author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-03 22:38:06 -0400 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-03 22:38:06 -0400 |
commit | a1bddcb1de1053994fb445267ca5d1ffaecb0fb5 (patch) | |
tree | ba2f614ac93dabc6b148037fc604966c7907b384 /files | |
parent | 47f90d0916ac34ef132e3bb6da92a4a67dffbba8 (diff) | |
download | infrastructure-a1bddcb1de1053994fb445267ca5d1ffaecb0fb5.tar.gz |
more postfix/rspamd stuff
Diffstat (limited to 'files')
12 files changed, 147 insertions, 71 deletions
diff --git a/files/usr/local/etc/mail/mailer.conf.smtp_server b/files/usr/local/etc/mail/mailer.conf.smtp_server
new file mode 100644
index 0000000..d15a587
--- /dev/null
+++ b/files/usr/local/etc/mail/mailer.conf.smtp_server
@@ -0,0 +1,7 @@
+#
+# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
+#
+sendmail /usr/local/sbin/sendmail
+send-mail /usr/local/sbin/sendmail
+mailq /usr/local/sbin/sendmail
+newaliases /usr/local/sbin/sendmail
diff --git a/files/usr/local/etc/nginx/acme.conf.common b/files/usr/local/etc/nginx/acme.conf.common
deleted file mode 100644
index 583ca98..0000000
--- a/files/usr/local/etc/nginx/acme.conf.common
+++ /dev/null
@@ -1,4 +0,0 @@
-location /.well-known/acme-challenge/ {
- root ${acme_webroot};
- default_type text/plain;
-}
diff --git a/files/usr/local/etc/nginx/nginx.conf-acme b/files/usr/local/etc/nginx/nginx.conf-acme
deleted file mode 100644
index d77c0de..0000000
--- a/files/usr/local/etc/nginx/nginx.conf-acme
+++ /dev/null
@@ -1,55 +0,0 @@
-worker_processes ${nginx_worker_processes};
-worker_rlimit_nofile ${nginx_nofile};
-
-events {
- worker_connections ${nginx_worker_connections};
-}
-
-http {
- include mime.types;
- default_type application/octet-stream;
- index index.html;
-
- aio threads;
- aio_write on;
- sendfile on;
- directio 4m;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- server_tokens off;
- client_max_body_size 5m;
- charset utf-8;
- gzip on;
- gzip_http_version 1.0;
- gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json image/svg+xml;
-
- proxy_buffers 64 32k;
- proxy_busy_buffers_size 64k;
- fastcgi_buffers 64 32k;
-
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
- ssl_protocols TLSv1.3;
- ssl_prefer_server_ciphers off;
-
- map \$http_upgrade \$connection_upgrade {
- default upgrade;
- '' keep-alive;
- }
-
- server {
- listen 0.0.0.0:80 default_server;
- listen [::]:80 default_server;
-
- include acme.conf;
-
- location / {
- return 301 https://\$host\$request_uri;
- }
- }
-
- include vhost*.conf;
-}
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
index b0a9a06..9ab993c 100644
--- a/files/usr/local/etc/nginx/nginx.conf.common
+++ b/files/usr/local/etc/nginx/nginx.conf.common
@@ -1,5 +1,6 @@
 worker_processes ${nginx_worker_processes};
 worker_rlimit_nofile ${nginx_nofile};
+$([ "${nginx_gssapi:-}" = true ] && echo 'load_module "/usr/local/libexec/nginx/ngx_http_auth_spnego_module.so";')
 events {
 worker_connections ${nginx_worker_connections};
@@ -40,5 +41,28 @@ http {
 '' keep-alive;
 }
- include vhosts.conf;
+$([ "${nginx_gssapi:-}" = true ] && cat <<EOF
+ auth_gss_realm ${realm};
+ auth_gss_force_realm on;
+EOF
+)
+
+$([ "${nginx_acme:-}" = true ] && cat <<EOF
+ server {
+ listen 0.0.0.0:80 default_server;
+ listen [::]:80 default_server;
+
+ location /.well-known/acme-challenge/ {
+ root ${acme_webroot};
+ default_type text/plain;
+ }
+
+ location / {
+ return 301 https://\$host\$request_uri;
+ }
+ }
+EOF
+)
+
+ include vhosts.conf;
 }
diff --git a/files/usr/local/etc/nginx/nginx.conf.smtp_server b/files/usr/local/etc/nginx/nginx.conf.smtp_server
deleted file mode 120000
index 53de10f..0000000
--- a/files/usr/local/etc/nginx/nginx.conf.smtp_server
+++ /dev/null
@@ -1 +0,0 @@
-nginx.conf-acme
\ No newline at end of file
diff --git a/files/usr/local/etc/nginx/vhosts.conf.smtp_server b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
index 71d6db8..4b84ede 100644
--- a/files/usr/local/etc/nginx/vhosts.conf.smtp_server
+++ b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
@@ -9,14 +9,19 @@ server {
 add_header Strict-Transport-Security "max-age=63072000" always;
+$(if [ -n "$rspamd_admin_users" ]; then
+echo ' auth_gss on;'
+echo " auth_gss_keytab ${nginx_keytab};"
+printf ' auth_gss_authorized_principal %s;\n' $rspamd_admin_users
+fi)
+
 location / {
 proxy_http_version 1.1;
- proxy_set_header Host \$host;
- proxy_set_header X-Real-IP \$remote_addr;
- proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto \$scheme;
-
+$(if [ -z "$rspamd_admin_users" ]; then
+echo ' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'
+fi)
 proxy_pass http://127.0.0.1:${rspamd_port}/;
 }
 }
diff --git a/files/usr/local/etc/postfix/main.cf.smtp_server b/files/usr/local/etc/postfix/main.cf.smtp_server
index c1e40a4..802568f 100644
--- a/files/usr/local/etc/postfix/main.cf.smtp_server
+++ b/files/usr/local/etc/postfix/main.cf.smtp_server
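Review bot: The `auth_gss on;` / `auth_gss_keytab` lines enable SPNEGO on the rspamd UI but leave the module's Basic-auth fallback at its default, which in ngx_http_auth_spnego is (as far as I recall) on, so a client that cannot negotiate gets a Basic prompt and the password is presumably checked against the KDC using the keytab; if ticket-only access is intended, add `auth_gss_allow_basic_fallback off;` beside the keytab line. The two `if` tests expand `$rspamd_admin_users` bare while nginx.conf.common in this same commit guards with `${nginx_gssapi:-}`, so a template rendered under `set -u` with the variable unset aborts here; `[ -n "${rspamd_admin_users:-}" ]` and `[ -z "${rspamd_admin_users:-}" ]` keep the templates consistent. Dropping `X-Forwarded-For` only in the authenticated branch presumably makes rspamd see the request as originating from 127.0.0.1 and treat it as trusted, which makes nginx's `auth_gss` the sole gate on the controller — worth a one-line comment above the substitution saying so, since the unauthenticated branch instead relies on rspamd's own controller password. The enclosing `server { … }` block starts before this hunk.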
@@ -56,24 +56,23 @@ smtpd_tls_chain_files = ${postfix_local_tls_key}, ${postfix_local_tls_cert}
 EOF
-)
+fi)
 smtpd_tls_security_level = may
 smtpd_tls_auth_only = yes
 smtpd_tls_mandatory_protocols = >=TLSv1.2
 smtpd_tls_mandatory_ciphers = medium
-smtpd_tls_dh1024_param_file = ${postfix_dhparams}
 smtpd_tls_loglevel = 1
 smtpd_sasl_security_options = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 smtpd_helo_required = yes
-smtp_tls_CApath = ${system_ca_dir}
+smtp_tls_CApath = ${system_cacert_path}
 smtp_tls_security_level = may
 smtp_tls_session_cache_database = btree:\$data_directory/smtp_scache
 smtp_tls_loglevel = 1
-lmtp_tls_CApath = ${system_ca_dir}
+lmtp_tls_CApath = ${system_cacert_path}
 lmtp_tls_security_level = encrypt
 lmtp_tls_wrappermode = yes
 lmtp_tls_session_cache_database = btree:\$data_directory/lmtp_scache
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
index b0ae948..6dbbafc 100644
--- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -10,8 +10,9 @@ OPTIONS_SET=GSSAPI GSSAPI_MIT MIT NONFREE LIBEDIT
 # Per-port options
 databases_akonadi_SET=MYSQL
 databases_luadbi_SET=PGSQL
-databases_postgresql15-client_SET=PAM
-databases_postgresql15-server_SET=PAM
+databases_postgresql${postgresql_version}-client_SET=PAM
+databases_postgresql${postgresql_version}-server_SET=PAM
+devel_apr1_SET=LDAP
 devel_gitolite_SET=GITUSER
 devel_kio-extras_UNSET=AFC
 devel_librelp_UNSET=GNUTLS
@@ -73,6 +74,7 @@ sysutils_htop_SET=LSOF
 sysutils_k3b_UNSET=EMOVIX VCDIMAGER
 sysutils_rsyslog8_SET=GSSAPI RELP OPENSSL
 sysutils_rsyslog8_UNSET=GCRYPT
+www_apache${apache_version}_SET=AUTHNZ_LDAP LDAP SUEXEC SUEXEC_SYSLOG
 www_chromium_SET=WIDEVINE
 www_firefox_UNSET=PROFILE JACK
 www_nginx_SET=HTTPV3 HTTPV3_QTLS HTTP_AUTH_KRB5 HTTP_AUTH_LDAP
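Review bot: `smtp_tls_CApath` and `lmtp_tls_CApath` are now pointed at `${system_cacert_path}`, but neither client verifies anything at the security levels set here: `smtp_tls_security_level = may` is opportunistic and `lmtp_tls_security_level = encrypt` only demands encryption, so the CA path has no effect on either. If the LMTP peer is not on loopback, `lmtp_tls_security_level = secure` (with `lmtp_tls_secure_cert_match` adjusted if the cert name differs from the nexthop) is what the CApath is for; for outbound SMTP, `smtp_tls_security_level = dane` would add authentication wherever the MX publishes TLSA records, provided Postfix uses a DNSSEC-validating resolver (`smtp_dns_support_level = dnssec`). Removing `smtpd_tls_dh1024_param_file` is fine on Postfix ≥ 3.7 with OpenSSL 3, where built-in FFDHE groups are used, but on older builds the compiled-in group takes over silently, so a comment stating the assumed minimum Postfix version would help the next reader. The shell substitution closed by `+fi)` opens before this hunk.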
diff --git a/files/usr/local/etc/poudriere.d/patches/postgresql16-gssapi.patch.pkg_repository b/files/usr/local/etc/poudriere.d/patches/postgresql16-gssapi.patch.pkg_repository
new file mode 100644
index 0000000..0cf4e61
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/patches/postgresql16-gssapi.patch.pkg_repository
@@ -0,0 +1,73 @@
+--- databases/postgresql16-server/Makefile 2024-10-03 10:26:11.600924000 -0400
++++ databases/postgresql16-server/Makefile 2024-10-03 10:46:16.602335000 -0400
+@@ -119,12 +119,15 @@
+ 
+ .if !defined(SLAVE_ONLY)
+ OPTIONS_DEFINE+= NLS PAM GSSAPI OPTIMIZED_CFLAGS DEBUG DOCS
+-KRB5_DESC= Build with kerberos provider support
++OPTIONS_SINGLE+= GSSAPI
++OPTIONS_SINGLE_GSSAPI= GSSAPI_NONE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
++OPTIONS_DEFAULT+= GSSAPI_NONE
++GSSAPI_NONE_DESC= Build without GSSAPI support
++GSSAPI_BASE_DESC= Use GSSAPI from base
++GSSAPI_HEIMDAL_DESC= Use Heimdal GSSAPI from security/heimdal
++GSSAPI_MIT_DESC= Use MIT GSSAPI from security/krb5
+ NLS_DESC= Use internationalized messages
+ PAM_DESC= Build with PAM Support
+-MIT_KRB5_DESC= Build with MIT kerberos support
+-HEIMDAL_KRB5_DESC= Builds with Heimdal kerberos
+-GSSAPI_DESC= Build with GSSAPI support
+ OPTIMIZED_CFLAGS_DESC= Builds with compiler optimizations (-O3)
+ 
+ OPTIONS_DEFINE+= SSL
+@@ -132,7 +135,12 @@
+ 
+ OPTIONS_DEFAULT+= SSL
+ 
+-GSSAPI_CONFIGURE_WITH= gssapi
++GSSAPI_BASE_USES= gssapi:base
++GSSAPI_MIT_USES= gssapi:mit
++GSSAPI_HEIMDAL_USES= gssapi:heimdal,flags
++GSSAPI_BASE_CONFIGURE_ON= --with-gssapi
++GSSAPI_MIT_CONFIGURE_ON= --with-gssapi
++GSSAPI_HEIMDAL_CONFIGURE_ON= --with-gssapi
+ .endif # !SLAVE_ONLY
+ 
+ SSL_USES= ssl
+@@ -175,36 +183,7 @@
+ .endif
+ 
+ .if !defined(SLAVE_ONLY)
+-
+ PATCH_DIST_STRIP=-p1
+-
+-.if ${PORT_OPTIONS:MGSSAPI}
+-.if empty(PORT_OPTIONS:MMIT_KRB5) && empty(PORT_OPTIONS:MHEIMDAL_KRB5)
+-# Kerberos libraries will pull the proper GSSAPI library
+-# via linker dependencies, but otherwise we must specify
+-# it explicitely: ld --as-needed is used for compilation,
+-# so configure's -lgssapi_krb5 won't go.
+-LDFLAGS+= -lgssapi
+-LDFLAGS_SL+= -lgssapi
+-.endif
+-.endif
+-
+-. if ${PORT_OPTIONS:MMIT_KRB5}
+-. 
if defined(IGNORE_WITH_SRC_KRB5) && (exists(/usr/lib/libkrb5.so) || exists(/usr/bin/krb5-config))
+-IGNORE= requires that you remove heimdal\'s /usr/bin/krb5-config and /usr/lib/libkrb5.so*, and set NO_KERBEROS=true in /etc/src.conf to build successfully with MIT-KRB
+-. else
+-CONFIGURE_ARGS+=--with-krb5
+-# Allow defining a home built MIT Kerberos by setting KRB5_HOME
+-. if defined(KRB5_HOME) && exists(${KRB5_HOME}/lib/libgssapi_krb5.a) && exists(${KRB5_HOME}/bin/krb5-config)
+-LIB_DEPENDS+= libkrb5.so.3:security/krb5
+-. endif
+-. endif
+-. endif
+-
+-. if ${PORT_OPTIONS:MHEIMDAL_KRB5}
+-CONFIGURE_ARGS+=--with-krb5
+-. endif
+-
+ .endif # !SLAVE_ONLY
+ 
+ # For testing files in FILESDIR
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index 4a54ec5..5e95f8c 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -1,13 +1,21 @@
+converters/php${php_version}-iconv
+databases/php${php_version}-pdo_pgsql
+databases/php${php_version}-pgsql
+databases/postgresql${postgresql_version}-client
+databases/postgresql${postgresql_version}-server
 databases/redis
 devel/ccache
 devel/git@lite
+devel/php${php_version}-gettext
 dns/bind-tools
 dns/nsd
 dns/powerdns
 dns/unbound
 editors/vim@console
 editors/vim@tiny
+ftp/php${php_version}-curl
 lang/python
+lang/php${php_version}
 mail/dovecot
 mail/dovecot-pigeonhole
 mail/isync
@@ -15,10 +23,12 @@ mail/mutt
 mail/postfix
 mail/rspamd
 mail/sieve-connect
+misc/php${php_version}-calendar
 net/nss-pam-ldapd-sasl
 net/openldap26-client
 net/openldap26-server
 net/p5-perl-ldap
+net/php${php_version}-ldap
 net/py-python-ldap
 net/rsync
 ports-mgmt/poudriere
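Review bot: The new patch hardcodes `databases/postgresql16-server/Makefile` in both its `---`/`+++` headers (and in its own filename) while make.conf and pkglist in this same commit select the port through `${postgresql_version}`, so bumping that variable either makes the cron job's `patch` step fail to find the file (aborting the whole run under `set -e`) or silently leaves the port actually being built unpatched. Either template the path with the same variable or keep the version in the patch name and have the cron loop apply only the one matching `${postgresql_version}`. A short header comment recording the ports-tree revision the patch was taken from would also help, since it rewrites the whole GSSAPI option block and will need re-basing whenever the port's Makefile changes. The embedded patch's last hunk ends at this line.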
@@ -39,4 +49,10 @@ sysutils/pwgen
 sysutils/stow
 sysutils/tmux
 sysutils/tree
+textproc/php${php_version}-xml
+www/apache${apache_version}
+www/mod_auth_gssapi
+www/mod_php${php_version}
 www/nginx
+www/php${php_version}-opcache
+www/php${php_version}-session
diff --git a/files/usr/local/lib/sasl2/smtpd.conf.smtp_server b/files/usr/local/lib/sasl2/smtpd.conf.smtp_server
new file mode 100644
index 0000000..b07b16d
--- /dev/null
+++ b/files/usr/local/lib/sasl2/smtpd.conf.smtp_server
@@ -0,0 +1,3 @@
+mech_list: gssapi plain login
+pwcheck_method: saslauthd
+saslauthd_path: ${saslauthd_runtime_dir}/mux
diff --git a/files/usr/local/libexec/poudriere-cron.pkg_repository b/files/usr/local/libexec/poudriere-cron.pkg_repository
index 0d713a9..b79535b 100644
--- a/files/usr/local/libexec/poudriere-cron.pkg_repository
+++ b/files/usr/local/libexec/poudriere-cron.pkg_repository
@@ -5,8 +5,15 @@ set -eu -o pipefail
 ports_tree=latest
 # update ports tree
+git -C /usr/local/poudriere/ports/latest restore :/
+git -C /usr/local/poudriere/ports/latest clean -f
 poudriere ports -u -p "$ports_tree" > /dev/null
+for patch in /usr/local/etc/poudriere.d/patches/*.patch; do
+ [ -f "$patch" ] || continue
+ patch -s -d /usr/local/poudriere/ports/latest -u < "$patch"
+done
+
 for jail in "$@"; do
 poudriere jail -u -j "$jail" > /dev/null
 poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist-idm -p "$ports_tree" -z idm > /dev/null |
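Review bot: The patch loop invokes `patch` without a `-p` level, so how `databases/postgresql16-server/Makefile` in the shipped patch is resolved depends on the implementation's default strip rule (POSIX specifies basename-only, and FreeBSD's patch is its own implementation); since the patch headers are unprefixed paths relative to the ports tree, make it explicit with `patch -s -p0 -d /usr/local/poudriere/ports/latest -u < "$patch"`. Applying with `-s` under `set -e` means a patch that no longer applies aborts the run before any jail is built, which is the right fail-closed behaviour but is worth stating in the `# update ports tree` comment so nobody "fixes" it with `|| true`. The `*.patch` glob only matches if provisioning strips the `.pkg_repository` suffix seen on the new patch file in this commit; if that is the convention, a one-line comment on the loop saying so would save the next reader a check. The `for jail` loop continues past the end of this hunk.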