authorCullum Smith <cullum@sacredheartsc.com>2024-07-12 15:20:54 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-07-12 15:20:54 -0400
commit241833b7f320e7fca84ba226f1ecbb0c963534f7 (patch)
treeee9839af8bee6ec9c5cac08306e3167634babcec /files/etc
parent8ec6df0afeb4ef69fa64de5516d16f4be48e0549 (diff)
downloadinfrastructure-241833b7f320e7fca84ba226f1ecbb0c963534f7.tar.gz
initial commit of hypervisor configs
Diffstat (limited to 'files/etc')
-rw-r--r--files/etc/aliases.freebsd38
-rw-r--r--files/etc/cron.d/zfs-trim.freebsd3
-rw-r--r--files/etc/devfs.rules.freebsd_hypervisor4
-rw-r--r--files/etc/dma/dma.conf.freebsd5
-rw-r--r--files/etc/hosts.freebsd4
-rw-r--r--files/etc/login.conf.freebsd64
-rw-r--r--files/etc/ntp.conf.freebsd18
-rw-r--r--files/etc/pf.conf.freebsd37
-rw-r--r--files/etc/profile.d/locale.sh.freebsd2
-rw-r--r--files/etc/resolv.conf.common3
l---------files/etc/ssh/ssh_config.freebsd_hypervisor1
-rw-r--r--files/etc/ssh/ssh_config.no_idm1
l---------files/etc/ssh/sshd_config.freebsd_hypervisor1
-rw-r--r--files/etc/ssh/sshd_config.no_idm10
-rw-r--r--files/etc/syslog.conf.freebsd12
-rw-r--r--files/etc/ttys.freebsd24
16 files changed, 227 insertions, 0 deletions
diff --git a/files/etc/aliases.freebsd b/files/etc/aliases.freebsd
new file mode 100644
index 0000000..b0aeb2d
--- /dev/null
+++ b/files/etc/aliases.freebsd
@@ -0,0 +1,38 @@
+# All local mail should end up forwarded to this address:
+root: ${root_mail_alias}
+
+# Basic system aliases -- these MUST be present
+MAILER-DAEMON: postmaster
+postmaster: root
+
+_dhcp: root
+_pflogd: root
+auditdistd: root
+bin: root
+bind: root
+daemon: root
+games: root
+hast: root
+kmem: root
+mailnull: postmaster
+man: root
+news: root
+nobody: root
+operator: root
+pop: root
+proxy: root
+smmsp: postmaster
+sshd: root
+system: root
+toor: root
+tty: root
+usenet: news
+uucp: root
+manager: root
+dumper:root
+
+# NETWORK OPERATIONS MAILBOX NAMES
+abuse: root
+security: root
+ftp: root
+ftp-bugs: ftp
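Review bot: `dumper:root` (the entry after `manager: root`) is the only alias in this file written without a space after the colon; every other entry uses the `name: target` form. Whether the MTA's aliases parser tolerates the spaceless form depends on the implementation (dma per the dma.conf in this commit, not verified on this point), so normalise it to `dumper: root` rather than rely on it.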
diff --git a/files/etc/cron.d/zfs-trim.freebsd b/files/etc/cron.d/zfs-trim.freebsd
new file mode 100644
index 0000000..64b07b9
--- /dev/null
+++ b/files/etc/cron.d/zfs-trim.freebsd
@@ -0,0 +1,3 @@
+SHELL=/bin/sh
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+@weekly root zfs list -Ho name | xargs -r -n1 zpool trim
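Review bot: `zfs list -Ho name` enumerates ZFS datasets (pool, pool/child, ...), but `zpool trim` takes pool names, so every non-root dataset piped through xargs is rejected and the job emits an error per dataset each week instead of a clean trim. Enumerate pools instead: `@weekly root zpool list -Ho name | xargs -r -n1 zpool trim`. `-r` is only accepted for GNU compatibility on FreeBSD xargs (it never runs the utility on empty input anyway), so it is harmless but does nothing here.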
diff --git a/files/etc/devfs.rules.freebsd_hypervisor b/files/etc/devfs.rules.freebsd_hypervisor
new file mode 100644
index 0000000..fe40b9c
--- /dev/null
+++ b/files/etc/devfs.rules.freebsd_hypervisor
@@ -0,0 +1,4 @@
+# Allow jails to access bpf device for DHCP.
+[devfsrules_jail_vnet_bpf=${hypervisor_jail_bpf_ruleset}]
+add include \$devfsrules_jail_vnet
+add path 'bpf*' unhide
diff --git a/files/etc/dma/dma.conf.freebsd b/files/etc/dma/dma.conf.freebsd
new file mode 100644
index 0000000..ff8aae0
--- /dev/null
+++ b/files/etc/dma/dma.conf.freebsd
@@ -0,0 +1,5 @@
+SMARTHOST ${smtp_host}
+SECURETRANSFER
+STARTTLS
+OPPORTUNISTIC_TLS
+MAILNAME ${email_domain}
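Review bot: `OPPORTUNISTIC_TLS` undercuts `SECURETRANSFER` on the line above it: per dma.conf(5) it lets dma continue in plaintext when STARTTLS cannot be negotiated, so a failed or stripped TLS handshake to `${smtp_host}` degrades silently rather than failing. Since the smarthost is a fixed, operator-controlled relay, drop the `OPPORTUNISTIC_TLS` line so delivery fails (and is retried from the queue) when TLS is unavailable, keeping `SECURETRANSFER` and `STARTTLS`. If the fallback is deliberate for some sites, a comment stating why would stop the next reader from removing it.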
diff --git a/files/etc/hosts.freebsd b/files/etc/hosts.freebsd
new file mode 100644
index 0000000..5551ff0
--- /dev/null
+++ b/files/etc/hosts.freebsd
@@ -0,0 +1,4 @@
+::1 localhost localhost.${domain}
+127.0.0.1 localhost localhost.${domain}
+
+${BOXCONF_DEFAULT_IPV4} ${BOXCONF_HOSTNAME}.${domain} ${BOXCONF_HOSTNAME}
diff --git a/files/etc/login.conf.freebsd b/files/etc/login.conf.freebsd
new file mode 100644
index 0000000..b7def42
--- /dev/null
+++ b/files/etc/login.conf.freebsd
@@ -0,0 +1,64 @@
+default:\\
+ :passwd_format=sha512:\\
+ :copyright=/etc/COPYRIGHT:\\
+ :welcome=/var/run/motd:\\
+ :setenv=BLOCKSIZE=K:\\
+ :mail=/var/mail/$:\\
+ :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\\
+ :nologin=/var/run/nologin:\\
+ :cputime=unlimited:\\
+ :datasize=unlimited:\\
+ :stacksize=unlimited:\\
+ :memorylocked=64M:\\
+ :memoryuse=unlimited:\\
+ :filesize=unlimited:\\
+ :coredumpsize=unlimited:\\
+ :openfiles=unlimited:\\
+ :maxproc=unlimited:\\
+ :sbsize=unlimited:\\
+ :vmemoryuse=unlimited:\\
+ :swapuse=unlimited:\\
+ :pseudoterminals=unlimited:\\
+ :kqueues=unlimited:\\
+ :umtxp=unlimited:\\
+ :priority=0:\\
+ :ignoretime@:\\
+ :umask=022:\\
+ :charset=UTF-8:\\
+ :lang=${locale}:
+
+#
+# A collection of common class names - forward them all to 'default'
+# (login would normally do this anyway, but having a class name
+# here suppresses the diagnostic)
+#
+standard:\\
+ :tc=default:
+xuser:\\
+ :tc=default:
+staff:\\
+ :tc=default:
+
+# This PATH may be clobbered by individual applications. Notably, by default,
+# rc(8), service(8), and cron(8) will all override it with a default PATH that
+# may not include /usr/local/sbin and /usr/local/bin when starting services or
+# jobs.
+daemon:\\
+ :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\\
+ :mail@:\\
+ :memorylocked=128M:\\
+ :tc=default:
+news:\\
+ :tc=default:
+dialer:\\
+ :tc=default:
+
+#
+# Root can always login
+#
+# N.B. login_getpwclass(3) will use this entry for the root account,
+# in preference to 'default'.
+root:\\
+ :ignorenologin:\\
+ :memorylocked=unlimited:\\
+ :tc=default:
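Review bot: login(1) and login_getpwclass(3) read the compiled /etc/login.conf.db, not this text file, so the `passwd_format=sha512`, limits and `lang=${locale}` settings here are inert until `cap_mkdb /etc/login.conf` is run; nothing in this commit shows the deployment doing that, so confirm it or add a post-install step. Minor: the doubled backslashes (`default:\\`) presumably get collapsed by the same renderer that expands `${locale}`; if the file were ever copied verbatim the continuation lines would break. A header comment such as `# Template: backslashes are unescaped at render time; run cap_mkdb(1) after installing.` would document both.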
diff --git a/files/etc/ntp.conf.freebsd b/files/etc/ntp.conf.freebsd
new file mode 100644
index 0000000..d4b1a03
--- /dev/null
+++ b/files/etc/ntp.conf.freebsd
@@ -0,0 +1,18 @@
+interface ignore wildcard
+interface listen ${BOXCONF_DEFAULT_IPV4}
+
+tos minclock 3 maxclock 6
+
+$(if [ -n "${ntp_servers:-}" ]; then
+ printf 'server %s iburst\n' $ntp_servers
+ elif [ -n "${ntp_pools:-}" ]; then
+ printf 'pool %s iburst\n' $ntp_pools
+ fi)
+
+restrict default limited kod nomodify notrap noquery nopeer
+restrict source limited kod nomodify notrap noquery
+
+restrict 127.0.0.1
+restrict ::1
+
+leapfile "/var/db/ntpd.leap-seconds.list"
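Review bot: when neither `ntp_servers` nor `ntp_pools` is set, the `$(if ...)` block at the top renders nothing and ntpd starts with no time source, silently never synchronising. Add an `else` branch that either fails the render or emits a fallback `pool` line, so the absence is at least visible rather than producing a source-less config. The `interface ignore wildcard` / `interface listen` pair and `restrict default limited kod nomodify notrap noquery nopeer` are sound defaults; the unquoted `$ntp_servers` / `$ntp_pools` expansions rely on word-splitting, which is fine as long as the values are plain space-separated hostnames.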
diff --git a/files/etc/pf.conf.freebsd b/files/etc/pf.conf.freebsd
new file mode 100644
index 0000000..633f3ef
--- /dev/null
+++ b/files/etc/pf.conf.freebsd
@@ -0,0 +1,37 @@
+egress = "${BOXCONF_DEFAULT_INTERFACE}"
+allowed_tcp_ports = "{ $(join ', ' ${allowed_tcp_ports:-}) }"
+allowed_udp_ports = "{ $(join ', ' ${allowed_udp_ports:-}) }"
+acme_standalone_port = ${acme_standalone_port}
+acme_standalone_user = ${acme_uid}
+nfscbd_port = ${nfscbd_port}
+
+set block-policy return
+set skip on lo
+scrub in on \$egress all fragment reassemble no-df
+
+$([ "${acme_standalone:-}" = true ] && echo \
+ 'rdr on $egress inet proto tcp to port http -> ($egress) port $acme_standalone_port'
+
+[ -n "${redirect_tcp_ports:-}" ] && printf \
+ 'rdr on $egress inet proto tcp to port %s -> ($egress) port %s\n' $redirect_tcp_ports
+
+[ -n "${redirect_udp_ports:-}" ] && printf \
+ 'rdr on $egress inet proto udp to port %s -> ($egress) port %s\n' $redirect_udp_ports)
+
+antispoof quick for \$egress
+
+block all
+pass out quick on \$egress inet
+pass in quick on \$egress inet proto icmp all icmp-type { echoreq, unreach }
+
+$([ "${acme_standalone:-}" = true ] && echo \
+ 'pass in quick on $egress inet proto tcp to port $acme_standalone_port user $acme_standalone_user'
+
+[ -n "${allowed_tcp_ports:-}" ] && echo \
+ 'pass in quick on $egress inet proto tcp to port $allowed_tcp_ports'
+
+[ -n "${allowed_udp_ports:-}" ] && echo \
+ 'pass in quick on $egress inet proto udp to port $allowed_udp_ports'
+
+[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ] || echo \
+ 'pass in quick on $egress inet proto { tcp, udp } to port $nfscbd_port')
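Review bot: the last test, `[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ]`, uses `==` and an unguarded expansion while every other test in this file uses POSIX `=` and `${var:-}`; FreeBSD's test(1) may accept `==`, but for consistency and for a `set -u` render environment write `[ "${BOXCONF_VIRTUALIZATION_TYPE:-}" = jail ] || echo \`. Separately, the `nfscbd_port` pass rule admits connections from any source on `$egress`; NFSv4 callbacks only come from the NFS server(s) this host mounts from, so if their address is available to the template add a `from <nfs_server_addr>` clause (placeholder) to that rule. The two `rdr` printf loops also assume `$redirect_tcp_ports` / `$redirect_udp_ports` hold an even number of words (from/to pairs); an odd count yields a rule ending in `port ` that pfctl rejects at load, so a word-count check before printing is worth adding.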
diff --git a/files/etc/profile.d/locale.sh.freebsd b/files/etc/profile.d/locale.sh.freebsd
new file mode 100644
index 0000000..093e6d1
--- /dev/null
+++ b/files/etc/profile.d/locale.sh.freebsd
@@ -0,0 +1,2 @@
+export LANG=${locale}
+export CHARSET=UTF-8
diff --git a/files/etc/resolv.conf.common b/files/etc/resolv.conf.common
new file mode 100644
index 0000000..24c2044
--- /dev/null
+++ b/files/etc/resolv.conf.common
@@ -0,0 +1,3 @@
+$(printf 'nameserver %s\n' $resolvers)
+domain ${domain}
+options timeout:1
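Review bot: `$(printf 'nameserver %s\n' $resolvers)` is not guarded the way ntp.conf in this commit guards `${ntp_servers:-}`: with `resolvers` unset or empty, printf still runs once and emits a bare `nameserver ` line (and the unquoted expansion errors under `set -u`). Guard it the same way, `$([ -n "${resolvers:-}" ] && printf 'nameserver %s\n' $resolvers)`, or fail the render, so a host never receives a resolv.conf with no usable resolver.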
diff --git a/files/etc/ssh/ssh_config.freebsd_hypervisor b/files/etc/ssh/ssh_config.freebsd_hypervisor
new file mode 120000
index 0000000..338cdba
--- /dev/null
+++ b/files/etc/ssh/ssh_config.freebsd_hypervisor
@@ -0,0 +1 @@
+ssh_config.no_idm \ No newline at end of file
diff --git a/files/etc/ssh/ssh_config.no_idm b/files/etc/ssh/ssh_config.no_idm
new file mode 100644
index 0000000..97f3ba8
--- /dev/null
+++ b/files/etc/ssh/ssh_config.no_idm
@@ -0,0 +1 @@
+# Intentionally empty.
diff --git a/files/etc/ssh/sshd_config.freebsd_hypervisor b/files/etc/ssh/sshd_config.freebsd_hypervisor
new file mode 120000
index 0000000..355377d
--- /dev/null
+++ b/files/etc/ssh/sshd_config.freebsd_hypervisor
@@ -0,0 +1 @@
+sshd_config.no_idm \ No newline at end of file
diff --git a/files/etc/ssh/sshd_config.no_idm b/files/etc/ssh/sshd_config.no_idm
new file mode 100644
index 0000000..f38720c
--- /dev/null
+++ b/files/etc/ssh/sshd_config.no_idm
@@ -0,0 +1,10 @@
+PermitRootLogin prohibit-password
+AuthorizedKeysFile .ssh/authorized_keys
+
+KbdInteractiveAuthentication no
+PasswordAuthentication yes
+
+UsePAM yes
+UseDNS no
+
+Subsystem sftp /usr/libexec/sftp-server
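Review bot: `PasswordAuthentication yes` leaves every non-root account on the hypervisor open to password guessing from whatever `allowed_tcp_ports` exposes in pf.conf; `PermitRootLogin prohibit-password` protects only root. If the `no_idm` variant exists because keys cannot be distributed without the identity-management system (which the name suggests but the commit does not say), state that in a comment at the top and pair it with `MaxAuthTries 3` and an `AllowGroups` or `AllowUsers` line naming the admin accounts; otherwise set `PasswordAuthentication no`. With `UsePAM yes`, password logins are still checked through PAM even though `KbdInteractiveAuthentication no` is set, so the PAM stack (not shown here) also governs lockout behaviour.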
diff --git a/files/etc/syslog.conf.freebsd b/files/etc/syslog.conf.freebsd
new file mode 100644
index 0000000..dda6710
--- /dev/null
+++ b/files/etc/syslog.conf.freebsd
@@ -0,0 +1,12 @@
+*.err;kern.warning;auth.notice;mail.crit /dev/console
+*.info;authpriv.none;auth.none;cron.none;kern.debug;mail.crit;news.err /var/log/messages
+security.* /var/log/security
+auth.info;authpriv.info /var/log/auth.log
+mail.info /var/log/maillog
+cron.* /var/log/cron
+!-devd
+*.=debug /var/log/debug.log
+*.emerg *
+!*
+include /etc/syslog.d
+include /usr/local/etc/syslog.d
diff --git a/files/etc/ttys.freebsd b/files/etc/ttys.freebsd
new file mode 100644
index 0000000..3ebdfe3
--- /dev/null
+++ b/files/etc/ttys.freebsd
@@ -0,0 +1,24 @@
+console none unknown off insecure
+#
+ttyv0 "/usr/libexec/getty Pc" xterm onifexists secure
+# Virtual terminals
+ttyv1 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv2 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv3 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv4 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv5 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv6 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv7 "/usr/libexec/getty Pc" xterm onifexists secure
+ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure
+# Serial terminals
+# The 'dialup' keyword identifies dialin lines to login, fingerd etc.
+ttyu0 "/usr/libexec/getty 3wire.115200" vt100 onifexists secure
+ttyu1 "/usr/libexec/getty 3wire" vt100 onifconsole secure
+ttyu2 "/usr/libexec/getty 3wire" vt100 onifconsole secure
+ttyu3 "/usr/libexec/getty 3wire" vt100 onifconsole secure
+# Dumb console
+dcons "/usr/libexec/getty std.9600" vt100 off secure
+# Xen Virtual console
+xc0 "/usr/libexec/getty Pc" xterm onifconsole secure
+# RISC-V HTIF console
+rcons "/usr/libexec/getty std.9600" vt100 onifconsole secure
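Review bot: `ttyu0` is set to `onifexists` rather than the `onifconsole` used for ttyu1–ttyu3, and is marked `secure`, so a getty permitting direct root password login runs on the first serial port whenever the device node exists, not only when it is the boot console — for example on an IPMI serial-over-LAN line. If that is the intent (out-of-band access to the hypervisor), add a comment saying so; otherwise use `onifconsole`, or change `secure` to `insecure` so root must log in as an ordinary user and su(1). The `ttyv*` entries being `secure` match the FreeBSD default.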