author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-22 22:01:49 -0400 |
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-22 22:01:49 -0400 |
commit | f9301e0fe52313581920026a186955c78fcbe831 (patch) | |
tree | 9a9d8ea8df1bbf2e5d1253d2398ad469acd96b12 /files/usr/local/etc | |
parent | 39358af4e65a0bcd193797ac5003b0adc9b4225b (diff) | |
download | infrastructure-f9301e0fe52313581920026a186955c78fcbe831.tar.gz |
zfs autosnapshots, syncthing, pam cleanup
Diffstat (limited to 'files/usr/local/etc')
4 files changed, 258 insertions, 0 deletions
diff --git a/files/usr/local/etc/nginx/vhosts.conf.nfs_server b/files/usr/local/etc/nginx/vhosts.conf.nfs_server
new file mode 100644
index 0000000..e6fa55b
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.nfs_server
@@ -0,0 +1,38 @@
+$(for user in ${syncthing_users:-}; do cat <<EOF
+upstream syncthing_${user} {
+ server unix:///var/run/syncthing/${user}/syncthing.sock;
+}
+
+EOF
+done)
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+ ssl_certificate ${syncthing_https_cert};
+ ssl_certificate_key ${syncthing_https_key};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ auth_gss_keytab ${nginx_keytab};
+ auth_gss_allow_basic_fallback off;
+
+$(for user in ${syncthing_users:-}; do cat <<EOF
+ location /${user}/ {
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ proxy_pass http://syncthing_${user}/;
+ auth_gss on;
+ auth_gss_authorized_principal ${user};
+ }
+EOF
+done)
+}
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index 883a88d..7d2a7ab 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -88,6 +88,7 @@ net/php${php_version}-ldap
 net/php${php_version}-sockets
 net/py-python-ldap
 net/rsync
+net/syncthing
 net/turnserver
 net/wireguard-tools
 ports-mgmt/poudriere
@@ -102,6 +103,7 @@ security/kstart
 security/openssh-portable
 security/pam_krb5@mit
 security/pam_mkhomedir
+security/pam_mkhomedir
 security/php${php_version}-filter
 security/py-omemo-dr
 security/sshpass
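Review bot: The per-user `location /${user}/` block with `auth_gss on` is the only access control in front of each Syncthing GUI, because the template added in this same commit configures `<gui>` with `sendBasicAuthPrompt="false"` and no GUI user or password, and nothing in the vhost records that. A comment above the second `$(for …)` loop, `# Kerberos auth here is the sole authentication for the Syncthing GUI: the instance's own GUI auth is disabled and it listens only on a unix socket readable by the www group`, would stop a later edit from relaxing `auth_gss` or adding an unauthenticated location that proxies to the same upstream. It is also worth a comment on the `upstream` line that `unix:///var/run/syncthing/${user}/syncthing.sock` must stay in step with `--gui-address=unix://${syncthing_user_irundir}/syncthing.sock` in `rc.d/syncthing_user.nfs_server`, since the two files share no variable for the path.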
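Review bot: The line added in the `@@ -102,6 +103,7 @@` hunk of `pkglist.pkg_repository` is `security/pam_mkhomedir`, which is already present as the context line directly above it, so the addition is a duplicate. Given the commit title's "pam cleanup" this was presumably meant to be a different port; if not, the added line should simply be dropped so the list reads `security/pam_mkhomedir` once. Poudriere may tolerate a repeated origin, but as committed it reads as an unfinished edit. The other two additions, `net/syncthing` and `sysutils/zfstools`, look fine.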
@@ -120,6 +122,7 @@ sysutils/pwgen
 sysutils/stow
 sysutils/tmux
 sysutils/tree
+sysutils/zfstools
 textproc/hs-pandoc
 textproc/jq
 textproc/p5-YAML
diff --git a/files/usr/local/etc/rc.d/syncthing_user.nfs_server b/files/usr/local/etc/rc.d/syncthing_user.nfs_server
new file mode 100644
index 0000000..0229047
--- /dev/null
+++ b/files/usr/local/etc/rc.d/syncthing_user.nfs_server
@@ -0,0 +1,86 @@
+#!/bin/sh
+
+# PROVIDE: syncthing_user
+# REQUIRE: DAEMON nslcd
+# KEYWORD: shutdown
+#
+# syncthing_user_enable=YES
+# syncthing_user_instances="bob joe"
+# syncthing_user_bob_port="22000"
+# syncthing_user_joe_port="22001"
+
+. /etc/rc.subr
+
+name=syncthing_user
+rcvar=syncthing_user_enable
+
+load_rc_config $name
+
+: ${syncthing_user_enable:='NO'}
+: ${syncthing_user_socket_group:='www'}
+
+syncthing_user_rundir=/var/run/syncthing
+syncthing_user_confdir=/var/db/syncthing
+syncthing_user_args='serve --no-browser --no-upgrade --no-default-folder --logflags=0 --logfile=-'
+syncthing_config_template=/usr/local/etc/syncthing.template.xml
+
+procname="/usr/local/bin/syncthing"
+command="/usr/sbin/daemon"
+start_precmd=syncthing_user_startprecmd
+required_files="${syncthing_config_template}"
+
+syncthing_user_startprecmd()
+{
+ [ -d "$syncthing_user_rundir" ] || install -d -m 0755 "$syncthing_user_rundir"
+ [ -d "$syncthing_user_irundir" ] || install -d -m 2750 -o "$syncthing_user_user" -g "$syncthing_user_socket_group" "$syncthing_user_irundir"
+ [ -d "$syncthing_user_iconfdir" ] || install -d -m 0750 -o "$syncthing_user_user" -g "$syncthing_user_user" "$syncthing_user_iconfdir"
+
+ if [ ! -f "${syncthing_user_iconfdir}/config.xml" ]; then
+ su -m "$syncthing_user_user" -c "${procname} generate --home=${syncthing_user_iconfdir}"
+
+ deviceid=$("$procname" serve --home="$syncthing_user_iconfdir" --device-id)
+ fqdn=$(hostname -f)
+ sed -E \
+ -e "s|__DEVICEID__|${deviceid}|" \
+ -e "s|__PORT__|${syncthing_user_port}|" \
+ -e "s|__FQDN__|${fqdn}|" \
+ -e "s|__SOCK__|${syncthing_user_irundir}/syncthing.sock|" \
+ "$syncthing_config_template" > "${syncthing_user_iconfdir}/config.xml"
+ fi
+}
+
+if [ -n "$syncthing_user_instances" ]; then
+ _1=$1
+ if [ $# -gt 1 ]; then
+ shift
+ syncthing_user_instances=$*
+ fi
+
+ rc=0
+ for syncthing_user_user in $syncthing_user_instances; do
+ syncthing_user_group=$syncthing_user_user
+ syncthing_user_iconfdir="${syncthing_user_confdir}/${syncthing_user_user}"
+ syncthing_user_irundir="${syncthing_user_rundir}/${syncthing_user_user}"
+ unset syncthing_user_port
+ eval "syncthing_user_port=\$syncthing_user_${syncthing_user_user}_port"
+
+ if [ -z "${syncthing_user_port:-}" ]; then
+ echo "syncthing_user_${syncthing_user_user}_port not defined in /etc/rc.conf - skipping" 1>&2
+ continue
+ fi
+
+ pidfile="${syncthing_user_rundir}/${syncthing_user_user}/syncthing.pid"
+ command_args="-cf -s info -l daemon -T syncthing-${syncthing_user_user} -p ${pidfile} -t syncthing-${syncthing_user_user} \
+ ${procname} ${syncthing_user_args} --home=${syncthing_user_iconfdir} --gui-address=unix://${syncthing_user_irundir}/syncthing.sock"
+
+ run_rc_command "$_1"
+ if [ $? -ne 0 ]; then rc=1; fi
+
+ unset _pidcmd _rc_restart_done
+ done
+
+ exit $rc
+else
+ echo 'No users defined. Set syncthing_user_instances in /etc/rc.conf.' 1>&2
+ exit 1
+fi
diff --git a/files/usr/local/etc/syncthing.template.xml.nfs_server b/files/usr/local/etc/syncthing.template.xml.nfs_server
new file mode 100644
index 0000000..3ee90a1
--- /dev/null
+++ b/files/usr/local/etc/syncthing.template.xml.nfs_server
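Review bot: In `syncthing_user_startprecmd`, the `generate` step is deliberately run as the instance user through `su -m`, but the `sed … > "${syncthing_user_iconfdir}/config.xml"` redirect a few lines later runs in the precmd's own (root) context, so the bootstrap config.xml ends up root-owned with whatever umask the rc framework has, inside a directory the script itself installs as `0750` user:user. The 0750 directory keeps other users out, but ownership now diverges from the keys `generate` just wrote, and the file's mode is left to chance rather than set by the script. The smallest fix is two lines straight after the redirect: `chown "${syncthing_user_user}:${syncthing_user_user}" "${syncthing_user_iconfdir}/config.xml"` and `chmod 0600 "${syncthing_user_iconfdir}/config.xml"`. The `"$procname" serve --home="$syncthing_user_iconfdir" --device-id` call above it also runs as root against the user's home; if that invocation writes anything there (I cannot tell from the hunk), the same ownership fix applies to whatever it creates.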
@@ -0,0 +1,131 @@ +<configuration version="37"> + <device id="__DEVICEID__" name="__FQDN__" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy=""> + <address>tcp://__FQDN__:__PORT__</address> + <paused>false</paused> + <autoAcceptFolders>false</autoAcceptFolders> + <maxSendKbps>0</maxSendKbps> + <maxRecvKbps>0</maxRecvKbps> + <maxRequestKiB>0</maxRequestKiB> + <untrusted>false</untrusted> + <remoteGUIPort>0</remoteGUIPort> + <numConnections>0</numConnections> + </device> + <gui enabled="true" tls="false" debugging="false" sendBasicAuthPrompt="false"> + <address>unix://__SOCK__</address> + <unixSocketPermissions>770</unixSocketPermissions> + <theme>default</theme> + <insecureSkipHostcheck>true</insecureSkipHostcheck> + </gui> + <ldap></ldap> + <options> + <listenAddress>quic://0.0.0.0:__PORT__</listenAddress> + <listenAddress>tcp://0.0.0.0:__PORT__</listenAddress> + <globalAnnounceServer>default</globalAnnounceServer> + <globalAnnounceEnabled>false</globalAnnounceEnabled> + <localAnnounceEnabled>false</localAnnounceEnabled> + <localAnnouncePort>0</localAnnouncePort> + <localAnnounceMCAddr>[ff12::8384]:0</localAnnounceMCAddr> + <maxSendKbps>0</maxSendKbps> + <maxRecvKbps>0</maxRecvKbps> + <reconnectionIntervalS>60</reconnectionIntervalS> + <relaysEnabled>false</relaysEnabled> + <relayReconnectIntervalM>10</relayReconnectIntervalM> + <startBrowser>false</startBrowser> + <natEnabled>false</natEnabled> + <natLeaseMinutes>60</natLeaseMinutes> + <natRenewalMinutes>30</natRenewalMinutes> + <natTimeoutSeconds>10</natTimeoutSeconds> + <urAccepted>-1</urAccepted> + <urSeen>0</urSeen> + <urUniqueID></urUniqueID> + <urURL>https://data.syncthing.net/newdata</urURL> + <urPostInsecurely>false</urPostInsecurely> + <urInitialDelayS>1800</urInitialDelayS> + <autoUpgradeIntervalH>0</autoUpgradeIntervalH> + <upgradeToPreReleases>false</upgradeToPreReleases> + <keepTemporariesH>24</keepTemporariesH> + <cacheIgnoredFiles>false</cacheIgnoredFiles> + 
<progressUpdateIntervalS>5</progressUpdateIntervalS> + <limitBandwidthInLan>false</limitBandwidthInLan> + <minHomeDiskFree unit="%">1</minHomeDiskFree> + <releasesURL>https://upgrades.syncthing.net/meta.json</releasesURL> + <overwriteRemoteDeviceNamesOnConnect>false</overwriteRemoteDeviceNamesOnConnect> + <tempIndexMinBlocks>10</tempIndexMinBlocks> + <trafficClass>0</trafficClass> + <setLowPriority>false</setLowPriority> + <maxFolderConcurrency>0</maxFolderConcurrency> + <crashReportingURL>https://crash.syncthing.net/newcrash</crashReportingURL> + <crashReportingEnabled>false</crashReportingEnabled> + <stunKeepaliveStartS>0</stunKeepaliveStartS> + <stunKeepaliveMinS>0</stunKeepaliveMinS> + <stunServer>default</stunServer> + <databaseTuning>auto</databaseTuning> + <maxConcurrentIncomingRequestKiB>0</maxConcurrentIncomingRequestKiB> + <announceLANAddresses>true</announceLANAddresses> + <sendFullIndexOnUpgrade>false</sendFullIndexOnUpgrade> + <connectionLimitEnough>0</connectionLimitEnough> + <connectionLimitMax>0</connectionLimitMax> + <insecureAllowOldTLSVersions>false</insecureAllowOldTLSVersions> + <connectionPriorityTcpLan>10</connectionPriorityTcpLan> + <connectionPriorityQuicLan>20</connectionPriorityQuicLan> + <connectionPriorityTcpWan>30</connectionPriorityTcpWan> + <connectionPriorityQuicWan>40</connectionPriorityQuicWan> + <connectionPriorityRelay>50</connectionPriorityRelay> + <connectionPriorityUpgradeThreshold>0</connectionPriorityUpgradeThreshold> + </options> + <defaults> + <folder id="" label="" path="~" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true"> + <filesystemType>basic</filesystemType> + <device id="__DEVICEID__" introducedBy=""> + <encryptionPassword></encryptionPassword> + </device> + <minDiskFree unit="%">1</minDiskFree> + <versioning> + <cleanupIntervalS>3600</cleanupIntervalS> + <fsPath></fsPath> + <fsType>basic</fsType> + </versioning> + <copiers>0</copiers> + 
<pullerMaxPendingKiB>0</pullerMaxPendingKiB> + <hashers>0</hashers> + <order>random</order> + <ignoreDelete>false</ignoreDelete> + <scanProgressIntervalS>0</scanProgressIntervalS> + <pullerPauseS>0</pullerPauseS> + <maxConflicts>10</maxConflicts> + <disableSparseFiles>false</disableSparseFiles> + <disableTempIndexes>false</disableTempIndexes> + <paused>false</paused> + <weakHashThresholdPct>25</weakHashThresholdPct> + <markerName>.stfolder</markerName> + <copyOwnershipFromParent>false</copyOwnershipFromParent> + <modTimeWindowS>0</modTimeWindowS> + <maxConcurrentWrites>2</maxConcurrentWrites> + <disableFsync>false</disableFsync> + <blockPullOrder>standard</blockPullOrder> + <copyRangeMethod>standard</copyRangeMethod> + <caseSensitiveFS>false</caseSensitiveFS> + <junctionsAsDirs>false</junctionsAsDirs> + <syncOwnership>false</syncOwnership> + <sendOwnership>false</sendOwnership> + <syncXattrs>false</syncXattrs> + <sendXattrs>false</sendXattrs> + <xattrFilter> + <maxSingleEntrySize>1024</maxSingleEntrySize> + <maxTotalSize>4096</maxTotalSize> + </xattrFilter> + </folder> + <device id="" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy=""> + <address>dynamic</address> + <paused>false</paused> + <autoAcceptFolders>false</autoAcceptFolders> + <maxSendKbps>0</maxSendKbps> + <maxRecvKbps>0</maxRecvKbps> + <maxRequestKiB>0</maxRequestKiB> + <untrusted>false</untrusted> + <remoteGUIPort>0</remoteGUIPort> + <numConnections>0</numConnections> + </device> + <ignores></ignores> + </defaults> +</configuration> |
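Review bot: `<insecureSkipHostcheck>true</insecureSkipHostcheck>` in the `<gui>` section turns off Syncthing's Host-header check, and the same section carries `sendBasicAuthPrompt="false"` with no GUI user or password, so the template's own access control is entirely delegated to the socket permissions and to the nginx vhost added in this commit; nothing in the file says so. That is defensible here because the GUI address is `unix://__SOCK__` with `unixSocketPermissions` 770 and the rc script creates the socket directory as `2750` with the `www` group, but a reader who copies this template to a TCP-bound GUI would inherit both settings silently. An XML comment above the `<gui>` element along the lines of `<!-- GUI auth and host check are intentionally off: the socket is reachable only by nginx, which forwards the external Host header and enforces Kerberos auth per user -->` would record the dependency. The `listenAddress` entries bind `0.0.0.0` only while the nginx vhost also listens on `[::]:443`; if IPv6 peers are expected, that asymmetry is worth a note as well.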