| author | Cullum Smith <cullum@sacredheartsc.com> | 2026-05-27 15:39:09 -0400 |
|---|---|---|
| committer | Cullum Smith <cullum@sacredheartsc.com> | 2026-05-27 15:39:09 -0400 |
| commit | d7961b803da9bc2af0503c6c23455bb4cdc54d09 (patch) | |
| tree | bdc0fe22b857e289f789e0546cebedb0aeaa32eb | |
| parent | c045f057f49b01239766b4281a8921e955cde1b0 (diff) | |
| download | infrastructure-d7961b803da9bc2af0503c6c23455bb4cdc54d09.tar.gz | |
add vultr stuff
| l--------- | files/usr/local/etc/ssh/ssh_config.turn1 | 1 | ||||
| -rw-r--r-- | files/usr/local/etc/ssh/sshd_config.turn1 | 26 | ||||
| -rw-r--r-- | files/usr/local/etc/turnserver.conf.turn_server | 25 | ||||
| -rw-r--r-- | scripts/os/freebsd/10-sysctls | 2 | ||||
| -rw-r--r-- | scripts/os/freebsd/20-ntp | 1 | ||||
| -rw-r--r-- | scripts/os/freebsd/20-zfs | 4 | ||||
| -rw-r--r-- | scripts/os/freebsd/30-mail | 2 | ||||
| -rw-r--r-- | scripts/os/freebsd/40-pkg | 18 | ||||
| -rw-r--r-- | scripts/os/freebsd/41-ssh | 38 | ||||
| -rw-r--r-- | scripts/os/freebsd/60-acme | 4 | ||||
| -rw-r--r-- | scripts/os/freebsd/90-snapshots | 2 | ||||
| -rw-r--r-- | vars/hostname/turn1 | 8 |
12 files changed, 76 insertions, 55 deletions
diff --git a/files/usr/local/etc/ssh/ssh_config.turn1 b/files/usr/local/etc/ssh/ssh_config.turn1
new file mode 120000
index 0000000..338cdba
--- /dev/null
+++ b/files/usr/local/etc/ssh/ssh_config.turn1
@@ -0,0 +1 @@
+ssh_config.no_idm
\ No newline at end of file
diff --git a/files/usr/local/etc/ssh/sshd_config.turn1 b/files/usr/local/etc/ssh/sshd_config.turn1
new file mode 100644
index 0000000..3eb6496
--- /dev/null
+++ b/files/usr/local/etc/ssh/sshd_config.turn1
@@ -0,0 +1,26 @@
+AuthorizedKeysFile .ssh/authorized_keys
+
+KbdInteractiveAuthentication no
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+
+PermitRootLogin prohibit-password
+PermitUserEnvironment no
+AllowAgentForwarding no
+AllowTcpForwarding no
+AllowStreamLocalForwarding no
+DisableForwarding yes
+GatewayPorts no
+PermitTunnel no
+X11Forwarding no
+ChallengeResponseAuthentication no
+MaxAuthTries 3
+PermitEmptyPasswords no
+IgnoreRhosts yes
+Protocol 2
+
+UsePAM yes
+UseDNS no
+
+Subsystem sftp /usr/local/libexec/sftp-server
diff --git a/files/usr/local/etc/turnserver.conf.turn_server b/files/usr/local/etc/turnserver.conf.turn_server
index dc62883..34055e2 100644
--- a/files/usr/local/etc/turnserver.conf.turn_server
+++ b/files/usr/local/etc/turnserver.conf.turn_server
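Review bot: `ChallengeResponseAuthentication no` appears twice in the new sshd_config.turn1 (once after `PasswordAuthentication no`, again after `X11Forwarding no`), and `Protocol 2` is a deprecated keyword that current OpenSSH only logs a warning for, so drop the second occurrence and the `Protocol 2` line. The individual `Allow*Forwarding`/`PermitTunnel`/`GatewayPorts` lines are redundant with `DisableForwarding yes` but harmless. `PermitRootLogin prohibit-password` is presumably deliberate for a provider image that injects root's authorized_keys; if so, a one-line comment such as `# root login by key only: the cloud image provisions root's authorized_keys` would stop the next reader from tightening it to `no` and locking everyone out.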
@@ -24,29 +24,6 @@ syslog no-software-attribute no-multicast-peers -denied-peer-ip=0.0.0.0-0.255.255.255 -denied-peer-ip=10.0.0.0-10.255.255.255 -denied-peer-ip=100.64.0.0-100.127.255.255 -denied-peer-ip=127.0.0.0-127.255.255.255 -denied-peer-ip=169.254.0.0-169.254.255.255 -denied-peer-ip=172.16.0.0-172.31.255.255 -denied-peer-ip=192.0.0.0-192.0.0.255 -denied-peer-ip=192.0.2.0-192.0.2.255 -denied-peer-ip=192.88.99.0-192.88.99.255 -denied-peer-ip=192.168.0.0-192.168.255.255 -denied-peer-ip=198.18.0.0-198.19.255.255 -denied-peer-ip=198.51.100.0-198.51.100.255 -denied-peer-ip=203.0.113.0-203.0.113.255 -denied-peer-ip=240.0.0.0-255.255.255.255 -denied-peer-ip=::1 -denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff -denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 -denied-peer-ip=100::-100::ffff:ffff:ffff:ffff -denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff -denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff -denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff -denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff - secure-stun # You can't drop privileges here, due to a FreeBSD issue with SO_REUSEPORT: @@ -55,7 +32,7 @@ secure-stun #proc-user=coturn #proc-group=coturn -no-cli +#no-cli no-rfc5780 no-stun-backward-compatibility response-origin-only-with-rfc5780 diff --git a/scripts/os/freebsd/10-sysctls b/scripts/os/freebsd/10-sysctls index b40186a..c8eae77 100644 --- a/scripts/os/freebsd/10-sysctls +++ b/scripts/os/freebsd/10-sysctls @@ -33,7 +33,7 @@ set_sysctl \ net.inet.tcp.minmss=536 \ net.inet.tcp.msl=2500 \ net.inet.tcp.mssdflt=1448 \ - net.inet.tcp.msl_local=1 \ + net.inet.tcp.msl_local=10 \ net.inet.tcp.path_mtu_discovery=1 \ net.inet.tcp.recvbuf_max="$tcp_buffer_size" \ net.inet.tcp.recvspace=65536 \ diff --git a/scripts/os/freebsd/20-ntp b/scripts/os/freebsd/20-ntp index 888bab4..912cf74 100644 --- a/scripts/os/freebsd/20-ntp +++ b/scripts/os/freebsd/20-ntp 
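Review bot: Commenting out `no-cli` enables coturn's telnet-style admin CLI, and nothing in this file sets `cli-password`, so whatever binds on the default `cli-ip`/`cli-port` (127.0.0.1:5766) is reachable by any local user unless this coturn build refuses to start the CLI without a password; either add `cli-password=` with a hash generated by `turnadmin -P` next to it, or leave `no-cli` in place and rely on the logs. The preceding hunk in the same file also drops every `denied-peer-ip` range, which is what stops an authenticated TURN client from having the relay connect to loopback, RFC 1918 and link-local addresses — on a cloud host that includes the provider's instance-metadata service, which commonly lives at 169.254.169.254. If the list was removed because the Vultr box has no on-prem ranges worth protecting, restore at least the `127.0.0.0-127.255.255.255`, `169.254.0.0-169.254.255.255`, `::1` and `fe80::` entries and record in a comment why the remaining ranges were dropped.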
@@ -11,4 +11,5 @@ sysrc -v \ ntpd_enable=YES \ ntpd_sync_on_start=YES +chown ntpd /var/db/ntp/ntpd.pid service ntpd restart diff --git a/scripts/os/freebsd/20-zfs b/scripts/os/freebsd/20-zfs index 5d86df4..999016c 100644 --- a/scripts/os/freebsd/20-zfs +++ b/scripts/os/freebsd/20-zfs @@ -1,5 +1,9 @@ #!/bin/sh +if [ "${enable_zfs:-}" = false ]; then + return 0 +fi + # Every host should have a "state" dataset, which is a ZFS dataset which # persists across OS rebuilds. [ -n "${state_dataset:-}" ] || die 'state_dataset not defined!' diff --git a/scripts/os/freebsd/30-mail b/scripts/os/freebsd/30-mail index 511ce69..95649b6 100644 --- a/scripts/os/freebsd/30-mail +++ b/scripts/os/freebsd/30-mail @@ -1,6 +1,6 @@ #!/bin/sh -if [ "$BOXCONF_HOSTCLASS" = smtp_server ]; then +if [ "$BOXCONF_HOSTCLASS" = smtp_server ] || [ "${enable_mail:-}" = false ]; then return fi diff --git a/scripts/os/freebsd/40-pkg b/scripts/os/freebsd/40-pkg index b858aa1..f56f72e 100644 --- a/scripts/os/freebsd/40-pkg +++ b/scripts/os/freebsd/40-pkg @@ -7,16 +7,18 @@ case $BOXCONF_HOSTCLASS in freebsd_hypervisor) ;; # Keep default FreeBSD pkg repository. *) - # Configure on-prem pkg repository. - install_directory -m 0755 \ - /usr/local/etc/pkg \ - /usr/local/etc/pkg/repos + if [ "${enable_onprem_pkg:-}" != false ]; then + # Configure on-prem pkg repository. + install_directory -m 0755 \ + /usr/local/etc/pkg \ + /usr/local/etc/pkg/repos - install_file -m 0644 \ - /usr/local/etc/pkg/repos/repo.crt \ - /usr/local/etc/pkg/repos/FreeBSD.conf + install_file -m 0644 \ + /usr/local/etc/pkg/repos/repo.crt \ + /usr/local/etc/pkg/repos/FreeBSD.conf - install_template -m 0644 /usr/local/etc/pkg/repos/onprem.conf + install_template -m 0644 /usr/local/etc/pkg/repos/onprem.conf + fi ;; esac diff --git a/scripts/os/freebsd/41-ssh b/scripts/os/freebsd/41-ssh index 7352fc3..ea86b93 100644 --- a/scripts/os/freebsd/41-ssh +++ b/scripts/os/freebsd/41-ssh 
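Review bot: `chown ntpd /var/db/ntp/ntpd.pid` assumes the pid file already exists, so on a freshly built host where ntpd has never run it fails, and if this script is sourced under `set -e` (not visible here) that aborts the build before `service ntpd restart`. Guard it, e.g. `[ ! -f /var/db/ntp/ntpd.pid ] || chown ntpd /var/db/ntp/ntpd.pid`, and add a comment recording why the file is root-owned in the first place — presumably an earlier ntpd started as root left it behind and the unprivileged ntpd then cannot rewrite it; confirm that is the failure this fixes before documenting it.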
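Review bot: The new `enable_onprem_pkg` guard only skips installing the on-prem repo files; it never removes a previously installed `onprem.conf`, `repo.crt` or the `FreeBSD.conf` override in `/usr/local/etc/pkg/repos`, so flipping the flag to false on a host built with it true leaves pkg still pointed at the on-prem repository (unless the framework wipes that directory elsewhere, which this hunk does not show). Add an `else` branch that removes those three files, e.g. `rm -f /usr/local/etc/pkg/repos/onprem.conf /usr/local/etc/pkg/repos/repo.crt /usr/local/etc/pkg/repos/FreeBSD.conf`, and put a comment on the `if` stating that hosts with the flag off use the stock repository configuration from /etc/pkg.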
@@ -8,26 +8,28 @@ sysrc -v \ sshd_enable=NO \ openssh_enable=YES -# Create state dataset to persist SSH host keys across OS rebuilds. -create_dataset -o "mountpoint=${ssh_host_key_dir}" "${state_dataset}/ssh" +if [ "${enable_zfs:-}" != false ]; then + # Create state dataset to persist SSH host keys across OS rebuilds. + create_dataset -o "mountpoint=${ssh_host_key_dir}" "${state_dataset}/ssh" -# If the state dataset contains existing host keys, symlink them into -# /etc/ssh. -# -# If not, this is the first time we are building this box, so copy the -# autogenerated host keys to the state partition. -service openssh keygen -for key in \ - ssh_host_ecdsa_key \ - ssh_host_ed25519_key \ - ssh_host_rsa_key -do - [ -f "${ssh_host_key_dir}/${key}" ] || \ - mv -v "/usr/local/etc/ssh/${key}" "/usr/local/etc/ssh/${key}.pub" "$ssh_host_key_dir" + # If the state dataset contains existing host keys, symlink them into + # /etc/ssh. + # + # If not, this is the first time we are building this box, so copy the + # autogenerated host keys to the state partition. + service openssh keygen + for key in \ + ssh_host_ecdsa_key \ + ssh_host_ed25519_key \ + ssh_host_rsa_key + do + [ -f "${ssh_host_key_dir}/${key}" ] || \ + mv -v "/usr/local/etc/ssh/${key}" "/usr/local/etc/ssh/${key}.pub" "$ssh_host_key_dir" - ln -snvf "${ssh_host_key_dir}/${key}" "/usr/local/etc/ssh/${key}" - ln -snvf "${ssh_host_key_dir}/${key}.pub" "/usr/local/etc/ssh/${key}.pub" -done + ln -snvf "${ssh_host_key_dir}/${key}" "/usr/local/etc/ssh/${key}" + ln -snvf "${ssh_host_key_dir}/${key}.pub" "/usr/local/etc/ssh/${key}.pub" + done +fi # Copy SSH configs. install_directory -m 0755 /usr/local/etc/ssh/sshd_config.d diff --git a/scripts/os/freebsd/60-acme b/scripts/os/freebsd/60-acme index e7f4cfc..1db8a6d 100644 --- a/scripts/os/freebsd/60-acme +++ b/scripts/os/freebsd/60-acme 
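Review bot: When `enable_zfs` is false the whole key-persistence branch is skipped, so on that host class the SSH host keys are regenerated on every OS rebuild and every client sees a changed-host-key warning, which trains operators to accept key changes; the new `if` should say so, e.g. `# Without ZFS there is no state dataset: host keys are regenerated on each rebuild and clients will see a host-key change.`, or the keys should be persisted in a plain directory on those hosts. Skipping `service openssh keygen` is presumably fine because the openssh rc script creates missing keys on start, but that is not visible here and is worth confirming on the first Vultr build. The inner comment still says the keys are symlinked into `/etc/ssh` while the code uses `/usr/local/etc/ssh`; worth correcting while the block is being re-indented. The script continues past the end of this hunk.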
@@ -17,7 +17,9 @@ dhparams_path=/etc/ssl/dhparams.pem pkg install -y acme.sh # Create dataset to persist acme data across OS rebuilds. -create_dataset -o "mountpoint=${acme_home}" "${state_dataset}/acme" +if [ "${enable_zfs:-}" != false ]; then + create_dataset -o "mountpoint=${acme_home}" "${state_dataset}/acme" +fi install_directory -o "$acme_user" -g "$acme_user" -m 0750 "$acme_home" install_directory -m 0775 -o root -g "$acme_user" "$acme_cert_dir" diff --git a/scripts/os/freebsd/90-snapshots b/scripts/os/freebsd/90-snapshots index fce9c34..ce4d2eb 100644 --- a/scripts/os/freebsd/90-snapshots +++ b/scripts/os/freebsd/90-snapshots @@ -2,7 +2,7 @@ # Don't run autosnapshot within jails. Otherwise we will create duplicate # snapshots with the host system. -if [ "$BOXCONF_VIRTUALIZATION_TYPE" = jail ]; then +if [ "$BOXCONF_VIRTUALIZATION_TYPE" = jail ] || [ "${enable_zfs:-}" = false ]; then return 0 fi diff --git a/vars/hostname/turn1 b/vars/hostname/turn1 index 86e970a..25b7e71 100644 --- a/vars/hostname/turn1 +++ b/vars/hostname/turn1 @@ -1,3 +1,9 @@ #!/bin/sh -cnames=turn +enable_mail=false +enable_idm=false +enable_onprem_pkg=false +enable_zfs=false +resolvers='108.61.10.10' +domain=sacredheartsc.com +ntp_servers='1.time.constant.com 2.time.constant.com 3.time.constant.com' |
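Review bot: With `enable_zfs` false the `create_dataset` call is skipped but nothing else persists `$acme_home`, so the ACME account key and issued certificates live on the rebuilt root filesystem and are recreated from scratch on every rebuild; that means fresh issuance each time, which can run into the CA's rate limits, and a new account key each time. A comment on the `if` should state that trade-off, e.g. `# Without ZFS the acme state is not persisted: certificates and the account key are re-issued on every rebuild.`; if rebuilds are frequent, back `$acme_home` with a non-ZFS persistent location on those hosts instead. The script continues past the end of this hunk.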
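Review bot: `resolvers='108.61.10.10'` lists a single resolver with no fallback, so an outage at that address (presumably the provider's resolver) takes down name resolution on the host, and ACME validation along with it; if a second resolver is available, add it to the space-separated list. `enable_idm=false` is set here but nothing in this commit reads it — the SSH client side is handled by the new `ssh_config.turn1 -> ssh_config.no_idm` symlink — so either a script outside this diff consumes it or it is dead; a short comment naming the consumer would settle that. `cnames=turn` is dropped without replacement; if DNS records are generated from these vars, confirm the `turn` CNAME is still produced elsewhere.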
