+ /var/lib/krb5/user
+
+install_directory -o "$nslcd_user" -m 0700 "/var/krb5/user/${nslcd_uid}"
+ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${nslcd_uid}/client.keytab"
+
+install_directory -o "$ssh_authzkeys_uid" -m 0700 "/var/krb5/user/${ssh_authzkeys_uid}"
+ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${ssh_authzkeys_uid}/client.keytab"
+
+install_directory -o root -m 0700 /var/krb5/user/0
+ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/keytab
+ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/client.keytab
+
+# Copy IDM helper scripts for SSH.
+install_file -m 0555 \
+ /usr/local/libexec/idm-ssh-known-hosts \
+ /usr/local/libexec/idm-ssh-authorized-keys
+
+# Create user for running SSH AuthorizedKeysCommand.
+add_user \
+ -u "$ssh_authzkeys_uid" \
+ -g "$host_keytab_groupname" \
+ -d /nonexistent \
+ "$ssh_authzkeys_username"
+
+systemctl enable nscd.service nslcd.service
+systemctl restart nscd.service nslcd.service
diff --git a/scripts/distro/debian/51-autofs b/scripts/distro/debian/51-autofs
new file mode 100644
index 0000000..2b117b6
--- /dev/null
+++ b/scripts/distro/debian/51-autofs
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+if [ "$BOXCONF_HOSTCLASS" = nfs_server ] || \
+ [ "${enable_idm:-}" = false ] || \
+ [ "${enable_autofs:-}" = false ]; then
+ return 0
+fi
+
+install_package \
+ autofs \
+ autofs-ldap
+
+install_template -m 0644 \
+ /etc/auto_master \
+ /etc/autofs_ldap_auth.conf \
+ /etc/autofs.conf
+install_template -m 0600 \
+ /etc/autofs_ldap_auth.conf
+
+systemctl enable --now autofs.service
+systemctl restart autofs.service
diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop
index 13277b6..67090e7 100644
--- a/scripts/hostclass/desktop
+++ b/scripts/hostclass/desktop
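Review bot: The `install_directory -m 0755 /var/lib/krb5 /var/lib/krb5/user` call and the per-uid directories that follow disagree on the base path: every `client.keytab` symlink for nslcd, the authorized-keys user and root is created under `/var/krb5/user/…`, so `/var/lib/krb5/user` is created and never used. Only one of the two can be the client keytab location libkrb5 actually consults (its built-in default, or `default_client_keytab_name` if the /etc/krb5.conf template sets it — I can't tell which from here); make the mkdir and the symlinks agree and add a comment naming where that path comes from, e.g. `# per-uid client keytabs: must match libkrb5's default_client_keytab_name`. A smaller point: `install_directory -o "$ssh_authzkeys_uid" …` runs before `add_user` creates that account, which only works if install_directory chowns by numeric id.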
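Review bot: In 51-autofs, `/etc/autofs_ldap_auth.conf` is installed twice, first with `-m 0644` in the shared install_template call and then again with `-m 0600`, so it is briefly world-readable and stays that way if the run stops between the two calls. Remove it from the 0644 list and keep only the 0600 install; this is the file where LDAP credentials would live, so it should never pass through a readable mode.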
@@ -1,15 +1,12 @@ #!/bin/sh : ${desktop_access_gid:='40000'} -: ${sddm_min_uid:='10000'} -: ${sddm_max_uid:='19999'} : ${cups_host:='cups'} : ${ublock_whitelist:=''} : ${chrome_flags:=''} : ${digikam_db_users:=''} : ${digikam_db_host:="$mysql_host"} -sddm_user=sddm cups_conf_dir=/usr/local/etc/cups if [ "${enable_idm:-}" = false ]; then @@ -68,27 +65,15 @@ service webcamd status || service webcamd start install_file -m 0644 /usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop install_file -m 0555 /usr/local/libexec/nss-trust-root-ca -# Add sddm user to drm access group. -pw groupmod "$desktop_access_role" -m "$sddm_user" - # Install gajim desktop file. install_file -m 0644 /usr/local/share/applications/gajim.desktop # Configure pam services. -install_file -m 0644 \ - /etc/pam.d/sddm \ - /etc/pam.d/kde - -# Copy SDDM config file. -install_template -m 0644 /usr/local/etc/sddm.conf -install_file -m 0644 /usr/local/share/sddm/theme.conf.user +install_file -m 0644 /etc/pam.d/kde # Create profile script for KDE environment variables. install_file -m 0644 /etc/profile.d/kde.sh -# Create SDDM local homedir. -install_directory -o sddm -g sddm -m 0700 /usr/local/home/sddm - # Create shutdown script to cleanup lingering processes. install_directory -m 0755 \ /usr/local/etc/xdg/plasma-workspace \ @@ -105,8 +90,13 @@ install_file -m 0644 /usr/local/etc/xdg/baloofilerc # VT switch causes loss of graphics acceleration: https://github.com/freebsd/drm-kmod/issues/175 install_file -m 0644 /usr/local/etc/xdg/kdeglobals -# Enable sddm. -sysrc -v sddm_enable=YES +# Configure ly console login manager. +sysrc -v sddm_enable=NO +install_file -m 0644 \ + /etc/gettytab \ + /etc/ttys \ + /usr/local/etc/ly/config.ini \ + /etc/pam.d/ly # Tune sysctls for desktop usage. set_sysctl \ 
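Review bot: In the `# Configure ly console login manager.` hunk, installing a new `/etc/ttys` does not by itself make init spawn the ly entry (presumably what the new ttys adds); init re-reads the file only on `kill -HUP 1`, so on a host that is already up the switch takes effect at the next reboot. Add `kill -HUP 1` after the install_file call, or set `BOXCONF_NEED_REBOOT=true` the way the Debian 30-grub script in this commit does when its config changes. Nothing stops an sddm instance still running from the previous configuration either; `sysrc -v sddm_enable=NO` only affects future boots, and the in-place start that used to live further down in this file has been removed without a matching stop.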
@@ -182,9 +172,6 @@ set_sysctl kern.vt.suspendswitch="${vt_suspendswitch:-1}" # Generate mpv configuration. install_template -m 0644 /usr/local/etc/mpv/mpv.conf -# Start login manager. -service sddm status || service sddm start > /dev/null 2>&1 < /dev/null || die 'failed to start sddm' - # Create users for digikam db. for user in $digikam_db_users; do mysql_create_user "$digikam_db_host" "$user" gssapi diff --git a/scripts/hostname/nfs1/30-autofs b/scripts/hostname/nfs1/30-autofs index a7153d4..1363a9e 100644 --- a/scripts/hostname/nfs1/30-autofs +++ b/scripts/hostname/nfs1/30-autofs @@ -1,6 +1,6 @@ #!/bin/sh -nfs_mount_opts='-nfsv4,gssname=host,sec=krb5p' +nfs_mount_opts='-nfsv4,gssname=host,sec=sys,vers=4,port=2049,proto=tcp' # /home: auto_home ldap_add "automountKey=/home,automountMapName=auto_master,${automount_basedn}" <<EOF diff --git a/scripts/os/freebsd/42-icinga b/scripts/os/freebsd/42-icinga index 9ac2067..27afcab 100644 --- a/scripts/os/freebsd/42-icinga +++ b/scripts/os/freebsd/42-icinga @@ -4,7 +4,7 @@ if [ "$BOXCONF_HOSTCLASS" = icinga_server ]; then return 0 fi -pkg install -y monitoring-plugins +install_package monitoring-plugins add_user \ -c 'Icinga pseudo-user' \ diff --git a/scripts/os/freebsd/51-autofs b/scripts/os/freebsd/51-autofs index 0ad814f..a80f7b8 100644 --- a/scripts/os/freebsd/51-autofs +++ b/scripts/os/freebsd/51-autofs @@ -21,7 +21,9 @@ sysrc -v \ nfs_client_enable=YES \ nfscbd_enable=NO \ nfscbd_flags="-p ${nfscbd_port} -P host" \ - autofs_enable=YES + autofs_enable=YES \ + automount_env="PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ + automountd_env="PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ install_file -m 0644 /etc/auto_master install_file -m 0555 /usr/local/libexec/idm-autofs-map diff --git a/vars/distro/debian b/vars/distro/debian new file mode 100644 index 0000000..56abb79 --- /dev/null +++ b/vars/distro/debian 
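Review bot: Changing `nfs_mount_opts` from `sec=krb5p` to `sec=sys` removes Kerberos authentication, integrity and encryption from the /home automount: with AUTH_SYS the server accepts whatever uid the client asserts and data crosses the network in cleartext, so home directories are readable and writable by any host that can reach the NFS server. `gssname=host` also has no effect without a krb5 security flavor. If this is a temporary accommodation for the new Debian clients, say so in a comment and track restoring `sec=krb5p` (or at least `sec=krb5i`); the Debian 50-idm script in this commit already links the host keytab in as a client keytab, which is what the GSS mount needs. The ldap_add map entries that consume this variable continue past the hunk.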
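Review bot: In the FreeBSD 51-autofs hunk the new `automountd_env="PATH=…"` argument ends with a `\`, so the sysrc command is only terminated by the blank line that follows; if that blank line is ever removed, `install_file -m 0644 /etc/auto_master` becomes further arguments to sysrc. Drop the trailing backslash from the last argument.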
@@ -0,0 +1,8 @@ +#!/bin/sh + +data_mountpoint=/data +nslcd_user=nslcd +site_cacert_path=/usr/local/share/ca-certificates/ca.crt +keytab_dir="${data_mountpoint}/keytabs" +ssh_host_key_dir="${data_mountpoint}/ssh" +grub_cmdline="ipv6.disable=1 console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 consoleblank=0" diff --git a/vars/hostclass/desktop b/vars/hostclass/desktop index 3a063ec..d77d36b 100644 --- a/vars/hostclass/desktop +++ b/vars/hostclass/desktop @@ -18,9 +18,6 @@ enable_serial_console=false # UID/GID hiding breaks consolekit and KDE screen locker. see_other_uids=1 -# Chromium seems to need this to enable VAAPI video decoding on intel. -chrome_flags='--enable-features=Vulkan,VulkanFromANGLE,DefaultANGLEVulkan' - # Default mpv configs mpv_vo=gpu-next mpv_direct_rendering=yes @@ -36,13 +33,14 @@ gsound" # kwalletd requires socat? desktop_packages=" ${gajim_packages} -android-file-transfer-qt5 +android-file-transfer android-tools bind-tools ca_root_nss cantarell-fonts chromium digikam +dino droid-fonts-ttf eclipse elisa @@ -56,6 +54,7 @@ git gnupg gtksourceview4 handbrake +haruna hs-pandoc inconsolata-ttf jq @@ -80,13 +79,13 @@ password-store pdftk pim-sieve-editor phonon-mpv +plasma6-breeze-gtk postgresql${postgresql_version}-client pulseaudio py${python_version}-pip python roboto-fonts-ttf rsync -sddm signal-desktop sndio socat @@ -99,7 +98,6 @@ tree ubuntu-font v4l-utils v4l_compat -vlc vdpauinfo webcamd webfonts |
