author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-15 23:35:53 -0400 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-15 23:35:53 -0400 |
commit | 145668c3dd67c5271eddcb62d1e7843487d768a7 (patch) | |
tree | 4c7d563e9d320e6b122ee3dbf048d93eee6776c3 /files | |
parent | b2af400a1098ebf445575d169e11a6717867045f (diff) | |
download | infrastructure-145668c3dd67c5271eddcb62d1e7843487d768a7.tar.gz |
huge amount of fixes
Diffstat (limited to 'files')
36 files changed, 625 insertions, 14 deletions
diff --git a/files/etc/auto_master.common b/files/etc/auto_master.common
new file mode 100644
index 0000000..37f3e34
--- /dev/null
+++ b/files/etc/auto_master.common
@@ -0,0 +1,2 @@
+/net -hosts -nobrowse,nosuid,intr
++auto_master
diff --git a/files/etc/cron.d/freeradius.radius_server b/files/etc/cron.d/freeradius.radius_server
new file mode 100644
index 0000000..20f3ada
--- /dev/null
+++ b/files/etc/cron.d/freeradius.radius_server
@@ -0,0 +1,2 @@
+MAILTO=root
+@daily ${freeradius_user} find ${freeradius_tlscache_dir} -mindepth 1 -mtime +2 -exec rm -vf {} +
diff --git a/files/etc/cron.d/invidious.invidious_server b/files/etc/cron.d/invidious.invidious_server
new file mode 100644
index 0000000..89fa336
--- /dev/null
+++ b/files/etc/cron.d/invidious.invidious_server
@@ -0,0 +1,2 @@
+MAILTO=root
+0 3 * * * root /usr/local/libexec/invidious-update -q ${invidious_local_username} ${invidious_repo_dir}
diff --git a/files/etc/dma/dma.conf.freebsd b/files/etc/dma/dma.conf.freebsd
index ff8aae0..6975ed1 100644
--- a/files/etc/dma/dma.conf.freebsd
+++ b/files/etc/dma/dma.conf.freebsd
@@ -2,4 +2,3 @@ SMARTHOST ${smtp_host}
 SECURETRANSFER
 STARTTLS
 OPPORTUNISTIC_TLS
-MAILNAME ${email_domain}
diff --git a/files/etc/exports.common b/files/etc/exports.common
new file mode 100644
index 0000000..4ea7fd2
--- /dev/null
+++ b/files/etc/exports.common
@@ -0,0 +1,2 @@
+V4: ${nfs_root}
+# The default is to not export anything.
diff --git a/files/etc/login.conf.desktop b/files/etc/login.conf.desktop
new file mode 100644
index 0000000..558c80a
--- /dev/null
+++ b/files/etc/login.conf.desktop
@@ -0,0 +1,64 @@ +default:\\ + :passwd_format=sha512:\\ + :copyright=/etc/COPYRIGHT:\\ + :welcome=/var/run/motd:\\ + :setenv=BLOCKSIZE=K,XDG_DATA_DIRS=/usr/local/override\\c/usr/local/share,XDG_DATA_HOME=/usr/local/home/\$/.local/share,XDG_STATE_HOME=/usr/local/home/\$/.local/state,XDG_CACHE_HOME=/usr/local/home/\$/.cache,XDG_CONFIG_HOME=/usr/local/home/\$/.config,KDEHOME=/usr/local/home/\$/.kde:\\ + :mail=/var/mail/\$:\\ + :path=/sbin /bin /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin ~/bin:\\ + :nologin=/var/run/nologin:\\ + :cputime=unlimited:\\ + :datasize=unlimited:\\ + :stacksize=unlimited:\\ + :memorylocked=64M:\\ + :memoryuse=unlimited:\\ + :filesize=unlimited:\\ + :coredumpsize=unlimited:\\ + :openfiles=unlimited:\\ + :maxproc=unlimited:\\ + :sbsize=unlimited:\\ + :vmemoryuse=unlimited:\\ + :swapuse=unlimited:\\ + :pseudoterminals=unlimited:\\ + :kqueues=unlimited:\\ + :umtxp=unlimited:\\ + :priority=0:\\ + :ignoretime@:\\ + :umask=022:\\ + :charset=UTF-8:\\ + :lang=${locale}: + +# +# A collection of common class names - forward them all to 'default' +# (login would normally do this anyway, but having a class name +# here suppresses the diagnostic) +# +standard:\\ + :tc=default: +xuser:\\ + :tc=default: +staff:\\ + :tc=default: + +# This PATH may be clobbered by individual applications. Notably, by default, +# rc(8), service(8), and cron(8) will all override it with a default PATH that +# may not include /usr/local/sbin and /usr/local/bin when starting services or +# jobs. +daemon:\\ + :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\\ + :mail@:\\ + :memorylocked=128M:\\ + :tc=default: +news:\\ + :tc=default: +dialer:\\ + :tc=default: + +# +# Root can always login +# +# N.B. login_getpwclass(3) will use this entry for the root account, +# in preference to 'default'. +root:\\ + :ignorenologin:\\ + :memorylocked=unlimited:\\ + :tc=default: 
diff --git a/files/etc/login.conf.laptop b/files/etc/login.conf.laptop
new file mode 120000
index 0000000..2dde3a4
--- /dev/null
+++ b/files/etc/login.conf.laptop
@@ -0,0 +1 @@
+login.conf.desktop
\ No newline at end of file
diff --git a/files/etc/login.conf.roadwarrior_laptop b/files/etc/login.conf.roadwarrior_laptop
new file mode 120000
index 0000000..2dde3a4
--- /dev/null
+++ b/files/etc/login.conf.roadwarrior_laptop
@@ -0,0 +1 @@
+login.conf.desktop
\ No newline at end of file
diff --git a/files/etc/pam.d/cups.cups_server b/files/etc/pam.d/cups.cups_server
new file mode 100644
index 0000000..b61c074
--- /dev/null
+++ b/files/etc/pam.d/cups.cups_server
@@ -0,0 +1,8 @@
+# auth
+auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required /usr/local/lib/security/pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
diff --git a/files/etc/pam.d/kde.freebsd b/files/etc/pam.d/kde.freebsd
new file mode 100644
index 0000000..2604c78
--- /dev/null
+++ b/files/etc/pam.d/kde.freebsd
@@ -0,0 +1,2 @@
+auth required /usr/local/lib/security/pam_krb5.so try_first_pass
+account required /usr/local/lib/security/pam_krb5.so
diff --git a/files/etc/pam.d/postgresql.postgresql_server b/files/etc/pam.d/postgresql.postgresql_server
deleted file mode 100644
index 8475a53..0000000
--- a/files/etc/pam.d/postgresql.postgresql_server
+++ /dev/null
@@ -1,2 +0,0 @@
-auth required /usr/local/lib/security/pam_krb5.so try_first_pass keytab=${postgres_keytab} no_ccache ignore_k5login no_update_user minimum_uid=0
-account required pam_permit.so
diff --git a/files/etc/pam.d/sddm.freebsd b/files/etc/pam.d/sddm.freebsd
new file mode 100644
index 0000000..ef359ff
--- /dev/null
+++ b/files/etc/pam.d/sddm.freebsd
@@ -0,0 +1,16 @@
+# NB: FreeBSD has no pam_stack.so or substack functionality, so we can't
+# try multiple authentication sources (like krb5 but fall back to pam_unix)
+# if we want pam_kwallet5 to execute.
+# Hence, for sddm, we try krb5 only (no local accounts).
+auth required /usr/local/lib/security/pam_krb5.so try_first_pass
+auth optional pam_exec.so /usr/local/libexec/pam-create-local-homedir
+auth optional pam_kwallet5.so
+
+account required /usr/local/lib/security/pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+session required pam_lastlog.so no_fail
+session optional pam_kwallet5.so auto_start
+
+password required /usr/local/lib/security/pam_krb5.so try_first_pass
diff --git a/files/etc/pam.d/sudo.freebsd b/files/etc/pam.d/sudo.freebsd
new file mode 100644
index 0000000..425bf4e
--- /dev/null
+++ b/files/etc/pam.d/sudo.freebsd
@@ -0,0 +1,15 @@
+# auth
+auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required /usr/local/lib/security/pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+account required pam_permit.so
+
+# password
+password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
+password required pam_unix.so no_warn try_first_pass
diff --git a/files/etc/profile.d/kde.sh.common b/files/etc/profile.d/kde.sh.common
new file mode 100644
index 0000000..010d5c1
--- /dev/null
+++ b/files/etc/profile.d/kde.sh.common
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ "$XDG_CURRENT_DESKTOP" = KDE ]; then
+ export SSH_ASKPASS_REQUIRE=prefer
+ export SSH_ASKPASS=/usr/local/bin/ksshaskpass
+fi
diff --git a/files/etc/profile.d/local-homedir.sh.common b/files/etc/profile.d/local-homedir.sh.common
new file mode 100644
index 0000000..d5abb90
--- /dev/null
+++ b/files/etc/profile.d/local-homedir.sh.common
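Review bot: `auth optional pam_exec.so /usr/local/libexec/pam-create-local-homedir` runs even when the preceding `auth required` pam_krb5 line has failed, because OpenPAM keeps walking the chain after a `required` failure and only reports it at the end, so typing any existing username at the greeter creates that user's /usr/local/home directory without a password. If the directory only has to exist before pam_kwallet5's `auto_start`, `session optional pam_exec.so /usr/local/libexec/pam-create-local-homedir` placed ahead of `session optional pam_kwallet5.so auto_start` runs only for authenticated logins; the alternative, `auth requisite` on the pam_krb5 line, stops the chain on failure but gives up the uniform-failure behaviour `required` is meant to provide. Either way, a one-line comment stating why pam_exec sits in the auth stack would help the next reader.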
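Review bot: Under the `# session` heading in sudo.freebsd the rule is `account required pam_permit.so`, a redundant second account rule, so the sudo service ends up with no session chain at all. As I recall the port's stock policy uses `session required pam_permit.so` there, and OpenPAM may report an error from pam_open_session on an empty chain rather than silently succeed — worth confirming on the target release. The line should read `session required pam_permit.so`.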
@@ -0,0 +1,25 @@ +#!/bin/sh + +# This file contains various environment variables and hacks to accomodate +# applications that don't play well with NFS-mounted home directories. + +if [ "$(id -u)" -lt 1000 ]; then + return 0 +fi + +LOCAL_HOME="/usr/local/home/${USER}" + +export PYTHONUSERBASE="${LOCAL_HOME}/.local" +export npm_config_cache="${LOCAL_HOME}/.npm" +export CARGO_HOME="${LOCAL_HOME}/.cargo" +export GOPATH="${LOCAL_HOME}/go" + +# firefox +mkdir -p "${LOCAL_HOME}/.mozilla" +ln -sfn "${LOCAL_HOME}/.mozilla" "${HOME}/.mozilla" + +# kwallet +# The kwallet PAM module hard-codes ~/.local/share/kwalletd, but kwallet itself +# honors XDG_DATA_HOME! So we symlink from the local disk back into NFS. Gross! +mkdir -p "${LOCAL_HOME}/.local/share/kwalletd" +ln -sfn "${HOME}/.local/share/kwalletd/kwallet.salt" "${LOCAL_HOME}/.local/share/kwalletd/kdewallet.salt" diff --git a/files/etc/syslog.conf.freebsd b/files/etc/syslog.conf.freebsd index dda6710..021836e 100644 --- a/files/etc/syslog.conf.freebsd +++ b/files/etc/syslog.conf.freebsd @@ -1,4 +1,5 @@ *.err;kern.warning;auth.notice;mail.crit /dev/console +!-devd *.info;authpriv.none;auth.none;cron.none;kern.debug;mail.crit;news.err /var/log/messages security.* /var/log/security auth.info;authpriv.info /var/log/auth.log @@ -7,6 +8,8 @@ cron.* /var/log/cron !-devd *.=debug /var/log/debug.log *.emerg * +!devd +*.>=info /var/log/devd.log !* include /etc/syslog.d include /usr/local/etc/syslog.d diff --git a/files/usr/local/etc/nginx/vhosts.conf.invidious_server b/files/usr/local/etc/nginx/vhosts.conf.invidious_server new file mode 100644 index 0000000..35947dc --- /dev/null +++ b/files/usr/local/etc/nginx/vhosts.conf.invidious_server 
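Review bot: The kwallet symlink is created as `${LOCAL_HOME}/.local/share/kwalletd/kdewallet.salt` but points at `${HOME}/.local/share/kwalletd/kwallet.salt`; as far as I recall kwalletd names the salt file after the wallet (`kdewallet.salt` for the default wallet), so unless the NFS side really holds a file called `kwallet.salt` the link dangles, a fresh local salt is generated, and the comment's stated intent is defeated. If the differing names are deliberate, say so in the comment; otherwise use `kdewallet.salt` on both ends. The `-lt 1000` UID threshold duplicates the one in pam-create-local-homedir; a comment cross-referencing the two would keep them from drifting apart.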
@@ -0,0 +1,22 @@
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+ ssl_certificate ${invidious_https_cert};
+ ssl_certificate_key ${invidious_https_key};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+
+ proxy_pass http://127.0.0.1:${invidious_port};
+ }
+}
diff --git a/files/usr/local/etc/nginx/vhosts.conf.pkg_repository b/files/usr/local/etc/nginx/vhosts.conf.pkg_repository
index 8177626..73c5754 100644
--- a/files/usr/local/etc/nginx/vhosts.conf.pkg_repository
+++ b/files/usr/local/etc/nginx/vhosts.conf.pkg_repository
@@ -1,9 +1,14 @@
 server {
 listen 0.0.0.0:80 default_server;
- listen [::]:80 default_server;
+ listen [::]:80 default_server;
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
 server_name ${fqdn};
 root ${poudriere_data_dir}/data/packages;
+ ssl_certificate ${poudriere_https_cert};
+ ssl_certificate_key ${poudriere_https_key};
+
 include mime.types;
 types {
 text/plain log;
diff --git a/files/usr/local/etc/openldap/ldap.conf.common b/files/usr/local/etc/openldap/ldap.conf.common
index 22b20bb..af1781e 100644
--- a/files/usr/local/etc/openldap/ldap.conf.common
+++ b/files/usr/local/etc/openldap/ldap.conf.common
@@ -12,3 +12,4 @@ USERS_BASE ${users_basedn}
 GROUPS_BASE ${groups_basedn}
 HOSTS_BASE ${hosts_basedn}
 ROLES_BASE ${roles_basedn}
+AUTOMOUNT_BASE ${automount_basedn}
diff --git a/files/usr/local/etc/openldap/ldap.conf.idm_server b/files/usr/local/etc/openldap/ldap.conf.idm_server
index 4c7a929..aa6f8c9 100644
--- a/files/usr/local/etc/openldap/ldap.conf.idm_server
+++ b/files/usr/local/etc/openldap/ldap.conf.idm_server
@@ -12,3 +12,4 @@ USERS_BASE ${users_basedn}
 GROUPS_BASE ${groups_basedn}
 HOSTS_BASE ${hosts_basedn}
 ROLES_BASE ${roles_basedn}
+AUTOMOUNT_BASE ${automount_basedn}
diff --git a/files/usr/local/etc/polkit-1/rules.d/51-desktop.rules.desktop b/files/usr/local/etc/polkit-1/rules.d/51-desktop.rules.desktop
new file mode 100644
index 0000000..d57c4b9
--- /dev/null
+++ b/files/usr/local/etc/polkit-1/rules.d/51-desktop.rules.desktop
@@ -0,0 +1,8 @@
+polkit.addRule(function (action, subject) {
+ if ((action.id == "org.freedesktop.consolekit.system.restart" ||
+ action.id == "org.freedesktop.consolekit.system.stop" ||
+ action.id == "org.freedesktop.consolekit.system.suspend")
+ && subject.isInGroup("${desktop_access_role}")) {
+ return polkit.Result.YES;
+ }
+});
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
index 6ef6f4a..7c69474 100644
--- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -10,8 +10,8 @@ OPTIONS_SET=GSSAPI GSSAPI_MIT MIT NONFREE LIBEDIT
 # Per-port options
 databases_akonadi_SET=MYSQL
 databases_luadbi_SET=PGSQL
-databases_postgresql${postgresql_version}-client_SET=PAM
-databases_postgresql${postgresql_version}-server_SET=PAM
+databases_postgresql${postgresql_version}-client_SET=PAM LDAP
+databases_postgresql${postgresql_version}-server_SET=PAM LDAP
 devel_apr1_SET=LDAP
 devel_gitolite_SET=GITUSER
 devel_kio-extras_UNSET=AFC
diff --git a/files/usr/local/etc/poudriere.d/patches/chromium-gssapi.patch.pkg_repository b/files/usr/local/etc/poudriere.d/patches/chromium-gssapi.patch.pkg_repository
new file mode 100644
index 0000000..7cb0372
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/patches/chromium-gssapi.patch.pkg_repository
@@ -0,0 +1,54 @@ +--- www/chromium/Makefile 2024-10-14 22:31:01.044557000 -0400 ++++ www/chromium/Makefile 2024-10-14 22:37:11.304192000 -0400 +@@ -144,19 +144,20 @@ + SUB_FILES= chromium-browser.desktop chrome + SUB_LIST+= COMMENT="${COMMENT}" + +-OPTIONS_DEFINE= CODECS CUPS DEBUG DRIVER KERBEROS LTO PIPEWIRE TEST WIDEVINE +-OPTIONS_DEFAULT= CODECS CUPS DRIVER KERBEROS PIPEWIRE SNDIO ALSA PULSEAUDIO ++OPTIONS_DEFINE= CODECS CUPS DEBUG DRIVER LTO PIPEWIRE TEST WIDEVINE ++OPTIONS_DEFAULT= CODECS CUPS DRIVER KERBEROS PIPEWIRE SNDIO ALSA PULSEAUDIO GSSAPI_MIT + OPTIONS_EXCLUDE_aarch64=LTO + OPTIONS_GROUP= AUDIO + OPTIONS_GROUP_AUDIO= ALSA PULSEAUDIO SNDIO +-OPTIONS_RADIO= KERBEROS +-OPTIONS_RADIO_KERBEROS= HEIMDAL HEIMDAL_BASE MIT ++OPTIONS_SINGLE= KERBEROS ++OPTIONS_SINGLE_KERBEROS=GSSAPI_NONE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT + OPTIONS_SUB= yes + CODECS_DESC= Compile and enable patented codecs like H.264 + DRIVER_DESC= Install chromedriver +-HEIMDAL_BASE_DESC= Heimdal Kerberos (base) +-HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) +-MIT_DESC= MIT Kerberos (security/krb5) ++GSSAPI_NONE_DESC= Build without GSSAPI support ++GSSAPI_BASE_DESC= Use GSSAPI from base ++GSSAPI_HEIMDAL_DESC= Use Heimdal GSSAPI from security/heimdal ++GSSAPI_MIT_DESC= Use MIT GSSAPI from security/krb5 + + ALSA_LIB_DEPENDS= libasound.so:audio/alsa-lib + ALSA_RUN_DEPENDS= ${LOCALBASE}/lib/alsa-lib/libasound_module_pcm_oss.so:audio/alsa-plugins \ +@@ -189,16 +190,19 @@ + + DRIVER_MAKE_ARGS= chromedriver + +-HEIMDAL_LIB_DEPENDS= libkrb.so.26:security/heimdal +-KERBEROS_VARS= GN_ARGS+=use_kerberos=true +-KERBEROS_VARS_OFF= GN_ARGS+=use_kerberos=false ++GSSAPI_BASE_USES= gssapi ++GSSAPI_HEIMDAL_USES= gssapi:heimdal ++GSSAPI_MIT_USES= gssapi:mit ++GSSAPI_BASE_VARS= GN_ARGS+=use_kerberos=true ++GSSAPI_MIT_VARS= GN_ARGS+=use_kerberos=true ++GSSAPI_HEIMDAL_VARS= GN_ARGS+=use_kerberos=true ++GSSAPI_NONE_VARS= GN_ARGS+=use_kerberos=false + + LTO_VARS= GN_ARGS+=use_thin_lto=true \ + 
GN_ARGS+=thin_lto_enable_optimizations=true \ + WANTSPACE="14 GB" + LTO_VARS_OFF= GN_ARGS+=use_thin_lto=false + +-MIT_LIB_DEPENDS= libkrb.so.3:security/krb5 + + PIPEWIRE_DESC= Screen capture via PipeWire + PIPEWIRE_LIB_DEPENDS= libpipewire-0.3.so:multimedia/pipewire diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository index ec63f48..35b8f9a 100644 --- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository +++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository @@ -1,5 +1,11 @@ +archivers/7-zip archivers/php${php_version}-phar archivers/php${php_version}-zip +archivers/unzip +archivers/zip +audio/juk +audio/kid3 +audio/kmix converters/php${php_version}-iconv converters/php${php_version}-mbstring databases/luadbi @@ -11,25 +17,38 @@ databases/postgresql${postgresql_version}-client databases/postgresql${postgresql_version}-server databases/redis devel/ccache +devel/cgit devel/git@lite +devel/gitolite devel/php${php_version}-gettext devel/php${php_version}-intl devel/php${php_version}-pcntl devel/php${php_version}-tokenizer +devel/py-pip +devel/shards dns/bind-tools dns/nsd dns/powerdns dns/unbound +editors/libreoffice editors/vim@console editors/vim@tiny +finance/gnucash +finance/kmymoney ftp/php${php_version}-curl +graphics/ImageMagick7@nox11 +graphics/drm-kmod +graphics/p5-Image-ExifTool graphics/php${php_version}-exif graphics/php${php_version}-gd +irc/konversation irc/znc irc/znc-clientbuffer +java/eclipse java/openjdk21 -lang/python +lang/crystal lang/php${php_version} +lang/python mail/dovecot mail/dovecot-pigeonhole mail/isync 
@@ -38,27 +57,37 @@ mail/postfix mail/rspamd mail/sieve-connect misc/php${php_version}-calendar +multimedia/audacious +multimedia/libva-intel-media-driver +multimedia/makemkv +net-im/dino +net-im/gajim +net-im/prosody +net-im/prosody-modules +net-im/signal-desktop +net-mgmt/unifi8 net/asterisk18 +net/freeradius3 net/lualdap net/nss-pam-ldapd-sasl net/openldap26-client net/openldap26-server net/p5-perl-ldap net/php${php_version}-ldap +net/php${php_version}-sockets net/py-python-ldap net/rsync -net/php${php_version}-sockets net/turnserver -net-im/prosody -net-im/prosody-modules +net/wireguard-tools ports-mgmt/poudriere print/cups print/cups-filters security/acme.sh +security/bitwarden-cli security/cyrus-sasl2-saslauthd -security/kstart security/krb5@default security/krb5@ldap +security/kstart security/openssh-portable security/pam_krb5@mit security/pam_mkhomedir @@ -67,20 +96,38 @@ security/sshpass security/sudo security/vaultwarden sysutils/htop +sysutils/k3b sysutils/lsof sysutils/p5-Sys-Syslog +sysutils/password-store sysutils/php${php_version}-fileinfo sysutils/php${php_version}-posix sysutils/pwgen sysutils/stow sysutils/tmux sysutils/tree +textproc/hs-pandoc +textproc/jq textproc/p5-YAML textproc/php${php_version}-ctype textproc/php${php_version}-dom textproc/php${php_version}-simplexml textproc/php${php_version}-xml textproc/php${php_version}-xmlwriter +textproc/py-docutils +textproc/py-markdown +textproc/py-pygments +www/chromium +www/fcgiwrap +www/firefox +www/linux-widevine-cdm www/nginx www/php${php_version}-opcache www/php${php_version}-session +www/w3m +x11-fonts/terminus-font +x11-fonts/terminus-ttf +x11/kde5 +x11/sddm +x11/xev +x11/xorg diff --git a/files/usr/local/etc/raddb/mods-available/eap.radius_server b/files/usr/local/etc/raddb/mods-available/eap.radius_server new file mode 100644 index 0000000..5c1aafd --- /dev/null +++ b/files/usr/local/etc/raddb/mods-available/eap.radius_server 
@@ -0,0 +1,42 @@
+eap {
+ default_eap_type = tls
+ timer_expire = 60
+ ignore_unknown_eap_types = yes
+ cisco_accounting_username_bug = no
+ max_sessions = \${max_requests}
+
+ tls-config tls-common {
+ private_key_password =
+ private_key_file = ${freeradius_tls_key}
+ certificate_file = ${freeradius_tls_cert}
+ ca_file = ${site_cacert_path}
+ ca_path = \${cadir}
+ auto_chain = no
+ check_crl = no
+ cipher_list = "DEFAULT"
+ cipher_server_preference = no
+ tls_min_version = "1.2"
+ tls_max_version = "1.3"
+ ecdh_curve = ""
+
+ cache {
+ enable = yes
+ lifetime = 24 # hours
+ name = "EAP module"
+ persist_dir = "${freeradius_tlscache_dir}"
+ store {
+ Tunnel-Private-Group-Id
+ }
+ }
+
+ verify { }
+
+ ocsp {
+ enable = no
+ }
+ }
+
+ tls {
+ tls = tls-common
+ }
+}
diff --git a/files/usr/local/etc/raddb/radiusd.conf.radius_server b/files/usr/local/etc/raddb/radiusd.conf.radius_server
new file mode 100644
index 0000000..cc5a7a3
--- /dev/null
+++ b/files/usr/local/etc/raddb/radiusd.conf.radius_server
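Review bot: `check_crl = no` combined with `ocsp { enable = no }` means a client certificate issued under `${site_cacert_path}` remains accepted for EAP-TLS until it expires, so a lost or compromised device cannot be locked out short of replacing the CA or adding a per-certificate reject elsewhere. If the CA publishes a CRL, `check_crl = yes` with the hashed CRL placed in `ca_path` (`\${cadir}`) is the least invasive fix; be aware that handshakes then fail while the CRL is missing or stale, so the refresh needs its own periodic job, much like the one that prunes `${freeradius_tlscache_dir}`. A comment recording the intended revocation story (even "none, by design") would help whoever audits this later.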
@@ -0,0 +1,80 @@
+prefix = /usr/local
+exec_prefix = \${prefix}
+sysconfdir = \${prefix}/etc
+localstatedir = /var
+sbindir = \${exec_prefix}/sbin
+logdir = /var/log
+raddbdir = \${sysconfdir}/raddb
+radacctdir = \${logdir}/radacct
+
+name = radiusd
+
+confdir = \${raddbdir}
+modconfdir = \${confdir}/mods-config
+certdir = \${confdir}/certs
+cadir = \${confdir}/certs
+run_dir = \${localstatedir}/run/\${name}
+
+db_dir = \${raddbdir}
+
+libdir = /usr/local/lib/freeradius-${freeradius_version}
+
+pidfile = \${run_dir}/\${name}.pid
+
+max_request_time = 30
+
+cleanup_delay = 5
+
+max_requests = 16384
+
+hostname_lookups = no
+
+log {
+ destination = syslog
+ colourise = no
+ file = \${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = no
+ auth_goodpass = no
+ msg_denied = "You are already logged in - access denied"
+}
+
+checkrad = \${sbindir}/checkrad
+
+ENV { }
+
+security {
+ allow_core_dumps = no
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+proxy_requests = yes
+\$INCLUDE proxy.conf
+
+\$INCLUDE clients.conf
+
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+ auto_limit_acct = no
+}
+
+modules {
+ \$INCLUDE mods-enabled/
+}
+
+instantiate { }
+
+policy {
+ \$INCLUDE policy.d/
+}
+
+\$INCLUDE sites-enabled/
diff --git a/files/usr/local/etc/rc.d/invidious.invidious_server b/files/usr/local/etc/rc.d/invidious.invidious_server
new file mode 100644
index 0000000..44acbad
--- /dev/null
+++ b/files/usr/local/etc/rc.d/invidious.invidious_server
@@ -0,0 +1,41 @@ +#!/bin/sh + +# PROVIDE: invidious +# REQUIRE: NETWORKING +# KEYWORD: shutdown + +. /etc/rc.subr + +name=invidious +rcvar=invidious_enable + +load_rc_config "$name" + +: ${invidious_enable:='NO'} +: ${invidious_dir:='/usr/local/invidious/invidious.git'} +: ${invidious_user='www'} +: ${invidious_syslog_priority:='info'} +: ${invidious_syslog_facility:='daemon'} + +invidious_syslog_tag=invidious + +invidious_chdir=$invidious_dir +pidfile=/var/run/invidious/invidious.pid +command=/usr/sbin/daemon + +command_args="-f \ +-s ${invidious_syslog_priority} \ +-l ${invidious_syslog_facility} \ +-T ${invidious_syslog_tag} \ +-p ${pidfile} \ +-t invidious \ +${invidious_dir}/invidious" + +procname="${invidious_dir}/invidious" +start_precmd=invidious_prestart + +invidious_prestart(){ + install -d -m 0755 -o ${invidious_user} /var/run/invidious +} + +run_rc_command "$1" diff --git a/files/usr/local/etc/sddm.conf.common b/files/usr/local/etc/sddm.conf.common new file mode 100644 index 0000000..09c2000 --- /dev/null +++ b/files/usr/local/etc/sddm.conf.common @@ -0,0 +1,9 @@ +[General] +DisplayServer = x11 + +[Wayland] +SessionDir = /dev/null + +[Users] +MinimumUid = ${sddm_min_uid} +MaximumUid = ${sddm_max_uid} diff --git a/files/usr/local/etc/ssh/sshd_config.freebsd b/files/usr/local/etc/ssh/sshd_config.freebsd index eca2276..0e0d730 100644 --- a/files/usr/local/etc/ssh/sshd_config.freebsd +++ b/files/usr/local/etc/ssh/sshd_config.freebsd @@ -13,4 +13,6 @@ GSSAPICleanupCredentials yes UsePAM yes UseDNS no +# TODO: require group to login? + Subsystem sftp /usr/local/libexec/sftp-server diff --git a/files/usr/local/invidious/invidious.git/config/config.yml.invidious_server b/files/usr/local/invidious/invidious.git/config/config.yml.invidious_server new file mode 100644 index 0000000..fb7fe54 --- /dev/null +++ b/files/usr/local/invidious/invidious.git/config/config.yml.invidious_server 
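Review bot: `: ${invidious_user='www'}` uses `=` while the neighbouring defaults use `:=`, so an `invidious_user=""` in rc.conf keeps the empty value instead of falling back to `www`; rc.subr then skips the `su -m` wrapper and runs `daemon` as root, and `install -o ${invidious_user}` in `invidious_prestart` is handed an empty owner. Change it to `: ${invidious_user:='www'}` for consistency with the other four defaults. It is also worth a comment on the `invidious_user` line that rc.subr's `${name}_user` convention is what drops privileges here, since nothing in `command_args` does.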
@@ -0,0 +1,35 @@
+log_level: info
+domain: ${invidious_fqdn}
+external_port: 443
+channel_threads: 1
+feed_threads: 1
+database_url: postgres://${invidious_username}:${invidious_password}@${invidious_dbhost}/${invidious_dbname}?sslmode=verify-full&auth_methods=cleartext
+use_pubsub_feeds: false
+hmac_key: ${invidious_hmac_key}
+https_only: true
+registration_enabled: true
+port: ${invidious_port}
+host_binding: 127.0.0.1
+popular_enabled: false
+captcha_enabled: false
+check_tables: true
+cache_annotations: true
+po_token: ${invidious_po_token}
+visitor_data: ${invidious_visitor_data}
+signature_server: ${invidious_signature_sock}
+
+default_user_preferences:
+ dark_mode: auto
+ autoplay: false
+ continue: true
+ continue_autoplay: false
+ local: true
+ quality: dash
+ quality_dash: 1080p
+ locale: en-US
+ region: US
+ related_videos: true
+ video_loop: false
+ player_style: invidious
+ default_home: Subscriptions
+ feed_menu: [Subscriptions, Playlists]
diff --git a/files/usr/local/libexec/idm-autofs-map.common b/files/usr/local/libexec/idm-autofs-map.common
new file mode 100644
index 0000000..296bf91
--- /dev/null
+++ b/files/usr/local/libexec/idm-autofs-map.common
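Review bot: `registration_enabled: true` with `captcha_enabled: false` leaves account creation open to anyone who reaches the vhost, and the nginx side serves this instance as `default_server` on 443, so it is reachable by IP as well as by `${invidious_fqdn}`. If the instance is meant for a closed set of users, set `registration_enabled: false` once the accounts exist, or at least document next to the key that open signup is intended.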
@@ -0,0 +1,44 @@
+#!/usr/local/bin/perl
+
+use strict;
+use warnings;
+
+use Net::LDAP;
+use Net::LDAP::Util qw(escape_dn_value);
+use Authen::SASL;
+
+open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or die($!);
+my %config;
+while (<$fh>) {
+ chomp;
+ next if /^#/;
+ my @pair = split(' ', $_, 2);
+ next unless (@pair == 2);
+ $config{$pair[0]} = $pair[1];
+}
+close($fh);
+
+my $mech = $config{SASL_MECH} // 'GSSAPI';
+my $uri = $config{URI} // die("URI not specified\n");
+my $basedn = $config{AUTOMOUNT_BASE} // die("AUTOMOUNT_BASE not specified\n");
+
+@ARGV == 1 or die "usage: $0 MAPNAME\n";
+my $mapname = $ARGV[0];
+
+my $conn = Net::LDAP->new($uri, version => '3') or die "$0: $@";
+my $sasl = Authen::SASL->new($mech);
+my $status = $conn->bind(sasl => $sasl);
+$status->code and die "$0: ".$status->error."\n";
+
+my $search = $conn->search(
+ scope => 'one',
+ base => 'automountMapName='.escape_dn_value($mapname).",$basedn",
+ filter => '(objectClass=automount)',
+ attrs => ['automountKey', 'automountInformation']);
+$search->code and die "$0: $mapname: ".$search->error."\n";
+
+foreach my $entry ($search->entries) {
+ my $key = ($entry->get_value('automountKey'))[0];
+ my $info = ($entry->get_value('automountInformation'))[0];
+ print "$key $info\n";
+}
diff --git a/files/usr/local/libexec/invidious-update.invidious_server b/files/usr/local/libexec/invidious-update.invidious_server
new file mode 100644
index 0000000..b89b4bf
--- /dev/null
+++ b/files/usr/local/libexec/invidious-update.invidious_server
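Review bot: The output loop prints `$key` and `$info` unconditionally, so an `automount` entry missing either attribute produces an "uninitialized value" warning and a malformed map line; add `next unless defined $key && defined $info;` before the `print`. The `open ... or die($!)` message omits the file name, which makes the cron/automountd error hard to place — `or die "$0: /usr/local/etc/openldap/ldap.conf: $!\n"` is more useful. Net::LDAP does not read ldap.conf's TLS settings, so if `$config{URI}` is ever an `ldaps://` URI the server certificate is validated only according to Net::LDAP's own defaults; if that case is intended, pass `verify => 'require'` and `cafile` explicitly, and otherwise a comment noting that the GSSAPI bind is relied on for integrity would make the assumption explicit. Escaping the map name with `escape_dn_value` before building the base DN is the right call and worth a short comment, since it is the one piece of caller-controlled input reaching the directory.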
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -eu -o pipefail
+
+prog=$(basename "$(readlink -f "$0")")
+usage="${prog} [-q] INVIDIOUS_USER INVIDIOUS_SRCDIR"
+
+die() {
+ printf '%s: %s\n' "$prog" "$*" 1>&2
+ exit 1
+}
+
+usage(){
+ printf 'usage: %s\n' "$usage" 1>&2
+ exit 2
+}
+
+as_invidious(){
+ su -m "$invidious_user" -c "HOME=$(dirname "$invidious_dir") ${@}"
+}
+
+while getopts hq opt; do
+ case $opt in
+ h) usage ;;
+ q) exec 1>/dev/null ;;
+ esac
+done
+shift $((OPTIND - 1))
+
+[ $# -eq 2 ] || usage
+
+invidious_user=$1
+invidious_dir=$2
+
+cd "$invidious_dir"
+
+su -m "$invidious_user" -c 'git fetch'
+local_rev=$(as_invidious 'git rev-parse HEAD')
+upstream_rev=$(as_invidious 'git rev-parse "@{u}"')
+
+if [ "$local_rev" != "$upstream_rev" ]; then
+ echo "updating invidious to rev ${upstream_rev}"
+ as_invidious 'git pull --ff-only && shards install --production && crystal build src/invidious.cr --release'
+else
+ echo "invidious already up to date at rev ${local_rev}"
+fi
+
+service invidious restart
diff --git a/files/usr/local/libexec/pam-create-local-homedir.common b/files/usr/local/libexec/pam-create-local-homedir.common
new file mode 100644
index 0000000..a956d65
--- /dev/null
+++ b/files/usr/local/libexec/pam-create-local-homedir.common
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+uid=$(id -u "$PAM_USER")
+
+if [ "$uid" -ge 1000 ]; then
+ install -m 0755 -d /usr/local/home
+ install -o "$uid" -g "$uid" -m 0700 -d "/usr/local/home/${PAM_USER}"
+fi
diff --git a/files/usr/local/override/applications/signal-desktop.desktop.common b/files/usr/local/override/applications/signal-desktop.desktop.common
new file mode 100644
index 0000000..d0c9160
--- /dev/null
+++ b/files/usr/local/override/applications/signal-desktop.desktop.common
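Review bot: `service invidious restart` sits after the `if`/`else`, so the nightly cron job bounces the service even on the "already up to date" path; move it inside the `if` branch after the build step. The first `su -m "$invidious_user" -c 'git fetch'` bypasses `as_invidious`, so that one git call runs with the HOME inherited from root via `-m` rather than the one the helper sets — harmless for an https remote, but it picks up the wrong known_hosts/credentials for anything else; use `as_invidious 'git fetch'`. `set -o pipefail` is, as far as I recall, only honoured by fairly recent FreeBSD /bin/sh releases and nothing here pipes, so it can be dropped to avoid a startup error on older hosts. `die` is defined but never used.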
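Review bot: `install -o "$uid" -g "$uid"` in pam-create-local-homedir uses the numeric UID as the group, which is only correct when every user has a private group whose gid equals the uid; `-g "$(id -g "$PAM_USER")"` uses the user's real primary group and makes no such assumption. With `set -e`, `uid=$(id -u "$PAM_USER")` exits non-zero for an unknown user, which is what makes the `optional` pam_exec entry in the sddm policy safe; a comment saying so (`# unknown user: id fails and we exit non-zero on purpose`) would stop someone from "fixing" it. The `-ge 1000` threshold duplicates the one in local-homedir.sh, so note the cross-reference.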
@@ -0,0 +1,12 @@
+[Desktop Entry]
+Type=Application
+Name=Signal
+Comment=Signal - Private Messenger
+Icon=signal-desktop
+Exec=signal-desktop --use-tray-icon -- %u
+Terminal=false
+Categories=Network;InstantMessaging;
+StartupWMClass=Signal
+MimeType=x-scheme-handler/sgnl;
+Keywords=sgnl;chat;im;messaging;messenger;sms;security;privat;
+X-GNOME-UsesNotifications=true
diff --git a/files/usr/local/www/davical/config/config.php.dav_server b/files/usr/local/www/davical/config/config.php.dav_server
index ec2cb26..3d1174d 100644
--- a/files/usr/local/www/davical/config/config.php.dav_server
+++ b/files/usr/local/www/davical/config/config.php.dav_server
@@ -20,8 +20,12 @@
 'port' => '389',
 'sasl' => 'yes',
 'sasl_mech' => 'GSSAPI',
- 'baseDNUsers' => '${users_basedn}',
+ 'baseDNUsers' => '${people_basedn}',
 'baseDNGroups' => '${groups_basedn}',
+ /* Must use scope=onelevel here because if davical picks up a user and group
+ * with the same name, then the group takes precedence and the user is lost.
+ * Sad for us because we store user private groups in LDAP.
+ */
 'scope' => 'onelevel',
 'protocolVersion' => 3,
 'optReferrals' => 0,
@@ -44,6 +48,6 @@
 'H' => array(8,2),
 'M' => array(10,2),
 'S' => array(12,2)),
- 'i_use_mode_kerberos' => 'i_know_what_i_am_doing',
+ 'i_use_mode_kerberos' => 'allow_fallback_to_ldap_auth',
 );
 include_once('drivers_ldap.php');
diff --git a/files/var/db/postgres/data16/pg_hba.conf.postgresql_server b/files/var/db/postgres/data16/pg_hba.conf.postgresql_server
index 0e98783..4810eb9 100644
--- a/files/var/db/postgres/data16/pg_hba.conf.postgresql_server
+++ b/files/var/db/postgres/data16/pg_hba.conf.postgresql_server
@@ -2,4 +2,4 @@ local all postgres peer map=postgres local all all peer hostgssenc all all all gss include_realm=0 krb_realm=${realm} -hostssl all all all pam +hostssl all all all ldap ldapserver="${ldap_hosts}" ldaptls=1 ldapbinddn="${postgres_dn}" ldapbindpasswd="${postgres_ldap_password}" ldapbasedn="${users_basedn}" ldapsearchattribute=uid |
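Review bot: The new `ldap` line embeds `${postgres_ldap_password}` in pg_hba.conf, so the rendered file now carries a bind credential where the replaced `pam` line carried none; whatever deploys it must keep the file readable by the postgres user only. `ldaptls=1` requests StartTLS, but whether the LDAP server's certificate is actually verified is decided by libldap's ldap.conf (`TLS_CACERT`/`TLS_REQCERT`) on the database host, not by this line, so confirm that file demands verification or the bind DN's password can be handed to a spoofed directory. Since this is search+bind over `${users_basedn}` with `ldapsearchattribute=uid`, any uid under that base can attempt a password login; an `ldapsearchfilter=` restricting it to the intended role/group would narrow that, and a comment here recording why hostssl+ldap rather than GSSAPI is allowed on this path would help.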