authorCullum Smith <cullum@sacredheartsc.com>2024-10-15 23:35:53 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-10-15 23:35:53 -0400
commit145668c3dd67c5271eddcb62d1e7843487d768a7 (patch)
tree4c7d563e9d320e6b122ee3dbf048d93eee6776c3 /files/etc
parentb2af400a1098ebf445575d169e11a6717867045f (diff)
huge amount of fixes
Diffstat (limited to 'files/etc')
-rw-r--r--files/etc/auto_master.common2
-rw-r--r--files/etc/cron.d/freeradius.radius_server2
-rw-r--r--files/etc/cron.d/invidious.invidious_server2
-rw-r--r--files/etc/dma/dma.conf.freebsd1
-rw-r--r--files/etc/exports.common2
-rw-r--r--files/etc/login.conf.desktop64
l---------files/etc/login.conf.laptop1
l---------files/etc/login.conf.roadwarrior_laptop1
-rw-r--r--files/etc/pam.d/cups.cups_server8
-rw-r--r--files/etc/pam.d/kde.freebsd2
-rw-r--r--files/etc/pam.d/postgresql.postgresql_server2
-rw-r--r--files/etc/pam.d/sddm.freebsd16
-rw-r--r--files/etc/pam.d/sudo.freebsd15
-rw-r--r--files/etc/profile.d/kde.sh.common6
-rw-r--r--files/etc/profile.d/local-homedir.sh.common25
-rw-r--r--files/etc/syslog.conf.freebsd3
16 files changed, 149 insertions, 3 deletions
diff --git a/files/etc/auto_master.common b/files/etc/auto_master.common
new file mode 100644
index 0000000..37f3e34
--- /dev/null
+++ b/files/etc/auto_master.common
@@ -0,0 +1,2 @@
+/net -hosts -nobrowse,nosuid,intr
++auto_master
diff --git a/files/etc/cron.d/freeradius.radius_server b/files/etc/cron.d/freeradius.radius_server
new file mode 100644
index 0000000..20f3ada
--- /dev/null
+++ b/files/etc/cron.d/freeradius.radius_server
@@ -0,0 +1,2 @@
+MAILTO=root
+@daily ${freeradius_user} find ${freeradius_tlscache_dir} -mindepth 1 -mtime +2 -exec rm -vf {} +
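Review bot: The `find` on the `@daily` line has no `-type f`, so a subdirectory of `${freeradius_tlscache_dir}` older than two days is handed to `rm -f`, which fails on directories, and the path is unquoted. With `MAILTO=root` and `rm -v`, every run that deletes something also mails root, which makes a real failure easy to miss. Consider `find "${freeradius_tlscache_dir}" -mindepth 1 -type f -mtime +2 -delete`. It is also worth confirming that the templating step refuses to render this file when `${freeradius_tlscache_dir}` expands to nothing.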
diff --git a/files/etc/cron.d/invidious.invidious_server b/files/etc/cron.d/invidious.invidious_server
new file mode 100644
index 0000000..89fa336
--- /dev/null
+++ b/files/etc/cron.d/invidious.invidious_server
@@ -0,0 +1,2 @@
+MAILTO=root
+0 3 * * * root /usr/local/libexec/invidious-update -q ${invidious_local_username} ${invidious_repo_dir}
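Review bot: This job runs `/usr/local/libexec/invidious-update` as root against `${invidious_repo_dir}`, and the script is not part of this diff, so it is not visible whether it drops to `${invidious_local_username}` before touching the repository. If that directory is writable by the service account, anything root executes from it (git hooks, build steps) would let that account run code as root. If the script does switch users, say so above the job, e.g. `# invidious-update runs git and the build as the user named on its command line`; if it does not, that is the change to make in the script.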
diff --git a/files/etc/dma/dma.conf.freebsd b/files/etc/dma/dma.conf.freebsd
index ff8aae0..6975ed1 100644
--- a/files/etc/dma/dma.conf.freebsd
+++ b/files/etc/dma/dma.conf.freebsd
@@ -2,4 +2,3 @@ SMARTHOST ${smtp_host}
SECURETRANSFER
STARTTLS
OPPORTUNISTIC_TLS
-MAILNAME ${email_domain}
diff --git a/files/etc/exports.common b/files/etc/exports.common
new file mode 100644
index 0000000..4ea7fd2
--- /dev/null
+++ b/files/etc/exports.common
@@ -0,0 +1,2 @@
+V4: ${nfs_root}
+# The default is to not export anything.
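Review bot: The `V4:` line carries no `-sec=` option, so the NFSv4 root accepts the default `sys` flavor for operations that do not use a file handle. The rest of this commit authenticates through pam_krb5, so if the exports are meant to be Kerberos-only, state it here too, for example `V4: ${nfs_root} -sec=krb5p`, with the flavors matched to the per-filesystem export lines, which are not in this diff. The trailing comment would also read better above the `V4:` line, since that line does not itself export anything.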
diff --git a/files/etc/login.conf.desktop b/files/etc/login.conf.desktop
new file mode 100644
index 0000000..558c80a
--- /dev/null
+++ b/files/etc/login.conf.desktop
@@ -0,0 +1,64 @@
+default:\\
+ :passwd_format=sha512:\\
+ :copyright=/etc/COPYRIGHT:\\
+ :welcome=/var/run/motd:\\
+ :setenv=BLOCKSIZE=K,XDG_DATA_DIRS=/usr/local/override\\c/usr/local/share,XDG_DATA_HOME=/usr/local/home/\$/.local/share,XDG_STATE_HOME=/usr/local/home/\$/.local/state,XDG_CACHE_HOME=/usr/local/home/\$/.cache,XDG_CONFIG_HOME=/usr/local/home/\$/.config,KDEHOME=/usr/local/home/\$/.kde:\\
+ :mail=/var/mail/\$:\\
+ :path=/sbin /bin /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin ~/bin:\\
+ :nologin=/var/run/nologin:\\
+ :cputime=unlimited:\\
+ :datasize=unlimited:\\
+ :stacksize=unlimited:\\
+ :memorylocked=64M:\\
+ :memoryuse=unlimited:\\
+ :filesize=unlimited:\\
+ :coredumpsize=unlimited:\\
+ :openfiles=unlimited:\\
+ :maxproc=unlimited:\\
+ :sbsize=unlimited:\\
+ :vmemoryuse=unlimited:\\
+ :swapuse=unlimited:\\
+ :pseudoterminals=unlimited:\\
+ :kqueues=unlimited:\\
+ :umtxp=unlimited:\\
+ :priority=0:\\
+ :ignoretime@:\\
+ :umask=022:\\
+ :charset=UTF-8:\\
+ :lang=${locale}:
+
+#
+# A collection of common class names - forward them all to 'default'
+# (login would normally do this anyway, but having a class name
+# here suppresses the diagnostic)
+#
+standard:\\
+ :tc=default:
+xuser:\\
+ :tc=default:
+staff:\\
+ :tc=default:
+
+# This PATH may be clobbered by individual applications. Notably, by default,
+# rc(8), service(8), and cron(8) will all override it with a default PATH that
+# may not include /usr/local/sbin and /usr/local/bin when starting services or
+# jobs.
+daemon:\\
+ :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\\
+ :mail@:\\
+ :memorylocked=128M:\\
+ :tc=default:
+news:\\
+ :tc=default:
+dialer:\\
+ :tc=default:
+
+#
+# Root can always login
+#
+# N.B. login_getpwclass(3) will use this entry for the root account,
+# in preference to 'default'.
+root:\\
+ :ignorenologin:\\
+ :memorylocked=unlimited:\\
+ :tc=default:
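Review bot: The XDG_*_HOME and KDEHOME entries in the `default` class's `setenv` are inherited by `root`, `daemon` and every other class through `tc=default`, so a root login gets `XDG_CONFIG_HOME=/usr/local/home/root/.config` and the rest. `profile.d/local-homedir.sh.common` in this same commit deliberately skips uids below 1000, but login.conf has no such exemption. If `/usr/local/home/root` is absent or not root-owned, root's tools would look for configuration in a path someone else may be able to create. Overriding the capability in those classes keeps system accounts on their real home, e.g. `:setenv=BLOCKSIZE=K:\\` placed ahead of `:tc=default:` in `root` and `daemon`.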
diff --git a/files/etc/login.conf.laptop b/files/etc/login.conf.laptop
new file mode 120000
index 0000000..2dde3a4
--- /dev/null
+++ b/files/etc/login.conf.laptop
@@ -0,0 +1 @@
+login.conf.desktop \ No newline at end of file
diff --git a/files/etc/login.conf.roadwarrior_laptop b/files/etc/login.conf.roadwarrior_laptop
new file mode 120000
index 0000000..2dde3a4
--- /dev/null
+++ b/files/etc/login.conf.roadwarrior_laptop
@@ -0,0 +1 @@
+login.conf.desktop \ No newline at end of file
diff --git a/files/etc/pam.d/cups.cups_server b/files/etc/pam.d/cups.cups_server
new file mode 100644
index 0000000..b61c074
--- /dev/null
+++ b/files/etc/pam.d/cups.cups_server
@@ -0,0 +1,8 @@
+# auth
+auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required /usr/local/lib/security/pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
diff --git a/files/etc/pam.d/kde.freebsd b/files/etc/pam.d/kde.freebsd
new file mode 100644
index 0000000..2604c78
--- /dev/null
+++ b/files/etc/pam.d/kde.freebsd
@@ -0,0 +1,2 @@
+auth required /usr/local/lib/security/pam_krb5.so try_first_pass
+account required /usr/local/lib/security/pam_krb5.so
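Review bot: The `account` stack here is pam_krb5 only, while `sddm.freebsd` and `sudo.freebsd` in the same commit also run `pam_login_access.so` and `pam_unix.so`, so a user excluded by login.access could still pass this service's account check. If that is intentional (for example because this service only unlocks an existing session), a comment saying so would help, such as `# krb5 only: this service unlocks an existing session`. Otherwise add `account required pam_login_access.so`.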
diff --git a/files/etc/pam.d/postgresql.postgresql_server b/files/etc/pam.d/postgresql.postgresql_server
deleted file mode 100644
index 8475a53..0000000
--- a/files/etc/pam.d/postgresql.postgresql_server
+++ /dev/null
@@ -1,2 +0,0 @@
-auth required /usr/local/lib/security/pam_krb5.so try_first_pass keytab=${postgres_keytab} no_ccache ignore_k5login no_update_user minimum_uid=0
-account required pam_permit.so
diff --git a/files/etc/pam.d/sddm.freebsd b/files/etc/pam.d/sddm.freebsd
new file mode 100644
index 0000000..ef359ff
--- /dev/null
+++ b/files/etc/pam.d/sddm.freebsd
@@ -0,0 +1,16 @@
+# NB: FreeBSD has no pam_stack.so or substack functionality, so we can't
+# try multiple authentication sources (like krb5 but fall back to pam_unix)
+# if we want pam_kwallet5 to execute.
+# Hence, for sddm, we try krb5 only (no local accounts).
+auth required /usr/local/lib/security/pam_krb5.so try_first_pass
+auth optional pam_exec.so /usr/local/libexec/pam-create-local-homedir
+auth optional pam_kwallet5.so
+
+account required /usr/local/lib/security/pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+session required pam_lastlog.so no_fail
+session optional pam_kwallet5.so auto_start
+
+password required /usr/local/lib/security/pam_krb5.so try_first_pass
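Review bot: `auth required` does not stop the stack on failure, so the `pam_exec.so /usr/local/libexec/pam-create-local-homedir` line still runs after pam_krb5 has rejected the login, with whatever user name was typed at the greeter. The helper is not in this diff; if it creates directories keyed on the PAM user name, it does so for failed and nonexistent logins as well. Making the first line `auth requisite /usr/local/lib/security/pam_krb5.so try_first_pass` ends the stack at the failure, and pam_kwallet5 has nothing useful to do after a rejected password anyway.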
diff --git a/files/etc/pam.d/sudo.freebsd b/files/etc/pam.d/sudo.freebsd
new file mode 100644
index 0000000..425bf4e
--- /dev/null
+++ b/files/etc/pam.d/sudo.freebsd
@@ -0,0 +1,15 @@
+# auth
+auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required /usr/local/lib/security/pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+account required pam_permit.so
+
+# password
+password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
+password required pam_unix.so no_warn try_first_pass
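Review bot: The line under `# session` is `account required pam_permit.so`, so it lands in the account stack and this service has no session entry of its own. That looks like a typo for `session required pam_permit.so`. As written it does not weaken the account decision, since the three `required` modules above it still have to pass, but session handling presumably falls through to whatever the `other` service defines.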
diff --git a/files/etc/profile.d/kde.sh.common b/files/etc/profile.d/kde.sh.common
new file mode 100644
index 0000000..010d5c1
--- /dev/null
+++ b/files/etc/profile.d/kde.sh.common
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ "$XDG_CURRENT_DESKTOP" = KDE ]; then
+ export SSH_ASKPASS_REQUIRE=prefer
+ export SSH_ASKPASS=/usr/local/bin/ksshaskpass
+fi
diff --git a/files/etc/profile.d/local-homedir.sh.common b/files/etc/profile.d/local-homedir.sh.common
new file mode 100644
index 0000000..d5abb90
--- /dev/null
+++ b/files/etc/profile.d/local-homedir.sh.common
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# This file contains various environment variables and hacks to accomodate
+# applications that don't play well with NFS-mounted home directories.
+
+if [ "$(id -u)" -lt 1000 ]; then
+ return 0
+fi
+
+LOCAL_HOME="/usr/local/home/${USER}"
+
+export PYTHONUSERBASE="${LOCAL_HOME}/.local"
+export npm_config_cache="${LOCAL_HOME}/.npm"
+export CARGO_HOME="${LOCAL_HOME}/.cargo"
+export GOPATH="${LOCAL_HOME}/go"
+
+# firefox
+mkdir -p "${LOCAL_HOME}/.mozilla"
+ln -sfn "${LOCAL_HOME}/.mozilla" "${HOME}/.mozilla"
+
+# kwallet
+# The kwallet PAM module hard-codes ~/.local/share/kwalletd, but kwallet itself
+# honors XDG_DATA_HOME! So we symlink from the local disk back into NFS. Gross!
+mkdir -p "${LOCAL_HOME}/.local/share/kwalletd"
+ln -sfn "${HOME}/.local/share/kwalletd/kwallet.salt" "${LOCAL_HOME}/.local/share/kwalletd/kdewallet.salt"
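Review bot: `LOCAL_HOME` is built from `$USER` and used without checking that the directory exists and belongs to the caller, yet PYTHONUSERBASE, CARGO_HOME, GOPATH and the Firefox profile are all pointed into it. If `/usr/local/home/<name>` can ever be created by someone other than its owner, that person controls code the user later runs; who creates it is not visible in this diff. Derive the name from `id -un`, return early unless the directory is a real directory owned by the caller, and create the subdirectories with `-m 0700`. Separately, the last `ln -sfn` names the link `kdewallet.salt` but the target `kwallet.salt`; the differing names look unintended and are worth checking against what pam_kwallet5 writes.

```sh
LOCAL_HOME="/usr/local/home/$(id -un)"

# Only redirect tool state into the local home if it is a real directory we own.
if [ ! -d "${LOCAL_HOME}" ] || [ -L "${LOCAL_HOME}" ] || [ ! -O "${LOCAL_HOME}" ]; then
  return 0
fi

# … unchanged: PYTHONUSERBASE / npm_config_cache / CARGO_HOME / GOPATH exports …

# firefox
mkdir -p -m 0700 "${LOCAL_HOME}/.mozilla"
# … unchanged: ln -sfn for ~/.mozilla, kwallet comment …
mkdir -p -m 0700 "${LOCAL_HOME}/.local/share/kwalletd"
```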
diff --git a/files/etc/syslog.conf.freebsd b/files/etc/syslog.conf.freebsd
index dda6710..021836e 100644
--- a/files/etc/syslog.conf.freebsd
+++ b/files/etc/syslog.conf.freebsd
@@ -1,4 +1,5 @@
*.err;kern.warning;auth.notice;mail.crit /dev/console
+!-devd
*.info;authpriv.none;auth.none;cron.none;kern.debug;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
@@ -7,6 +8,8 @@ cron.* /var/log/cron
!-devd
*.=debug /var/log/debug.log
*.emerg *
+!devd
+*.>=info /var/log/devd.log
!*
include /etc/syslog.d
include /usr/local/etc/syslog.d