authorCullum Smith <cullum@sacredheartsc.com>2024-07-17 06:45:00 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-07-17 06:46:22 -0400
commitf036b9c0da685d11e341d61e5aaeb75cac576111 (patch)
tree22b08ae6bb7e83d529fe49fe99ea8da87a8d25a4 /files
parent89cdd1c872694797a8f6f0185be2b2cd3467bfcc (diff)
add pkg_repository hostclass
Diffstat (limited to 'files')
-rw-r--r--files/etc/ssh/ssh_config.freebsd9
-rw-r--r--files/etc/ssh/sshd_config.freebsd16
-rw-r--r--files/usr/local/etc/jailctl.conf.freebsd_hypervisor2
-rw-r--r--files/usr/local/etc/nginx/nginx.conf.common44
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.pkg_repository47
-rw-r--r--files/usr/local/etc/pkg/repos/FreeBSD.conf.common1
-rw-r--r--files/usr/local/etc/pkg/repos/onprem.conf.pkg_repository5
-rw-r--r--files/usr/local/etc/poudriere.conf.pkg_repository16
-rw-r--r--files/usr/local/etc/poudriere.d/make.conf.pkg_repository83
-rw-r--r--files/usr/local/etc/poudriere.d/pkglist.pkg_repository33
-rw-r--r--files/usr/local/etc/ssl/repo.crt.readme3
-rw-r--r--files/usr/local/etc/ssl/repo.key.readme4
-rw-r--r--files/usr/local/libexec/poudriere-cron.pkg_repository16
-rw-r--r--files/usr/local/poudriere/ccache/ccache.conf.pkg_repository1
-rw-r--r--files/usr/local/sbin/jailctl.freebsd_hypervisor4
15 files changed, 281 insertions, 3 deletions
diff --git a/files/etc/ssh/ssh_config.freebsd b/files/etc/ssh/ssh_config.freebsd
new file mode 100644
index 0000000..9be624a
--- /dev/null
+++ b/files/etc/ssh/ssh_config.freebsd
@@ -0,0 +1,9 @@
+CanonicalizeHostname always
+CanonicalizeMaxDots 0
+CanonicalDomains ${domain}
+CanonicalizePermittedCNAMEs *.${domain}:*.${domain}
+KnownHostsCommand /usr/local/libexec/idm-ssh-known-hosts %H
+
+Host *.${domain}
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials yes
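Review bot: `GSSAPIDelegateCredentials yes` under `Host *.${domain}` forwards the user's Kerberos TGT to every host matching the domain, so a compromised host in that set holds a usable copy of the user's credentials for the ticket lifetime. If only a few hosts need delegated credentials, narrow the `Host` pattern for that one option, or add a comment recording that domain-wide delegation is a deliberate trust decision. It is also worth a one-line comment that `CanonicalizeHostname always` plus `CanonicalizePermittedCNAMEs *.${domain}:*.${domain}` is what makes short hostnames fall into the `Host *.${domain}` stanza at all.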
diff --git a/files/etc/ssh/sshd_config.freebsd b/files/etc/ssh/sshd_config.freebsd
new file mode 100644
index 0000000..c933741
--- /dev/null
+++ b/files/etc/ssh/sshd_config.freebsd
@@ -0,0 +1,16 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+PermitRootLogin prohibit-password
+AuthorizedKeysFile .ssh/authorized_keys
+AuthorizedKeysCommand /usr/local/libexec/idm-ssh-authorized-keys %u
+AuthorizedKeysCommandUser ${ssh_authzkeys_user}
+
+KbdInteractiveAuthentication no
+PasswordAuthentication yes
+
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+UsePAM yes
+UseDNS no
+
+Subsystem sftp /usr/libexec/sftp-server
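Review bot: The `Include /etc/ssh/sshd_config.d/*.conf` on the first line lets any drop-in file override every setting that follows it, because sshd keeps the first value it reads for a keyword; a comment such as `# Drop-ins take precedence: sshd uses the first value seen for each keyword` would prevent a surprising override later. `PasswordAuthentication yes` keeps password logins open for non-root users even though keys (`AuthorizedKeysCommand`) and GSSAPI are provisioned here; if passwords are only needed for PAM/Kerberos bootstrapping, say so in a comment next to it, otherwise consider `PasswordAuthentication no` so the only remote password path is Kerberos.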
diff --git a/files/usr/local/etc/jailctl.conf.freebsd_hypervisor b/files/usr/local/etc/jailctl.conf.freebsd_hypervisor
index a3a37dc..0b51308 100644
--- a/files/usr/local/etc/jailctl.conf.freebsd_hypervisor
+++ b/files/usr/local/etc/jailctl.conf.freebsd_hypervisor
@@ -5,7 +5,7 @@ JAIL_DATASET='${hypervisor_jail_dataset}'
TRUNK_INTERFACE='${hypervisor_trunk_interface}'
DEFAULT_DOMAIN='${domain}'
-DEFAULT_NAMESERVERS='${resolvers:-1.1.1.1}'
+DEFAULT_NAMESERVERS='1.1.1.1'
DEFAULT_VLAN='${hypervisor_default_vlan}'
DEFAULT_NETMASK='$(prefix2netmask "$hypervisor_default_prefix")'
DEFAULT_OS_QUOTA='${hypervisor_default_os_quota}'
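Review bot: `DEFAULT_NAMESERVERS='1.1.1.1'` now hard-codes a public resolver for every new jail and drops the `resolvers` template variable, so freshly created jails resolve through an external service and bypass whatever internal DNS the site runs (this commit also ships `dns/unbound`, `dns/nsd` and domain canonicalization in ssh_config, which suggests internal names exist). If jails are expected to be re-pointed at internal resolvers after creation, a comment above the line saying so would help; otherwise re-exposing the variable, e.g. `DEFAULT_NAMESERVERS='${resolvers}'`, avoids leaking internal hostnames in lookups to an outside resolver.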
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
new file mode 100644
index 0000000..b0a9a06
--- /dev/null
+++ b/files/usr/local/etc/nginx/nginx.conf.common
@@ -0,0 +1,44 @@
+worker_processes ${nginx_worker_processes};
+worker_rlimit_nofile ${nginx_nofile};
+
+events {
+ worker_connections ${nginx_worker_connections};
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ index index.html;
+
+ aio threads;
+ aio_write on;
+ sendfile on;
+ directio 4m;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+ client_max_body_size 5m;
+ charset utf-8;
+ gzip on;
+ gzip_http_version 1.0;
+ gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json image/svg+xml;
+
+ proxy_buffers 64 32k;
+ proxy_busy_buffers_size 64k;
+ fastcgi_buffers 64 32k;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+
+ map \$http_upgrade \$connection_upgrade {
+ default upgrade;
+ '' keep-alive;
+ }
+
+ include vhosts.conf;
+}
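Review bot: The `\$http_upgrade` / `\$connection_upgrade` escapes in the `map` block are the only hint that this file is passed through `${var}` substitution before deployment, and the next maintainer who adds an nginx variable is likely to forget the backslash. A header comment such as `# Rendered by the templating step: write nginx variables as \$name so they survive ${...} expansion` would make the convention explicit. The `ssl_*` directives are unused by the only vhost in this commit (it listens on port 80 only); presumably other hostclasses' vhosts.conf will rely on them, which a short comment could state.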
diff --git a/files/usr/local/etc/nginx/vhosts.conf.pkg_repository b/files/usr/local/etc/nginx/vhosts.conf.pkg_repository
new file mode 100644
index 0000000..8177626
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.pkg_repository
@@ -0,0 +1,47 @@
+server {
+ listen 0.0.0.0:80 default_server;
+ listen [::]:80 default_server;
+ server_name ${fqdn};
+ root ${poudriere_data_dir}/data/packages;
+
+ include mime.types;
+ types {
+ text/plain log;
+ }
+
+ location /poudriere/ {
+ alias /usr/local/share/poudriere/html/;
+
+ # Allow caching static resources
+ location ~* ^.+\.(jpg|jpeg|gif|png|ico|svg|woff|css|js|html)$ {
+ add_header Cache-Control "public";
+ expires 2d;
+ }
+
+ location /poudriere/data {
+ alias ${poudriere_data_dir}/data/logs/bulk;
+
+ # Allow caching dynamic files but ensure they get rechecked
+ location ~* ^.+\.(log|txz|tbz|bz2|gz)$ {
+ add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+ }
+
+ # Don't log json requests as they come in frequently and ensure
+ # caching works as expected
+ location ~* ^.+\.(json)$ {
+ add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+ access_log off;
+ log_not_found off;
+ }
+
+ # Allow indexing only in log dirs
+ location ~ /poudriere/data/?.*/(logs|latest-per-pkg)/ {
+ autoindex on;
+ }
+ }
+ }
+
+ location / {
+ autoindex on;
+ }
+}
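Review bot: The comment `# Allow indexing only in log dirs` above the regex location is contradicted by `location / { autoindex on; }` at the bottom, which lists the entire package tree under `root ${poudriere_data_dir}/data/packages`. Listing the package tree is what a pkg mirror needs, so the behaviour looks intentional, but the comment should be scoped, e.g. `# Within the poudriere log tree, list only the build log dirs` on the regex location and `# Package tree is listed for pkg clients and browsers` on the root location. Everything under `data/packages` is browsable over plain HTTP here, so that directory should hold only published packages.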
diff --git a/files/usr/local/etc/pkg/repos/FreeBSD.conf.common b/files/usr/local/etc/pkg/repos/FreeBSD.conf.common
new file mode 100644
index 0000000..22521b5
--- /dev/null
+++ b/files/usr/local/etc/pkg/repos/FreeBSD.conf.common
@@ -0,0 +1 @@
+FreeBSD: { enabled: no }
diff --git a/files/usr/local/etc/pkg/repos/onprem.conf.pkg_repository b/files/usr/local/etc/pkg/repos/onprem.conf.pkg_repository
new file mode 100644
index 0000000..ec75151
--- /dev/null
+++ b/files/usr/local/etc/pkg/repos/onprem.conf.pkg_repository
@@ -0,0 +1,5 @@
+${site}: {
+ enabled: yes,
+ url: "file://${poudriere_data_dir}/data/packages/\${ABI}/latest",
+ signature_type: "none",
+}
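Review bot: `signature_type: "none"` disables signature verification for this repo even though `poudriere.conf` in the same commit sets `PKG_REPO_SIGNING_KEY`, so the build host never checks what it installs from its own output. That is defensible for a `file://` URL on the host that produced the packages, and the `.pkg_repository` suffix keeps this file off other hosts, but a comment such as `# Local file:// repo on the build host only; clients fetching over HTTP must use signature_type: "pubkey" with repo.crt` records why `none` is acceptable here and not elsewhere. A second comment noting that `\${ABI}` is escaped so pkg, not the templater, expands it would also help.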
diff --git a/files/usr/local/etc/poudriere.conf.pkg_repository b/files/usr/local/etc/poudriere.conf.pkg_repository
new file mode 100644
index 0000000..bc9ca75
--- /dev/null
+++ b/files/usr/local/etc/poudriere.conf.pkg_repository
@@ -0,0 +1,16 @@
+ZPOOL=${poudriere_dataset%%/*}
+ZROOTFS=/${poudriere_dataset#*/}/poudriere
+FREEBSD_HOST=https://download.freebsd.org
+RESOLV_CONF=/etc/resolv.conf
+BASEFS=${poudriere_data_dir}
+POUDRIERE_DATA=\${BASEFS}/data
+PARALLEL_JOBS=${poudriere_jobs}
+USE_PORTLINT=no
+USE_TMPFS=yes
+DISTFILES_CACHE=/usr/ports/distfiles
+PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/repo.key
+URL_BASE=http://${fqdn}/poudriere/
+ALLOW_MAKE_JOBS_PACKAGES='${poudriere_allow_make_jobs_packages:-}'
+PRIORITY_BOOST='${poudriere_priority_boost:-}'
+CCACHE_DIR=\${BASEFS}/ccache
+CCACHE_DIR_NON_ROOT_SAFE=yes
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
new file mode 100644
index 0000000..8348621
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -0,0 +1,83 @@
+CFLAGS=-O2 -pipe
+DISABLE_LICENSES=yes
+DEFAULT_VERSIONS+=${poudriere_default_versions:-}
+MAKE_JOBS_NUMBER=${poudriere_make_jobs_number}
+
+# Global port options
+OPTIONS_UNSET=TEST DEBUG GSSAPI_HEIMDAL GSSAPI_BASE GSSAPI_NONE HEIMDAL NLS DOCS AVAHI LIBWRAP MYSQL MSQLND ODBC READLINE PULSEAUDIO UPNP BASH ZSH INFO ALSA SAMBA WAYLAND PLATFORM_WAYLAND PIPEWIRE
+OPTIONS_SET=GSSAPI GSSAPI_MIT NONFREE LIBEDIT
+
+# Per-port options
+databases_akonadi_SET=MYSQL
+databases_luadbi_SET=PGSQL
+databases_postgresql15-client_SET=PAM
+databases_postgresql15-server_SET=PAM
+devel_gitolite_SET=GITUSER
+devel_kio-extras_UNSET=AFC
+devel_librelp_UNSET=GNUTLS
+devel_libudev_devd_SET=GPL
+devel_py-hypothesis_UNSET=CLI CODEMODS DATEUTIL DJANGO DPCONTRACTS GHOSTWRITER LARK NUMPY PANDAS PYTEST PYTZ REDIS
+devel_qca_SET=SASL
+dns_powerdns_SET=OPENLDAP
+dns_powerdns_UNSET=PGSQL SQLITE3
+dns_unbound_SET=TFOCL TFOSE
+dns_unbound_UNSET=DOH
+editors_libreoffice_SET=KF5 PDFIUM
+editors_vim_SET=CTAGS_EXUBERANT XTERM_SAVE
+editors_vim_UNSET=CTAGS_BASE
+finance_gnucash_UNSET=AQBANKING
+graphics_vips_UNSET=MATIO
+irc_znc_SET=CYRUS
+lang_lua53_SET=LIBEDIT_DL
+lang_lua53_UNSET=LIBEDIT
+lang_lua54_SET=LIBEDIT_DL
+lang_lua54_UNSET=LIBEDIT
+mail_dovecot-pigeonhole_SET=LDAP
+mail_dovecot_SET=SOLR LDAP
+mail_mutt_UNSET=HTML
+mail_postfix_SET=LDAP SASL SASLKRB5
+mail_rspamd_SET=HYPERSCAN
+misc_kdeutils_UNSET=KFLOPPY KTEATIME
+multimedia_ffmpeg_SET=OPENSSL
+multimedia_ffmpeg_UNSET=GNUTLS
+multimedia_kdemultimedia_UNSET=KDENLIVE
+multimedia_qt6-multimedia_SET=ALSA
+multimedia_vlc_SET=FLAC MPEG2 X264 X265 VPX DCA FAAD AOM
+net-im_dino_UNSET=RTP
+net-im_py-matrix-synapse_SET=PGSQL URLPREVIEW LDAP
+net_asterisk18_SET=NEWG711 G729 NCURSES
+net_asterisk18_UNSET=DAHDI FREETDS RADIUS NEWT
+net_freeradius3_SET=LDAP MITKRB_PORT
+net_freerdp_SET=OPENH264
+net_kdenetwork_UNSET=FILESHARING KOPETE KRFB
+net_openldap26-server_SET=DEBUG
+net_openldap26-server_UNSET=SMBPWD
+print_cups-filters_UNSET=COLORD
+print_freetype2_SET=LCD_FILTERING
+print_freetype2_UNSET=LCD_RENDERING
+security_cyrus-sasl2-saslauthd_UNSET=BDB1
+security_heimdal-devel_SET=LDAP
+security_heimdal-devel_UNSET=BDB
+security_heimdal_SET=LDAP
+security_heimdal_UNSET=BDB
+security_kf5-kdesu_SET=SUDO
+security_kf5-kdesu_UNSET=SU
+security_krb5_SET=DNS_FOR_REALM
+security_krb5_UNSET=KRB5_HTML KRB5_PDF
+security_pinentry-qt5_SET=LIBSECRET
+security_sudo_SET=LDAP
+security_sudo_UNSET=GSSAPI_MIT
+security_vaultwarden_SET=PGSQL
+shells_bash_UNSET=PORTS_READLINE
+sysutils_htop_SET=LSOF
+sysutils_k3b_UNSET=EMOVIX VCDIMAGER
+sysutils_rsyslog8_SET=GSSAPI RELP OPENSSL
+sysutils_rsyslog8_UNSET=GCRYPT
+www_chromium_SET=WIDEVINE
+www_firefox_UNSET=PROFILE JACK
+www_nginx_SET=HTTPV3 HTTPV3_QTLS HTTP_AUTH_KRB5 HTTP_AUTH_LDAP
+www_nginx_UNSET=MAIL
+www_qt5-webengine_SET=ALSA
+x11-toolkits_gtk30_UNSET=COLORD BROADWAY
+x11_kde5_UNSET=KDEADMIN KDEEDU KDEGAMES
+x11_libinput_UNSET=LIBWACOM
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
new file mode 100644
index 0000000..80fc5e5
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -0,0 +1,33 @@
+devel/ccache
+devel/git@lite
+dns/bind-tools
+dns/nsd
+dns/powerdns
+dns/unbound
+editors/vim@console
+editors/vim@tiny
+lang/python
+net/nss-pam-ldapd-sasl
+net/openldap26-client
+net/openldap26-server
+net/p5-perl-ldap
+net/py-python-ldap
+net/rsync
+ports-mgmt/poudriere
+security/acme.sh
+security/cyrus-sasl2-saslauthd
+security/kstart
+security/krb5@default
+security/krb5@ldap
+security/pam_krb5@mit
+security/pam_mkhomedir
+security/sshpass
+security/sudo
+sysutils/htop
+sysutils/lsof
+sysutils/p5-Sys-Syslog
+sysutils/pwgen
+sysutils/stow
+sysutils/tmux
+sysutils/tree
+www/nginx
diff --git a/files/usr/local/etc/ssl/repo.crt.readme b/files/usr/local/etc/ssl/repo.crt.readme
new file mode 100644
index 0000000..1c1ad53
--- /dev/null
+++ b/files/usr/local/etc/ssl/repo.crt.readme
@@ -0,0 +1,3 @@
+Generate this file using:
+
+ openssl rsa -in site/files/usr/local/etc/ssl/repo.key.pkg_repository -pubout -out site/files/usr/local/etc/ssl/repo.crt.freebsd
diff --git a/files/usr/local/etc/ssl/repo.key.readme b/files/usr/local/etc/ssl/repo.key.readme
new file mode 100644
index 0000000..3b14bc6
--- /dev/null
+++ b/files/usr/local/etc/ssl/repo.key.readme
@@ -0,0 +1,4 @@
+Generate this file using:
+
+ openssl genrsa -out site/files/usr/local/etc/ssl/repo.key.pkg_repository 4096
+ ./vault encrypt site/files/usr/local/etc/ssl/repo.key.pkg_repository
diff --git a/files/usr/local/libexec/poudriere-cron.pkg_repository b/files/usr/local/libexec/poudriere-cron.pkg_repository
new file mode 100644
index 0000000..f0291ec
--- /dev/null
+++ b/files/usr/local/libexec/poudriere-cron.pkg_repository
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -eu -o pipefail
+
+ports_tree=latest
+
+# update ports tree
+poudriere ports -u -p "$ports_tree" > /dev/null
+
+for jail in "$@"; do
+ poudriere jail -u -j "$jail" > /dev/null
+ poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" > /dev/null
+done
+
+poudriere distclean -p "$ports_tree" -a -y > /dev/null
+poudriere logclean -N 5 -p "$ports_tree" -y > /dev/null
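Review bot: With `set -e`, a non-zero exit from `poudriere bulk` — which, as far as I recall, happens whenever any port in the list fails to build — aborts the loop, so later jails are not built and `distclean`/`logclean` never run. If one failed port should not stop the other jails, record the status instead of exiting: initialise `rc=0` before the loop, write `poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" > /dev/null || rc=$?`, and finish with `exit "$rc"` so cron still reports the failure. `-o pipefail` is only honoured by a `/bin/sh` recent enough to support it, so a comment naming the minimum FreeBSD release this script expects would help.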
diff --git a/files/usr/local/poudriere/ccache/ccache.conf.pkg_repository b/files/usr/local/poudriere/ccache/ccache.conf.pkg_repository
new file mode 100644
index 0000000..6c725c8
--- /dev/null
+++ b/files/usr/local/poudriere/ccache/ccache.conf.pkg_repository
@@ -0,0 +1 @@
+max_size = ${poudriere_ccache_size}
diff --git a/files/usr/local/sbin/jailctl.freebsd_hypervisor b/files/usr/local/sbin/jailctl.freebsd_hypervisor
index 03ed563..df48f57 100644
--- a/files/usr/local/sbin/jailctl.freebsd_hypervisor
+++ b/files/usr/local/sbin/jailctl.freebsd_hypervisor
@@ -1072,8 +1072,8 @@ template::download_release(){
template::release2name(){
# Convert a FreeBSD release version to a template name.
- # e.g. for "13.2-RELEASE", return "freebsd13".
- setvar "$1" "freebsd${2%.*}"
+ # e.g. for "13.2-RELEASE", return "freebsd13.2".
+ setvar "$1" "freebsd${2%-*}"
}
template::update_release(){
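Review bot: `${2%-*}` strips everything after the last `-`, so `13.2-RELEASE` and a hypothetical `13.2-STABLE` or `14.0-RC1` would collapse to the same template name (`freebsd13.2`, `freebsd14.0`); if only `-RELEASE` versions are expected, extend the comment in `template::release2name`, e.g. `# Only -RELEASE versions are expected; RC/STABLE suffixes map to the same name.` `template::update_release` begins on the hunk's last line and continues outside it.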