authorCullum Smith <cullum@sacredheartsc.com>2024-10-22 22:01:49 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-10-22 22:01:49 -0400
commitf9301e0fe52313581920026a186955c78fcbe831 (patch)
tree9a9d8ea8df1bbf2e5d1253d2398ad469acd96b12 /files/etc
parent39358af4e65a0bcd193797ac5003b0adc9b4225b (diff)
downloadinfrastructure-f9301e0fe52313581920026a186955c78fcbe831.tar.gz
zfs autosnapshots, syncthing, pam cleanup
Diffstat (limited to 'files/etc')
-rw-r--r--files/etc/cron.d/zfs-autosnapshot.freebsd5
-rw-r--r--files/etc/cron.d/zfs.freebsd (renamed from files/etc/cron.d/zfs-trim.freebsd)1
-rw-r--r--files/etc/login.access.freebsd13
-rw-r--r--files/etc/pam.d/kde.freebsd2
-rw-r--r--files/etc/pam.d/login.freebsd3
-rw-r--r--files/etc/pam.d/other.freebsd8
-rw-r--r--files/etc/pam.d/sddm.freebsd3
-rw-r--r--files/etc/pam.d/sshd.freebsd4
-rw-r--r--files/etc/pam.d/su.freebsd10
-rw-r--r--files/etc/pam.d/sudo.freebsd3
-rw-r--r--files/etc/pam.d/system.freebsd8
-rw-r--r--files/etc/pf.conf.nfs_server52
12 files changed, 105 insertions, 7 deletions
diff --git a/files/etc/cron.d/zfs-autosnapshot.freebsd b/files/etc/cron.d/zfs-autosnapshot.freebsd
new file mode 100644
index 0000000..0cc1e3b
--- /dev/null
+++ b/files/etc/cron.d/zfs-autosnapshot.freebsd
@@ -0,0 +1,5 @@
+15,30,45 * * * * root /usr/local/sbin/zfs-auto-snapshot frequent 4
+0 * * * * root /usr/local/sbin/zfs-auto-snapshot hourly 24
+7 0 * * * root /usr/local/sbin/zfs-auto-snapshot daily 7
+14 0 * * 7 root /usr/local/sbin/zfs-auto-snapshot weekly 4
+28 0 1 * * root /usr/local/sbin/zfs-auto-snapshot monthly 12
diff --git a/files/etc/cron.d/zfs-trim.freebsd b/files/etc/cron.d/zfs.freebsd
index 80e0cd5..477f1df 100644
--- a/files/etc/cron.d/zfs-trim.freebsd
+++ b/files/etc/cron.d/zfs.freebsd
@@ -1 +1,2 @@
@weekly root zpool list -Ho name | xargs -r -n1 zpool trim
+@monthly root zpool list -Ho name | xargs -r zpool scrub
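Review bot: `@monthly` and `@weekly` both expand to minute 0 of hour 0, so on a 1st that falls on a Sunday the trim and the new scrub are started in the same minute on every pool, and the hourly job in zfs-autosnapshot.freebsd fires at minute 0 too; an explicit time such as `30 3 1 * * root zpool list -Ho name | xargs -r zpool scrub` keeps the two I/O-heavy jobs apart. The trim line hands pools to `zpool trim` one at a time (`-n1`) while the scrub passes them all to a single `zpool scrub` call; both forms work, but using the same one on both lines makes the file easier to read.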
diff --git a/files/etc/login.access.freebsd b/files/etc/login.access.freebsd
new file mode 100644
index 0000000..e6667db
--- /dev/null
+++ b/files/etc/login.access.freebsd
@@ -0,0 +1,13 @@
+# Always allow root logins.
++:root:ALL
+
+$(if [ -n "${login_access_groups:-}" ] || [ -n "${login_access_users:-}" ]; then
+ printf -- '-:ALL EXCEPT '
+if [ -n "${login_access_groups:-}" ]; then
+ printf '(%s) ' ${login_access_groups}
+fi
+if [ -n "${login_access_users:-}" ]; then
+ printf '%s ' ${login_access_users}
+fi
+ printf ':ALL\n'
+fi)
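Review bot: The rule this template generates is not obvious from the shell, and the `+:root:ALL` line needs a caveat: login.access is evaluated by pam_login_access after authentication and only decides whether a login is permitted, so it does not limit where root may log in from — that remains sshd's PermitRootLogin and the pam_securetty lines in the login and sddm stacks. A comment above the `$(` block such as `# With login_access_groups/users set, emit: -:ALL EXCEPT (group) ... user ... :ALL` and `# Group names are parenthesised because pam_login_access is loaded with nodefgroup` would record the contract, and `# With neither set, only the root line is emitted and login.access permits everyone (no match = allow)` the fallback. The `:ALL` origin also means the restriction applies on the console, not just over the network, which is worth stating in the same comment.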
diff --git a/files/etc/pam.d/kde.freebsd b/files/etc/pam.d/kde.freebsd
index 8f87b98..cb89294 100644
--- a/files/etc/pam.d/kde.freebsd
+++ b/files/etc/pam.d/kde.freebsd
@@ -1,5 +1,5 @@
auth required /usr/local/lib/security/pam_krb5.so try_first_pass
account required /usr/local/lib/security/pam_krb5.so
-account required pam_login_access.so
+account required pam_login_access.so nodefgroup
account required pam_unix.so
diff --git a/files/etc/pam.d/login.freebsd b/files/etc/pam.d/login.freebsd
index 164fcb0..ae50bbe 100644
--- a/files/etc/pam.d/login.freebsd
+++ b/files/etc/pam.d/login.freebsd
@@ -5,12 +5,13 @@ auth required pam_unix.so no_warn try_first_pass nullok
account requisite pam_securetty.so
account required pam_nologin.so
account required /usr/local/lib/security/pam_krb5.so
-account required pam_login_access.so
+account required pam_login_access.so nodefgroup
account required pam_unix.so
session required pam_lastlog.so no_fail
session required pam_xdg.so
session required /usr/local/lib/security/pam_krb5.so
+session optional /usr/local/lib/pam_mkhomedir.so mode=0700
password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
password required pam_unix.so no_warn try_first_pass
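Review bot: pam_mkhomedir is `optional` here and in sddm.freebsd, but `required` in sshd.freebsd where it replaces the stock `pam_permit.so` session line, so the three stacks diverge when the module fails or is not installed on a host: ssh sessions are presumably refused while console and sddm logins proceed without a home directory. Pick one policy for all three — `session required /usr/local/lib/pam_mkhomedir.so mode=0700` in login and sddm if a session should never start without a home directory, otherwise `optional` in sshd. `mode=0700` is the right default for a directory created on first login; a short `# create the home directory on first (Kerberos) login` comment would explain why the line sits after pam_krb5.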
diff --git a/files/etc/pam.d/other.freebsd b/files/etc/pam.d/other.freebsd
new file mode 100644
index 0000000..38db8c5
--- /dev/null
+++ b/files/etc/pam.d/other.freebsd
@@ -0,0 +1,8 @@
+auth required pam_unix.so no_warn try_first_pass
+
+account required pam_nologin.so
+account required pam_unix.so
+
+session required pam_permit.so
+
+password required pam_permit.so
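Review bot: `password required pam_permit.so` makes a password change through any service that falls through to this default policy report success without changing anything; the stock FreeBSD `other` uses `password required pam_unix.so no_warn try_first_pass`, and `pam_deny.so` is the conservative choice if no unlisted service is expected to change passwords. The auth and account lines also omit pam_krb5, so unlisted services authenticate against local passwords only; if that is the intent (it appears to be, since the new system.freebsd is local-only as well), a leading `# Fallback for services without their own policy: local accounts only, no Kerberos` would record the decision for the next reader.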
diff --git a/files/etc/pam.d/sddm.freebsd b/files/etc/pam.d/sddm.freebsd
index 6a75823..c222750 100644
--- a/files/etc/pam.d/sddm.freebsd
+++ b/files/etc/pam.d/sddm.freebsd
@@ -10,12 +10,13 @@ auth optional pam_kwallet5.so
account requisite pam_securetty.so
account required pam_nologin.so
account required /usr/local/lib/security/pam_krb5.so
-account required pam_login_access.so
+account required pam_login_access.so nodefgroup
account required pam_unix.so
session required pam_lastlog.so no_fail
session required pam_xdg.so no_fail
session required /usr/local/lib/security/pam_krb5.so
+session optional /usr/local/lib/pam_mkhomedir.so mode=0700
session optional pam_kwallet5.so auto_start
password required /usr/local/lib/security/pam_krb5.so try_first_pass
diff --git a/files/etc/pam.d/sshd.freebsd b/files/etc/pam.d/sshd.freebsd
index 559a980..1f81b48 100644
--- a/files/etc/pam.d/sshd.freebsd
+++ b/files/etc/pam.d/sshd.freebsd
@@ -3,11 +3,11 @@ auth required pam_unix.so no_warn try_first_pass
account required pam_nologin.so
account required /usr/local/lib/security/pam_krb5.so
-account required pam_login_access.so
+account required pam_login_access.so nodefgroup
account required pam_unix.so
session required /usr/local/lib/security/pam_krb5.so
-session required pam_permit.so
+session required /usr/local/lib/pam_mkhomedir.so mode=0700
password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
password required pam_unix.so no_warn try_first_pass
diff --git a/files/etc/pam.d/su.freebsd b/files/etc/pam.d/su.freebsd
new file mode 100644
index 0000000..0bd3ea0
--- /dev/null
+++ b/files/etc/pam.d/su.freebsd
@@ -0,0 +1,10 @@
+auth sufficient pam_rootok.so no_warn
+auth sufficient pam_self.so no_warn
+auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
+auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
+auth required pam_unix.so no_warn try_first_pass nullok
+
+account required /usr/local/lib/security/pam_krb5.so
+account required pam_unix.so
+
+session required pam_permit.so
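Review bot: `nullok` on the pam_unix auth line lets an account whose password field is empty authenticate with an empty password; in the su stack that means any local user can switch to such an account without a password, since the preceding pam_group check with `root_only` applies only when the target is root. The same option appears in system.freebsd, which mirrors the stock FreeBSD policy, so this may be deliberate; if no account is meant to have an empty password, drop `nullok` from `auth required pam_unix.so no_warn try_first_pass nullok` here, otherwise a comment `# nullok: accounts with an empty password field are reachable without a password (stock FreeBSD behaviour)` records the trade-off.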
diff --git a/files/etc/pam.d/sudo.freebsd b/files/etc/pam.d/sudo.freebsd
index 6a6b0a4..6c0a573 100644
--- a/files/etc/pam.d/sudo.freebsd
+++ b/files/etc/pam.d/sudo.freebsd
@@ -2,10 +2,9 @@ auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
auth required pam_unix.so no_warn try_first_pass
account required /usr/local/lib/security/pam_krb5.so
-account required pam_login_access.so
account required pam_unix.so
-account required pam_permit.so
+session required pam_permit.so
password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
password required pam_unix.so no_warn try_first_pass
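Review bot: With pam_login_access removed from the account stack, login.access no longer gates sudo, while login, sshd, sddm and kde still enforce it (with `nodefgroup`); since a user must already hold a session to run sudo, this looks intentional, but nothing in the file says so. A one-line `# login.access is enforced at login time (sshd/login/sddm), not here` above the account lines would keep the next maintainer from adding the module back. The new `session required pam_permit.so` line gives sudo an explicit session chain where the old file had only the stray `account required pam_permit.so`; a comment noting that sudo opens a PAM session would make the replacement self-explanatory.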
diff --git a/files/etc/pam.d/system.freebsd b/files/etc/pam.d/system.freebsd
new file mode 100644
index 0000000..b85310c
--- /dev/null
+++ b/files/etc/pam.d/system.freebsd
@@ -0,0 +1,8 @@
+auth required pam_unix.so no_warn try_first_pass nullok
+
+account required pam_unix.so
+
+session required pam_lastlog.so no_fail
+session required pam_xdg.so
+
+password required pam_unix.so no_warn try_first_pass
diff --git a/files/etc/pf.conf.nfs_server b/files/etc/pf.conf.nfs_server
new file mode 100644
index 0000000..628ed7c
--- /dev/null
+++ b/files/etc/pf.conf.nfs_server
@@ -0,0 +1,52 @@
+$(if [ -n "${pf_egress_interfaces:-}" ]; then
+ printf 'egress = "{ %s }"\n' "$(join ', ' $pf_egress_interfaces)"
+ else
+ printf 'egress = "%s"\n' "$BOXCONF_DEFAULT_INTERFACE"
+ fi)
+allowed_tcp_ports = "{ $(join ', ' ${allowed_tcp_ports:-}) }"
+allowed_udp_ports = "{ $(join ', ' ${allowed_udp_ports:-}) }"
+
+$([ "${acme_standalone:-}" = true ] && cat <<EOF
+acme_standalone_port = ${acme_standalone_port}
+acme_standalone_user = $(id -u "$acme_user")
+EOF
+)
+nfscbd_port = ${nfscbd_port}
+
+set block-policy return
+set skip on lo
+$([ -n "${pf_skip_interfaces:-}" ] && printf \
+ 'set skip on %s\n' $pf_skip_interfaces)
+
+scrub in on \$egress all fragment reassemble no-df
+
+$([ "${acme_standalone:-}" = true ] && echo \
+ 'rdr on $egress inet proto tcp to port http -> ($egress) port $acme_standalone_port'
+
+[ -n "${redirect_tcp_ports:-}" ] && printf \
+ 'rdr on $egress inet proto tcp to port %s -> ($egress) port %s\n' $redirect_tcp_ports
+
+[ -n "${redirect_udp_ports:-}" ] && printf \
+ 'rdr on $egress inet proto udp to port %s -> ($egress) port %s\n' $redirect_udp_ports)
+
+antispoof quick for \$egress
+
+block all
+pass out quick on \$egress inet
+pass in quick on \$egress inet proto icmp all icmp-type { echoreq, unreach }
+
+$([ "${acme_standalone:-}" = true ] && echo \
+ 'pass in quick on $egress inet proto tcp to port $acme_standalone_port user $acme_standalone_user'
+
+[ -n "${allowed_tcp_ports:-}" ] && echo \
+ 'pass in quick on $egress inet proto tcp to port $allowed_tcp_ports'
+
+[ -n "${allowed_udp_ports:-}" ] && echo \
+ 'pass in quick on $egress inet proto udp to port $allowed_udp_ports'
+
+[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ] || echo \
+ 'pass in quick on $egress inet proto { tcp, udp } to port $nfscbd_port'
+
+for user in ${syncthing_users:-}; do uid=$(id -u "$user"); eval "port=\$syncthing_${user}_port"; printf \
+ 'pass in quick on $egress inet proto { tcp, udp } to port %s user %s\n' "$port" "$(id -u "$user")"
+done)
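Review bot: In the syncthing loop at the end of the hunk, `uid` is assigned but never used (the printf recomputes `id -u`), and `eval "port=\$syncthing_${user}_port"` silently yields an empty or wrong port when the per-user variable is unset or the user name contains a character that is not valid in a shell identifier (a `-` splits the name into `$syncthing_john` followed by literal `-doe_port`); the resulting `to port  user N` rule is rejected by pfctl at load, taking the rest of the ruleset down with it. Reusing the variable and failing loudly is the smaller change: `eval "port=\${syncthing_${user}_port:?not set}"` and `"$port" "$uid"` as the printf arguments. Separately, `[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ]` uses a non-POSIX `==` while every other test in the file uses `=`; use `=` there too. `block all` with only `inet` pass rules also drops all IPv6, including neighbour discovery, which is fine only if the egress interface carries no IPv6 addresses — worth a comment at the `block all` line either way. Whether a failed `pfctl -f` leaves the previous rules or none in place depends on how this file is applied, which is outside the hunk.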