author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-31 21:36:39 -0400 |
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-31 21:36:39 -0400 |
commit | 2c9845db4bc00221bc3c2343a020208f7f532166 (patch) | |
tree | 843bc24a1bbf2cad33c4bdc8a17c3d0d838fceb4 /scripts/hostclass | |
parent | 7eb111136453d0e8d8451d7dd85ba9892318f294 (diff) | |
many fixes
Diffstat (limited to 'scripts/hostclass')
-rw-r--r-- | scripts/hostclass/asterisk_server | 7 | ||||
-rw-r--r-- | scripts/hostclass/bitwarden_server | 1 | ||||
-rw-r--r-- | scripts/hostclass/dav_server | 12 | ||||
-rw-r--r-- | scripts/hostclass/desktop | 17 | ||||
-rw-r--r-- | scripts/hostclass/idm_server/90-idm | 5 | ||||
-rw-r--r-- | scripts/hostclass/nfs_server/10-nfs | 1 | ||||
-rw-r--r-- | scripts/hostclass/pkg_repository | 10 | ||||
-rw-r--r-- | scripts/hostclass/public_webserver | 6 | ||||
-rw-r--r-- | scripts/hostclass/smtp_server/20-postfix | 5 | ||||
-rw-r--r-- | scripts/hostclass/unifi_controller | 4 | ||||
-rw-r--r-- | scripts/hostclass/xmpp_server | 28 |
11 files changed, 66 insertions, 30 deletions
diff --git a/scripts/hostclass/asterisk_server b/scripts/hostclass/asterisk_server
index dcd2675..30699d8 100644
--- a/scripts/hostclass/asterisk_server
+++ b/scripts/hostclass/asterisk_server
@@ -34,6 +34,8 @@ asterisk_public_tls_cert="${acme_cert_dir}/asterisk.crt" asterisk_public_tls_key="${acme_cert_dir}/asterisk.key" asterisk_conf_dir=/usr/local/etc/asterisk
+asterisk_sound_dir=/usr/local/share/asterisk/sounds/en
+asterisk_g722_tarball=https://downloads.asterisk.org/pub/telephony/sounds/asterisk-core-sounds-en-g722-current.tar.gz asterisk_db_dir=/var/db/asterisk asterisk_user=asterisk
@@ -50,6 +52,11 @@ zfs set \
 "${state_dataset}/asterisk" install_directory -o "$asterisk_user" -g "$asterisk_user" -m 0755 "$asterisk_db_dir"
+# Download G722 sounds.
+if ! [ -f "${asterisk_sound_dir}/hello-world.g722" ]; then
+ curl -fL "$asterisk_g722_tarball" | tar xf - -C "$asterisk_sound_dir"
+fi
+
 # Generate asterisk configuration. install_file -m 0644 \
 "${asterisk_conf_dir}/extensions.conf" \
diff --git a/scripts/hostclass/bitwarden_server b/scripts/hostclass/bitwarden_server
index ff67c3e..f300b0d 100644
--- a/scripts/hostclass/bitwarden_server
+++ b/scripts/hostclass/bitwarden_server
@@ -15,6 +15,7 @@ vaultwarden_client_keytab="${keytab_dir}/vaultwarden.client.keytab" pkg install -y \
 vaultwarden \
+ ca_root_nss \
 nginx # Create vaultwarden principal and keytab.
diff --git a/scripts/hostclass/dav_server b/scripts/hostclass/dav_server
index a69c072..e39b08c 100644
--- a/scripts/hostclass/dav_server
+++ b/scripts/hostclass/dav_server
@@ -9,6 +9,7 @@ : ${davical_branch:='master'} : ${davical_awl_repo:='https://gitlab.com/davical-project/awl.git'} : ${davical_awl_branch:='master'}
+: ${davical_admins:=''} davical_dn="uid=${davical_username},${robots_basedn}" davical_repo_dir=/usr/local/www/davical 
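Review bot: The archive fetched by `curl -fL "$asterisk_g722_tarball" | tar xf - -C "$asterisk_sound_dir"` is unpacked straight into a system directory with no integrity check, and the URL names a `-current` artifact, so the content changes whenever upstream republishes it; TLS protects the transport, not the upstream host or a stale mirror. Pin a specific release and compare a digest (kept next to `asterisk_g722_tarball` as `asterisk_g722_sha256`) before extracting. If this hostclass runs under `/bin/sh` without `pipefail`, a failed or truncated download only surfaces as a tar error, and a partial extraction that already produced `hello-world.g722` is skipped by the guard on the next run, so download to a temporary file first, as sketched below.
```shell
# Download G722 sounds (pinned release, verified before extraction).
if ! [ -f "${asterisk_sound_dir}/hello-world.g722" ]; then
  tmp=$(mktemp -t asterisk-sounds) || exit 1
  curl -fsSL -o "$tmp" "$asterisk_g722_tarball" || { rm -f "$tmp"; exit 1; }
  if [ "$(sha256 -q "$tmp")" != "$asterisk_g722_sha256" ]; then
    echo "asterisk sounds: checksum mismatch" >&2
    rm -f "$tmp"
    exit 1
  fi
  tar xf "$tmp" -C "$asterisk_sound_dir"
  rm -f "$tmp"
fi
```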
@@ -105,6 +106,17 @@ if ! davical_psql -c 'SELECT 1 FROM awl_db_revision'; then davical_psql -c "delete from usr where username = 'admin'" fi
+if [ -n "$davical_admins" ]; then
+ # Note: This won't work until each admin in $davical_admins has logged in
+ # at least once.
+ davical_psql -c \
+ "INSERT INTO role_member (user_no, role_no)
+ SELECT user_no, (SELECT role_no FROM roles WHERE role_name = 'Admin')
+ FROM usr
+ WHERE username in ('$(join "','" $davical_admins)')
+ ON CONFLICT DO NOTHING"
+fi
+
 # Copy TLS certificate for nginx. install_certificate nginx "$davical_https_cert" install_certificate_key nginx "$davical_https_key"
diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop
index bddce05..629ebc0 100644
--- a/scripts/hostclass/desktop
+++ b/scripts/hostclass/desktop
@@ -27,13 +27,14 @@ set_loader_conf \
 linux_load=YES \
 linux64_load=YES
+# Enable FUSE.
+set_loader_conf fusefs_load=YES
+
 # Install packages common to all DEs. pkg install -y $desktop_common_packages
-# Install scripts for creating local (non-NFS) home directories.
-install_file -m 0555 \
- /usr/local/libexec/pam-create-local-homedir \
- /etc/profile.d/local-homedir.sh
+# Install profile script for improving experience on NFS homedirs.
+install_file -m 0555 /etc/profile.d/local-homedir.sh # Create ZFS dataset for local homedirs. create_dataset -o mountpoint=/usr/local/home "${state_dataset}/home"
@@ -66,6 +67,9 @@ service webcamd status || service webcamd start install_file -m 0644 /usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop install_file -m 0555 /usr/local/libexec/nss-trust-root-ca
+# Install gajim desktop file.
+install_file -m 0644 /usr/local/share/applications/gajim.desktop
+
 case $desktop_type in i3) pkg install -y $desktop_i3_packages 
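Review bot: The admin list is spliced into the SQL text in `WHERE username in ('$(join "','" $davical_admins)')`, so a username containing a single quote breaks the statement or alters it; `davical_admins` is operator-supplied, but it is still simpler to let psql do the quoting. If `davical_psql` forwards its arguments to psql (it is defined outside this hunk), pass the list as a psql variable, `davical_psql -v admins="$davical_admins" -c "... WHERE username = ANY (string_to_array(:'admins', ' ')) ON CONFLICT DO NOTHING"`, and drop the `join` helper. The comment about admins having to log in first is worth keeping, but consider printing the names that matched no `usr` row, since the INSERT silently grants nothing for them.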
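Review bot: Removing `/usr/local/libexec/pam-create-local-homedir` from the `install_file` call does not remove it from hosts provisioned with the previous revision, and nothing in this hunk drops whatever PAM entry presumably invoked it, so an orphaned setuid-free but root-run helper stays behind. If `install_file` only copies, as its usage here suggests, add `rm -f /usr/local/libexec/pam-create-local-homedir` next to the new `install_file -m 0555 /etc/profile.d/local-homedir.sh` line, or say in the comment why the stale copy is harmless. The kept `create_dataset ... "${state_dataset}/home"` line still creates the local-home dataset, so the comment should also state whether local homedirs are still expected.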
@@ -97,6 +101,11 @@ case $desktop_type in /usr/local/etc/xdg/plasma-workspace/shutdown install_file -m 0555 /usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh
+ # Disable user switching
+ # Broken with consolekit: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221452
+ # VT switch causes loss of graphics acceleration: https://github.com/freebsd/drm-kmod/issues/175
+ install_file -m 0644 /usr/local/etc/xdg/kdeglobals
+
 # Enable sddm. sysrc -v sddm_enable=YES ;;
diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm
index eadd621..260e52b 100644
--- a/scripts/hostclass/idm_server/90-idm
+++ b/scripts/hostclass/idm_server/90-idm
@@ -68,11 +68,12 @@ pkg install -y \
 pam_mkhomedir # Configure PAM/NSS integration.
+install_template -m 0644 \
+ /etc/pam.d/login \
+ /etc/pam.d/sshd install_file -m 0644 \
 /etc/nsswitch.conf \
 /etc/pam.d/system \
- /etc/pam.d/login \
- /etc/pam.d/sshd \
 /etc/pam.d/sudo \
 /etc/pam.d/su \
 /etc/pam.d/other
diff --git a/scripts/hostclass/nfs_server/10-nfs b/scripts/hostclass/nfs_server/10-nfs
index a775859..6ab8436 100644
--- a/scripts/hostclass/nfs_server/10-nfs
+++ b/scripts/hostclass/nfs_server/10-nfs
@@ -48,3 +48,4 @@ install_template -m 0644 /etc/exports for service in gssd nfsuserd mountd nfsd; do service "$service" status || service "$service" start done
+service mountd reload
diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository
index 7044f96..86e6b2c 100644
--- a/scripts/hostclass/pkg_repository
+++ b/scripts/hostclass/pkg_repository 
@@ -83,9 +83,11 @@ for version in $poudriere_versions; do abi="FreeBSD:${version%%.*}:$(uname -p)" [ -d "${poudriere_data_dir}/jails/${jail}" ] || poudriere jail -c -j "$jail" -v "$version"
- poudriere jail -u -j "$jail"
- poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm
- poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest
+ poudriere jail -u -j "$jail"
+ poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm
+ poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm -y
+ poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest
+ poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest -y install_directory -m 0755 "${poudriere_data_dir}/data/packages/${abi}" ln -snfv "../${jail}-latest" "${poudriere_data_dir}/data/packages/${abi}/latest"
@@ -102,7 +104,7 @@ install_directory -m 0555 "${poudriere_data_dir}/data/packages/poudriere" # Create cron job to update packages automatically. install_file -m 0555 /usr/local/libexec/poudriere-cron
-install_file -m 0644 /etc/cron.d/poudriere
+install_template -m 0644 /etc/cron.d/poudriere # Now that we have a valid repo, switch the pkg repo to the local filesystem. install_directory -m 0755 \
diff --git a/scripts/hostclass/public_webserver b/scripts/hostclass/public_webserver
index 3877313..e92149f 100644
--- a/scripts/hostclass/public_webserver
+++ b/scripts/hostclass/public_webserver
@@ -20,8 +20,8 @@ zfs set \
 "${state_dataset}/vhosts" # Configure nginx.
-install_template -m 0644 /usr/local/etc/nginx/nginx.conf
-install -Cv -m 0644 /dev/null /usr/local/etc/nginx/vhosts.conf
+install_template -m 0644 "${nginx_conf_dir}/nginx.conf"
+[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf" sysrc -v nginx_enable=YES service nginx restart 
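Review bot: Both new lines depend on `nginx_conf_dir`, which is set nowhere in this hunk and is presumably provided by a library sourced earlier; if it is unset, `install_template -m 0644 "${nginx_conf_dir}/nginx.conf"` renders to `/nginx.conf`, the guard creates `/vhosts.conf`, and nginx is restarted on whatever config was already in place. Add `: "${nginx_conf_dir:?nginx_conf_dir is not set}"` before the `# Configure nginx.` block; the xmpp_server hunks use the same variable and want the same guard. The new `[ -f ... ] ||` guard also changes re-run behaviour: an existing `vhosts.conf` is now kept until the ACME step re-templates it, which looks intended, so a comment such as `# Keep an existing vhosts.conf; it is re-templated once the ACME certs exist.` would stop the next reader reverting it to unconditional truncation.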
@@ -37,7 +37,7 @@ for certname in $acme_certs; do done # Now that we have the ACME certs, add the vhosts.
-install_template -m 0644 /usr/local/etc/nginx/vhosts.conf
+install_template -m 0644 "${nginx_conf_dir}/vhosts.conf" service nginx restart # If any acmeproxy_domains were specified, setup the SFTP proxy.
diff --git a/scripts/hostclass/smtp_server/20-postfix b/scripts/hostclass/smtp_server/20-postfix
index 68ac474..795e574 100644
--- a/scripts/hostclass/smtp_server/20-postfix
+++ b/scripts/hostclass/smtp_server/20-postfix
@@ -38,10 +38,10 @@ ln -snfv "$postfix_keytab" "/var/krb5/user/${postfix_uid}/client.keytab" # Generate postfix configuration. install_template -m 0644 \
 "${postfix_conf_dir}/main.cf" \
+ "${postfix_conf_dir}/master.cf" \
 "${postfix_conf_dir}/virtual_mailboxes.cf" \
 "${postfix_conf_dir}/virtual_aliases.cf" \
 /usr/local/lib/sasl2/smtpd.conf
-install_file -m 0644 "${postfix_conf_dir}/master.cf" # Allow postfix to read the saslauthd socket. install_directory -m 0750 -o "$saslauthd_user" -g "$postfix_user" "$saslauthd_runtime_dir"
@@ -54,10 +54,9 @@ if [ "$postfix_public_fqdn" != "$fqdn" ]; then # Acquire public TLS certificate. install_template -m 0600 /usr/local/etc/sudoers.d/acme acme_install_certificate \
- -c "$postfix_public_tls_cert" \
- -k "$postfix_public_tls_key" \
 -g "$postfix_user" \
 -r 'sudo service postfix reload' \
+ postfix \
 "$postfix_public_fqdn" fi
diff --git a/scripts/hostclass/unifi_controller b/scripts/hostclass/unifi_controller
index 9fd161e..96558e1 100644
--- a/scripts/hostclass/unifi_controller
+++ b/scripts/hostclass/unifi_controller 
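Review bot: With `-c "$postfix_public_tls_cert"` and `-k "$postfix_public_tls_key"` removed, the certificate and key paths are now implied by the new positional `postfix` argument, while `main.cf` (templated in the hunk above) presumably still reads `postfix_public_tls_cert`/`postfix_public_tls_key`, which are defined outside this hunk. Unless those equal what `acme_install_certificate` derives from the name — the xmpp_server hunk shows `${acme_cert_dir}/nginx.crt` for the name `nginx` — postfix will reference files the ACME step never writes. Either assert the coupling, `[ "$postfix_public_tls_cert" = "${acme_cert_dir}/postfix.crt" ] || exit 1`, or have the template use the derived paths directly. The enclosing `if [ "$postfix_public_fqdn" != "$fqdn" ]` block opens before this hunk.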
@@ -33,6 +33,10 @@ service unifi status && service unifi stop [ -f "${unifi_home}/data/keystore" ] || install -Cv -o "$unifi_user" -g "$unifi_user" -m 0600 /dev/null "${unifi_home}/data/keystore" su -m "$unifi_user" -c "java -jar ${unifi_home}/lib/ace.jar import_key_cert ${unifi_https_key} ${unifi_https_cert} ${site_cacert_path}"
+# Add root CA to java keystore.
+keytool -list -cacerts -storepass changeit -alias "$site" \
+ || keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias "$site" -file "$site_cacert_path"
+
 # Disable analytics. install_directory -m 0640 -o "$unifi_user" -g "$unifi_user" \
 "${unifi_home}/data/sites" \
diff --git a/scripts/hostclass/xmpp_server b/scripts/hostclass/xmpp_server
index 1889447..667014f 100644
--- a/scripts/hostclass/xmpp_server
+++ b/scripts/hostclass/xmpp_server
@@ -7,7 +7,7 @@ : ${prosody_admins:=''} : ${prosody_public_fqdn:="$fqdn"} : ${prosody_domains:="$email_domain"}
-: ${prosody_ldap_passwd:='changeme'}
+: ${prosody_ldap_password:='changeme'} : ${prosody_dbname:='prosody'} : ${prosody_dbhost:="$postgres_host"} : ${prosody_access_role:='xmpp-access'}
@@ -24,10 +24,11 @@ prosody_dn="uid=${prosody_username},${robots_basedn}" prosody_local_user=prosody prosody_conf_dir=/usr/local/etc/prosody prosody_certs_dir="${prosody_conf_dir}/certs"
-prosody_keytab="${keytab_dir}/prosody.keytab"
+prosody_keytab="${keytab_dir}/prosody.client.keytab" prosody_roster_path="${prosody_conf_dir}/roster.ini" prosody_http_port=8080
-prosody_upload_dir=/var/db/prosody/http_upload
+prosody_db_dir=/var/db/prosody
+prosody_upload_dir="${prosody_db_dir}/http_upload" prosody_https_cacert="${acme_cert_dir}/nginx.ca.crt" prosody_https_cert="${acme_cert_dir}/nginx.crt" 
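Review bot: The check in `keytool -list -cacerts -storepass changeit -alias "$site" || keytool -import ...` only tests that some entry exists under `$site`, so once the site CA is rotated or re-issued the stale certificate stays in the JRE trust store and the import never runs again. Compare the SHA-256 fingerprint of the stored entry with `$site_cacert_path` and re-import on mismatch, as sketched below. `-cacerts` edits the JRE's own trust store, which a JDK package upgrade may replace, so this step has to run on every provisioning pass rather than once, which the fingerprint check also makes cheap. The `changeit` password is the stock trust-store password and is acceptable here because the store holds only public certificates.
```shell
# Add root CA to java keystore (re-import when the CA on disk changes).
want=$(openssl x509 -in "$site_cacert_path" -noout -fingerprint -sha256)
have=$(keytool -list -cacerts -storepass changeit -alias "$site" -rfc 2>/dev/null \
  | openssl x509 -noout -fingerprint -sha256 2>/dev/null || true)
if [ "$want" != "$have" ]; then
  keytool -delete -cacerts -storepass changeit -alias "$site" 2>/dev/null || true
  keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias "$site" -file "$site_cacert_path"
fi
```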
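Review bot: Renaming `prosody_ldap_passwd` to `prosody_ldap_password` while keeping the `'changeme'` default means a host config that still sets the old name now silently binds to LDAP with the placeholder password instead of failing. Either keep a transitional fallback, `: ${prosody_ldap_password:="${prosody_ldap_passwd:-changeme}"}`, or make the variable required, `: "${prosody_ldap_password:?must be set}"`, which also removes a hard-coded credential from the default path. The default existed before the rename; the rename only widens who falls into it.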
@@ -42,10 +43,8 @@ pkg install -y \
 nginx # Create ZFS dataset for HTTP upload files.
-create_dataset -o "mountpoint=${prosody_upload_dir}" "${state_dataset}/http_upload"
-
-# Set ownership on http_upload directory.
-install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_upload_dir"
+create_dataset -o "mountpoint=${prosody_db_dir}" "${state_dataset}/prosody"
+install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_db_dir" # Create prosody user private group. ldap_add "cn=${prosody_username},${private_groups_basedn}" <<EOF 
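Review bot: Replacing `${state_dataset}/http_upload` (mounted at the old `prosody_upload_dir`) with `${state_dataset}/prosody` mounted at `/var/db/prosody` does nothing for hosts already provisioned: if `create_dataset` only creates, the old dataset persists with its `mountpoint` property pointing under the new tree, and existing uploads are either shadowed or mounted over the new directory depending on mount order. A one-off migration belongs in this hunk, e.g. `zfs list "${state_dataset}/http_upload" >/dev/null 2>&1 && zfs rename "${state_dataset}/http_upload" "${state_dataset}/prosody/http_upload"` (its explicit mountpoint survives the rename), or at least a comment stating that the old dataset must be removed by hand. The `http_upload` directory is also no longer created or chowned here, so this now relies on prosody creating it under the 0750 `prosody_db_dir` as `prosody_local_user`; a comment saying so would help.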
@@ -98,27 +97,28 @@ install_template -o root -g "$prosody_local_user" -m 0640 /usr/local/etc/prosody # Configure automatic roster. install_file -m 0555 /usr/local/libexec/prosody-update-roster install -Cv -m 0640 -o "$prosody_local_user" -g "$prosody_local_user" /dev/null "${prosody_conf_dir}/roster.ini"
-su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} > ${prosody_roster_path}"
+su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} ${prosody_roster_path}" # Copy prosody crontab. install_template -m 0644 /etc/cron.d/prosody # Configure nginx.
-install_template -m 0644 /usr/local/etc/nginx/nginx.conf
+install_template -m 0644 "${nginx_conf_dir}/nginx.conf"
+[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf" sysrc -v nginx_enable=YES service nginx restart
+# Retrieve webserver certificate via ACME. install_template -m 0600 /usr/local/etc/sudoers.d/acme acme_install_certificate \
- -C "$prosody_https_cacert" \
- -c "$prosody_https_cert" \
- -k "$prosody_https_key" \
 -g "$nginx_user" \
 -r 'sudo service nginx reload' \
+ nginx \
 "$prosody_public_fqdn"
-# Now that we have the ACME certs, add the nginx vhost.
-install_template -m 0644 /usr/local/etc/nginx/vhosts.conf
+# Now that we have the ACME certs, add the vhosts.
+install_template -m 0644 "${nginx_conf_dir}/vhosts.conf"
+service nginx restart # Enable and start daemons. sysrc -v prosody_enable=YES |
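Review bot: The added `service nginx restart` after templating `vhosts.conf` drops in-flight connections and, if the rendered file is bad, leaves nginx stopped, whereas the ACME renewal hook in the same hunk already uses `-r 'sudo service nginx reload'`. Change the new line to `service nginx reload`: nginx's reload keeps the old workers running when the master cannot apply the new config, and the earlier `service nginx restart` is still fine since it brings nginx up on the bootstrap empty `vhosts.conf`. The same substitution applies to the `service nginx restart` lines in the public_webserver hunks.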