53 files changed, 399 insertions, 144 deletions
diff --git a/files/etc/auto_master.common b/files/etc/auto_master.common index 37f3e34..d82114c 100644 --- a/files/etc/auto_master.common +++ b/files/etc/auto_master.common @@ -1,2 +1 @@ -/net -hosts -nobrowse,nosuid,intr +auto_master diff --git a/files/etc/cron.d/freeradius.radius_server b/files/etc/cron.d/freeradius.radius_server index 20f3ada..2081fbd 100644 --- a/files/etc/cron.d/freeradius.radius_server +++ b/files/etc/cron.d/freeradius.radius_server @@ -1,2 +1,2 @@ MAILTO=root -@daily ${freeradius_user} find ${freeradius_tlscache_dir} -mindepth 1 -mtime +2 -exec rm -vf {} + +@daily ${freeradius_user} find ${freeradius_tlscache_dir} -mindepth 1 -mtime +2 -exec rm -f {} + diff --git a/files/etc/cron.d/prosody.xmpp_server b/files/etc/cron.d/prosody.xmpp_server index b95f010..a73153a 100644 --- a/files/etc/cron.d/prosody.xmpp_server +++ b/files/etc/cron.d/prosody.xmpp_server @@ -1,3 +1,3 @@ MAILTO=root -0 0 * * * * ${prosody_local_user} /usr/local/libexec/prosody-acme-proxy -q ${prosody_user}@${prosody_acme_host} ${prosody_domains} -0 0 * * * * ${prosody_local_user} /usr/local/libexec/prosody-update-roster ${prosody_access_role} > ${prosody_roster_path} +0 0 * * * * ${prosody_local_user} /usr/local/libexec/prosody-acme-proxy -q ${prosody_username}@${prosody_acme_host} ${prosody_domains} +0 0 * * * * ${prosody_local_user} /usr/local/libexec/prosody-update-roster ${prosody_access_role} ${prosody_roster_path} diff --git a/files/etc/devfs.rules.desktop b/files/etc/devfs.rules.desktop index 4c10d43..ec38210 100644 --- a/files/etc/devfs.rules.desktop +++ b/files/etc/devfs.rules.desktop @@ -2,3 +2,4 @@ add path 'drm/*' mode 0660 group ${desktop_access_role} add path 'backlight/*' mode 0660 group ${desktop_access_role} add path 'video*' mode 0660 group ${desktop_access_role} +add path 'usb/*' mode 0660 group ${desktop_access_role} diff --git a/files/etc/login.access.freebsd b/files/etc/login.access.freebsd index c2d6fc1..ee83dd5 100644 
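Review bot: Both rewritten prosody entries carry six time fields (`0 0 * * * *`) before `${prosody_local_user}`, whereas the freeradius file in the same directory uses the five-field/`@daily` system-crontab form; unless this cron accepts a seconds field, the sixth `*` is parsed as the user name and the job is rejected with a bad-username error rather than run. If five fields are intended, `0 0 * * * ${prosody_local_user} /usr/local/libexec/prosody-acme-proxy ...` (and likewise for the roster line) fixes it. The roster script now receives `${prosody_roster_path}` as an argument instead of a stdout redirect, so what happens to the roster file on a failed LDAP query is now decided inside that script rather than by cron.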
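Review bot: `add path 'usb/*' mode 0660 group ${desktop_access_role}` gives every member of the desktop role read/write access to the raw ugen node of every attached USB device, not only the phone that `devel/android-tools` and `sysutils/android-file-transfer-qt5` in this commit's pkglist presumably target; that covers USB authentication tokens, storage and HID devices, which any process running as a desktop user can then drive directly. If the goal is adb/MTP, consider a narrower match or a dedicated group for the users who need it, and record the intent above the rule, e.g. `# Raw USB access for adb/MTP; note this exposes every ugen device, including security keys, to the desktop role.`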
--- a/files/etc/login.access.freebsd +++ b/files/etc/login.access.freebsd @@ -2,7 +2,10 @@ +:root:ALL +:${icinga_local_user}:ALL -$(if [ -n "${login_access_groups:-}" ] || [ -n "${login_access_users:-}" ]; then +$(if [ -n "${acmeproxy_client_group:-}" ]; then + echo "+:(${acmeproxy_client_group}):ALL" +fi +if [ -n "${login_access_groups:-}" ] || [ -n "${login_access_users:-}" ]; then printf -- '-:ALL EXCEPT ' if [ -n "${login_access_groups:-}" ]; then printf '(%s) ' ${login_access_groups} diff --git a/files/etc/pam.d/login.freebsd b/files/etc/pam.d/login.freebsd index ae50bbe..bb215ec 100644 --- a/files/etc/pam.d/login.freebsd +++ b/files/etc/pam.d/login.freebsd @@ -12,6 +12,11 @@ session required pam_lastlog.so no_fail session required pam_xdg.so session required /usr/local/lib/security/pam_krb5.so session optional /usr/local/lib/pam_mkhomedir.so mode=0700 +$(if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ] && [ "${enable_autofs:-}" != false ]; then +cat <<EOF +session optional pam_exec.so /usr/local/libexec/pam-create-local-homedir +EOF +fi) password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass password required pam_unix.so no_warn try_first_pass diff --git a/files/etc/pam.d/sshd.freebsd b/files/etc/pam.d/sshd.freebsd index 1f81b48..e00fb13 100644 --- a/files/etc/pam.d/sshd.freebsd +++ b/files/etc/pam.d/sshd.freebsd @@ -8,6 +8,11 @@ account required pam_unix.so session required /usr/local/lib/security/pam_krb5.so session required /usr/local/lib/pam_mkhomedir.so mode=0700 +$(if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ] && [ "${enable_autofs:-}" != false ]; then +cat <<EOF +session optional pam_exec.so /usr/local/libexec/pam-create-local-homedir +EOF +fi) password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass password required pam_unix.so no_warn try_first_pass diff --git a/files/usr/local/etc/asterisk/queues.conf.asterisk_server b/files/usr/local/etc/asterisk/queues.conf.asterisk_server index 87b8ed4..8849690 100644 
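Review bot: The new `+:(${acmeproxy_client_group}):ALL` rule is emitted before the `-:ALL EXCEPT ...` deny line, and login.access is first-match, so members of that group may log in from any origin on every host that renders this template, regardless of `login_access_groups`. If the ACME proxy clients only need SFTP to a single certificate host, a tighter origin than `ALL` (the client subnet, or confining the group with a `Match Group` block in sshd_config) keeps the grant scoped, and a comment such as `# ACME proxy clients fetch certificates over SFTP` would record why a non-interactive group appears here. Whether sshd additionally restricts this group to a forced command or chroot is not visible in this hunk.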
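Review bot: The `session optional pam_exec.so /usr/local/libexec/pam-create-local-homedir` line is now rendered on every non-jail host with autofs enabled, yet in the same commit `scripts/hostclass/desktop` stops installing that helper (its `install_file` call shrinks to `/etc/profile.d/local-homedir.sh`) and no visible hunk installs it elsewhere; unless `90-idm` or another script now ships it, pam_exec will log an exec failure on each login, non-fatal only because of `optional`. pam_exec runs the helper with the login process's root privileges during session setup, so the helper must be root-owned and non-writable and must not trust `PAM_USER` when building paths under the local home dataset. A short comment above the entry, `# Create a local (non-NFS) home directory; runs as root via pam_exec`, would help the next reader, and the identical sshd hunk deserves the same treatment.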
--- a/files/usr/local/etc/asterisk/queues.conf.asterisk_server +++ b/files/usr/local/etc/asterisk/queues.conf.asterisk_server @@ -6,12 +6,12 @@ shared_lastcall = yes log_membername_as_agent = yes $(for queue in ${asterisk_queues:-}; do - eval "queue_strategy=\${asterisk_queue_${queue}_strategy}" + eval "queue_strategy=\${asterisk_queue_${queue}_strategy:-ringall}" eval "queue_timeout=\${asterisk_queue_${queue}_timeout:-15}" eval "queue_retry=\${asterisk_queue_${queue}_retry:-5}" eval "queue_ringinuse=\${asterisk_queue_${queue}_ringinuse:-yes}" - eval "queue_members=\${asterisk_queue_${queue}_members}" - echo "\ + eval "queue_members=\${asterisk_queue_${queue}_members:-}" + cat <<EOF [${queue}] strategy = ${queue_strategy} timeout = ${queue_timeout} @@ -24,8 +24,12 @@ periodic-announce-frequency = 0 joinempty = yes leavewhenempty = no ringinuse = ${queue_ringinuse} -timeoutrestart = yes" -for member in $queue_members; do - eval "member_name=\${asterisk_ext_${member}_cid_name}" - echo "member => PJSIP/${member},0,${member_name},PJSIP/${member}" -done; done) +timeoutrestart = yes +EOF + for member in $queue_members; do + eval "member_name=\${asterisk_ext_${member}_cid_name}" + cat <<EOF +member => PJSIP/${member},0,${member_name},PJSIP/${member} +EOF + done +done) diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.desktop b/files/usr/local/etc/chromium/policies/managed/policies.json.desktop index 93544cf..1391d09 100644 --- a/files/usr/local/etc/chromium/policies/managed/policies.json.desktop +++ b/files/usr/local/etc/chromium/policies/managed/policies.json.desktop 
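Review bot: The queue lookups gained `:-` defaults (`strategy` falls back to `ringall`, `members` to empty), but the inner `eval "member_name=\${asterisk_ext_${member}_cid_name}"` still has none, so if the template is rendered under `set -u` a member without a `cid_name` aborts the whole queues.conf instead of yielding an empty display name; `eval "member_name=\${asterisk_ext_${member}_cid_name:-}"` makes it consistent with the lines above. `${queue}` and `${member}` are also spliced into `eval` strings; that is acceptable for operator-supplied configuration, but a comment stating that these identifiers must be plain shell-safe words would make the contract explicit.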
@@ -14,15 +14,6 @@ "CloudReportingEnabled": false, "DefaultBrowserSettingEnabled": false, "DefaultCookiesSetting": 1, - "DefaultSearchProviderEnabled": true, - "DefaultSearchProviderName": "DuckDuckGo", - "DefaultSearchProviderIconURL": "https://duckduckgo.com/favicon.ico", - "DefaultSearchProviderEncodings": [ - "UTF-8" - ], - "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}", - "DefaultSearchProviderSuggestURL":"https://duckduckgo.com/ac/?q={searchTerms}&type=list", - "DefaultSearchProviderNewTabURL":"https://duckduckgo.com/chrome_newtab", "DnsOverHttpsMode": "off", "EnableAuthNegotiatePort": true, "EnableMediaRouter": false, @@ -45,8 +36,44 @@ "toplevel_name": "Internal" }, { + "name": "Bitwarden", + "url": "https://bitwarden.${domain}/" + }, + { + "name": "CUPS", + "url": "https://cups.${domain}/" + }, + { + "name": "DAViCal", + "url": "https://dav.${domain}/" + }, + { + "name": "Icinga", + "url": "https://icinga.${domain}/" + }, + { + "name": "Invidious", + "url": "https://invidious.${domain}/" + }, + { "name": "Poudriere", "url": "http://pkg.${domain}/poudriere" + }, + { + "name": "Rspamd", + "url": "https://smtp.${domain}/" + }, + { + "name": "Tiny Tiny RSS", + "url": "https://ttrss.${domain}/" + }, + { + "name": "UniFi Controller", + "url": "https://unifi.${domain}/" + }, + { + "name": "ZNC", + "url": "https://znc.${domain}/" } ], "ExtensionSettings": { 
@@ -67,25 +94,22 @@ "extensions": { "cjpalhdlnbpafiamejdnhcphjbkeiagm": { "toOverwrite": { - "selectedFilterLists": [ + "filterLists": [ "user-filters", "ublock-filters", "ublock-badware", "ublock-privacy", - "ublock-abuse", + "ublock-quick-fixes", "ublock-unbreak", - "ublock-annoyances", - "ublock-cookies-easylist", - "fanboy-cookiemonster", "easylist", "easyprivacy", + "adguard-spyware-url", "urlhaus-1", "plowe-0", - "fanboy-annoyance", - "fanboy-social", + "fanboy-cookiemonster", + "ublock-cookies-easylist", "fanboy-thirdparty_social", - "adguard-spyware-url", - "ublock-quick-fixes" + "ublock-annoyances" ] }, "toAdd": { diff --git a/files/usr/local/etc/dovecot/dovecot-ldap-userdb.conf.ext.imap_server b/files/usr/local/etc/dovecot/dovecot-ldap-userdb.conf.ext.imap_server index fc939a6..6a7ce4e 100644 --- a/files/usr/local/etc/dovecot/dovecot-ldap-userdb.conf.ext.imap_server +++ b/files/usr/local/etc/dovecot/dovecot-ldap-userdb.conf.ext.imap_server @@ -6,11 +6,11 @@ sasl_realm = ${realm} base = ${users_basedn} user_filter = (|(mailAddress=%u)(uid=%u)) -user_attrs = \ - =user=%{ldap:uid}, \ - =uid=${dovecot_vmail_uid}, \ - =gid=${dovecot_vmail_uid}, \ - =home=${dovecot_vmail_dir}/%{ldap:uid} \ +user_attrs = \\ + =user=%{ldap:uid}, \\ + =uid=${dovecot_vmail_uid}, \\ + =gid=${dovecot_vmail_uid}, \\ + =home=${dovecot_vmail_dir}/%{ldap:uid}, \\ mailQuota=quota_rule=\*:storage=%{ldap:mailQuota} iterate_attrs = uid=user diff --git a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server index 4340192..116fe44 100644 --- a/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server +++ b/files/usr/local/etc/icinga2/conf.d/services.conf.icinga_server 
@@ -219,6 +219,20 @@ apply Service "cups-cert" { assign where ("cups-servers" in host.groups) } +apply Service for (vhost in host.vars.xmpp_vhosts) { + check_command = "tcp" + name = vhost + "-xmpp" + display_name = vhost + " xmpp" + vars.tcp_port = 5223 + vars.tcp_ssl = true + vars.tcp_sni = vhost + vars.tcp_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} + vars.tcp_wtime = ${icinga_response_time_warn} + vars.tcp_ctime = ${icinga_response_time_crit} + vars.tcp_send = "<stream:stream to='" + vhost + "' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>" + vars.tcp_expect = "<?xml version='1.0'" +} + // Expect HTTP 200 apply Service "http" { check_command = "http" @@ -289,7 +303,6 @@ apply Service "https" { vars.http_warn_time = ${icinga_response_time_warn} vars.http_critical_time = ${icinga_response_time_crit} assign where ("pkg-repositories" in host.groups - || "xmpp-servers" in host.groups || "znc-servers" in host.groups || "bitwarden-servers" in host.groups) } @@ -331,7 +344,6 @@ apply Service "https-cert" { || "pkg-repositories" in host.groups || "unifi-controllers" in host.groups || "web-servers" in host.groups - || "xmpp-servers" in host.groups || "znc-servers" in host.groups || "bitwarden-servers" in host.groups || "dav-servers" in host.groups @@ -342,11 +354,11 @@ apply Service "https-cert" { && !host.vars.https_vhosts) } -// Expect HTTPS 200 +// Certificate validity apply Service for (vhost in host.vars.https_vhosts) { check_command = "http" - name = vhost + "-cert" - display_name = vhost + " certificate" + name = vhost + "-https-cert" + display_name = vhost + " https certificate" vars.http_vhost = vhost vars.http_expect = "HTTP/1.1 200 OK" vars.http_ssl = true 
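Review bot: The new XMPP check hard-codes `vars.tcp_port = 5223`, while the prosody template in this same commit listens on `c2s_direct_tls_ports = { ${prosody_c2s_tls_port} }`; if that variable is ever set to another port the check goes CRITICAL with the service up. The icinga template is already shell-interpolated (see `${icinga_cert_days_warn}`), so if `prosody_c2s_tls_port` is visible when it renders, `vars.tcp_port = ${prosody_c2s_tls_port}` keeps monitoring and service in step. Dropping `xmpp-servers` from the `https`/`https-cert` services further down also means any HTTP(S) endpoint still served on those hosts is no longer checked; if that is deliberate, a one-line comment on the new service saying so would stop someone re-adding them.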
@@ -354,13 +366,12 @@ apply Service for (vhost in host.vars.https_vhosts) { vars.http_certificate = ${icinga_cert_days_warn} + "," + ${icinga_cert_days_crit} } -// Certificate validity +// Expect HTTPS 200 apply Service for (vhost in host.vars.https_vhosts) { check_command = "http" - name = vhost - display_name = vhost + name = vhost + "-https-status" + display_name = vhost + " https status" vars.http_vhost = vhost - vars.http_expect = "HTTP/1.1 200 OK" vars.http_ssl = true vars.http_sni = true vars.http_expect = "HTTP/1.1 200 OK" diff --git a/files/usr/local/etc/icinga2/conf.d/templates.conf.icinga_server b/files/usr/local/etc/icinga2/conf.d/templates.conf.icinga_server index 0ebe46e..cd1cda1 100644 --- a/files/usr/local/etc/icinga2/conf.d/templates.conf.icinga_server +++ b/files/usr/local/etc/icinga2/conf.d/templates.conf.icinga_server @@ -7,8 +7,8 @@ template Host "generic-host" default { template Service "generic-service" default { max_check_attempts = 5 - check_interval = 1m - retry_interval = 30s + check_interval = 5m + retry_interval = 1m } template User "generic-user" default { diff --git a/files/usr/local/etc/postfix/main.cf.smtp_server b/files/usr/local/etc/postfix/main.cf.smtp_server index 155c18c..72c0448 100644 --- a/files/usr/local/etc/postfix/main.cf.smtp_server +++ b/files/usr/local/etc/postfix/main.cf.smtp_server @@ -19,7 +19,6 @@ setgid_group = maildrop import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C POSTLOG_SERVICE POSTLOG_HOSTNAME KRB5_KTNAME=${postfix_keytab} KRB5_CLIENT_KTNAME=${postfix_keytab} myorigin = ${postfix_myorigin} -myhostname = ${postfix_public_fqdn} mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 ${postfix_mynetworks} mydestination = @@ -100,6 +99,8 @@ smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unauth_destination, 
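Review bot: Placing `permit_mynetworks` first in `smtpd_recipient_restrictions` lets every client in `mynetworks` skip `reject_unknown_recipient_domain`, `reject_unlisted_recipient` and whatever follows, and `mynetworks` includes `[fe80::]/64`, i.e. any device on the local link. Open relay is still prevented only because `smtpd_relay_restrictions` (visible above the hunk) does not contain `permit_mynetworks`; that dependency is easy to break later, so record it, e.g. `# Relay control lives in smtpd_relay_restrictions; do not add permit_mynetworks there.` It is also worth reconsidering whether the link-local prefix belongs in `mynetworks` now that membership carries this much trust.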
diff --git a/files/usr/local/etc/postfix/master.cf.smtp_server b/files/usr/local/etc/postfix/master.cf.smtp_server
index e0b5bbb..9dce9be 100644
--- a/files/usr/local/etc/postfix/master.cf.smtp_server
+++ b/files/usr/local/etc/postfix/master.cf.smtp_server
@@ -1,4 +1,5 @@
 smtp inet n - n - - smtpd
+ -o myhostname=${postfix_public_fqdn}
 submission inet n - n - - smtpd
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
@@ -16,7 +17,7 @@ proxymap unix - - n - - proxymap
 proxywrite unix - - n - 1 proxymap
 smtp unix - - n - - smtp
 relay unix - - n - - smtp
- -o syslog_name=postfix/$service_name
+ -o syslog_name=postfix/\$service_name
 showq unix n - n - - showq
 error unix - - n - - error
 retry unix - - n - - error
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
index 3a80736..a4677f4 100644
--- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -4,7 +4,7 @@ DEFAULT_VERSIONS+=${poudriere_default_versions:-}
 MAKE_JOBS_NUMBER=${poudriere_make_jobs_number}
 
 # Global port options
-OPTIONS_UNSET=TEST DEBUG GSSAPI_HEIMDAL GSSAPI_BASE GSSAPI_NONE HEIMDAL HEIMDAL_BASE NLS DOCS AVAHI LIBWRAP MYSQL MSQLND ODBC READLINE PULSEAUDIO UPNP BASH ZSH INFO ALSA SAMBA WAYLAND PLATFORM_WAYLAND PIPEWIRE TCP_WRAPPERS COMPAT32
+OPTIONS_UNSET=TEST DEBUG GSSAPI_HEIMDAL GSSAPI_BASE GSSAPI_NONE HEIMDAL HEIMDAL_BASE NLS DOCS AVAHI LIBWRAP MYSQL MSQLND ODBC READLINE PULSEAUDIO UPNP BASH ZSH INFO ALSA SAMBA WAYLAND PLATFORM_WAYLAND PIPEWIRE TCP_WRAPPERS COMPAT32 JACK
 OPTIONS_SET=GSSAPI GSSAPI_MIT MIT NONFREE LIBEDIT
 
 # Per-port options
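Review bot: `-o myhostname=${postfix_public_fqdn}` is applied only to the `smtp inet` listener, and this commit removes the global `myhostname` from main.cf, so the `submission` listener, the `smtp`/`relay` clients and bounce generation fall back to Postfix's default (the system hostname). If that name differs from the public FQDN, outbound EHLO, Received: headers and the submission banner will present the internal name, which can affect deliverability and discloses the internal hostname; if only the inbound banner was meant to change, say so in a comment and confirm the system hostname matches the MX/PTR records. The `\$service_name` escaping on the relay line is right for a shell-rendered template but merits `# escaped for the template renderer` so it is not "fixed" back.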
@@ -87,6 +87,8 @@ sysutils_htop_SET=LSOF sysutils_k3b_UNSET=EMOVIX VCDIMAGER sysutils_rsyslog8_SET=GSSAPI RELP OPENSSL sysutils_rsyslog8_UNSET=GCRYPT +textproc_en-hunspell_SET=US_LARGE +textproc_en-hunspell_UNSET=US_STANDARD www_chromium_SET=WIDEVINE www_firefox_UNSET=PROFILE JACK www_nginx_SET=HTTPV3 HTTPV3_QTLS HTTP_AUTH_KRB5 HTTP_AUTH_LDAP diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository index 8542c20..e90bc1b 100644 --- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository +++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository @@ -4,7 +4,7 @@ archivers/php${php_version}-zip archivers/unzip archivers/zip audio/elisa -audio/juk +audio/gsound audio/kid3@kf5 audio/kmix audio/virtual_oss @@ -18,6 +18,8 @@ databases/php${php_version}-pgsql databases/postgresql${postgresql_version}-client databases/postgresql${postgresql_version}-server databases/redis +deskutils/py-vdirsyncer +devel/android-tools devel/ccache devel/cgit devel/electron30 @@ -71,7 +73,7 @@ multimedia/v4l-utils multimedia/v4l_compat multimedia/vdpauinfo multimedia/webcamd -net-im/dino +net-im/farstream net-im/gajim net-im/prosody net-im/prosody-modules @@ -115,6 +117,7 @@ security/sshpass security/sudo security/vaultwarden security/wpa_supplicant +sysutils/android-file-transfer-qt5 sysutils/cpu-microcode sysutils/htop sysutils/k3b @@ -129,6 +132,7 @@ sysutils/stow sysutils/tmux sysutils/tree sysutils/zfstools +textproc/en-hunspell textproc/hs-pandoc textproc/jq textproc/p5-YAML diff --git a/files/usr/local/etc/prosody/prosody.cfg.lua.xmpp_server b/files/usr/local/etc/prosody/prosody.cfg.lua.xmpp_server index 083a6ce..7936cac 100644 --- a/files/usr/local/etc/prosody/prosody.cfg.lua.xmpp_server +++ b/files/usr/local/etc/prosody/prosody.cfg.lua.xmpp_server 
@@ -47,6 +47,8 @@ reload_modules = { "groups", "tls" } groups_file = "${prosody_roster_path}" s2s_secure_auth = true +c2s_direct_tls_ports = { ${prosody_c2s_tls_port} } +s2s_direct_tls_ports = { ${prosody_s2s_tls_port} } limits = { c2s = { diff --git a/files/usr/local/etc/rspamd/local.d/logging.inc.smtp_server b/files/usr/local/etc/rspamd/local.d/logging.inc.smtp_server index 7e38af5..da081e0 100644 --- a/files/usr/local/etc/rspamd/local.d/logging.inc.smtp_server +++ b/files/usr/local/etc/rspamd/local.d/logging.inc.smtp_server @@ -1,2 +1,2 @@ type = syslog; -facility = mail; +facility = daemon; diff --git a/files/usr/local/etc/xdg/kdeglobals.desktop b/files/usr/local/etc/xdg/kdeglobals.desktop new file mode 100644 index 0000000..5d121aa --- /dev/null +++ b/files/usr/local/etc/xdg/kdeglobals.desktop @@ -0,0 +1,5 @@ +# Broken with consolekit: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221452 +# VT switch causes loss of graphics acceleration: https://github.com/freebsd/drm-kmod/issues/175 +[KDE Action Restrictions] +action/start_new_session=false +action/switch_user=false diff --git a/files/usr/local/etc/xdg/kdeglobals.laptop b/files/usr/local/etc/xdg/kdeglobals.laptop new file mode 120000 index 0000000..9c8c680 --- /dev/null +++ b/files/usr/local/etc/xdg/kdeglobals.laptop @@ -0,0 +1 @@ +kdeglobals.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/xdg/kdeglobals.roadwarrior_laptop b/files/usr/local/etc/xdg/kdeglobals.roadwarrior_laptop new file mode 120000 index 0000000..9c8c680 --- /dev/null +++ b/files/usr/local/etc/xdg/kdeglobals.roadwarrior_laptop @@ -0,0 +1 @@ +kdeglobals.desktop
\ No newline at end of file diff --git a/files/usr/local/lib/firefox/distribution/policies.json.desktop b/files/usr/local/lib/firefox/distribution/policies.json.desktop index de93355..aa2de1b 100644 --- a/files/usr/local/lib/firefox/distribution/policies.json.desktop +++ b/files/usr/local/lib/firefox/distribution/policies.json.desktop @@ -22,25 +22,22 @@ "Extensions": { "uBlock0@raymondhill.net": { "toOverwrite": { - "selectedFilterLists": [ + "filterLists": [ "user-filters", "ublock-filters", "ublock-badware", "ublock-privacy", - "ublock-abuse", + "ublock-quick-fixes", "ublock-unbreak", - "ublock-annoyances", - "ublock-cookies-easylist", - "fanboy-cookiemonster", "easylist", "easyprivacy", + "adguard-spyware-url", "urlhaus-1", "plowe-0", - "fanboy-annoyance", - "fanboy-social", + "fanboy-cookiemonster", + "ublock-cookies-easylist", "fanboy-thirdparty_social", - "adguard-spyware-url", - "ublock-quick-fixes" + "ublock-annoyances" ] }, "toAdd": { @@ -115,8 +112,44 @@ "toplevel_name": "Intranet" }, { - "url": "http://pkg.${domain}/poudriere/", - "name": "Poudriere" + "name": "Bitwarden", + "url": "https://bitwarden.${domain}/" + }, + { + "name": "CUPS", + "url": "https://cups.${domain}/" + }, + { + "name": "DAViCal", + "url": "https://dav.${domain}/" + }, + { + "name": "Icinga", + "url": "https://icinga.${domain}/" + }, + { + "name": "Invidious", + "url": "https://invidious.${domain}/" + }, + { + "name": "Poudriere", + "url": "http://pkg.${domain}/poudriere" + }, + { + "name": "Rspamd", + "url": "https://smtp.${domain}/" + }, + { + "name": "Tiny Tiny RSS", + "url": "https://ttrss.${domain}/" + }, + { + "name": "UniFi Controller", + "url": "https://unifi.${domain}/" + }, + { + "name": "ZNC", + "url": "https://znc.${domain}/" } ], "ExtensionUpdate": true, diff --git a/files/usr/local/lib/libreoffice/program/sofficerc.desktop b/files/usr/local/lib/libreoffice/program/sofficerc.desktop index 77574a4..2a600b0 100644 
--- a/files/usr/local/lib/libreoffice/program/sofficerc.desktop +++ b/files/usr/local/lib/libreoffice/program/sofficerc.desktop @@ -1,8 +1,8 @@ [Bootstrap] CrashDirectory=${$BRAND_BASE_DIR/program/bootstraprc:UserInstallation}/crash -CrashDumpEnable=true +CrashDumpEnable=false HideEula=1 -Logo=0 +Logo=1 NativeProgress=false ProgressBarColor=0,0,0 ProgressFrameColor=102,102,102 diff --git a/files/usr/local/libexec/poudriere-cron.pkg_repository b/files/usr/local/libexec/poudriere-cron.pkg_repository index f7a5c1c..dce1830 100644 --- a/files/usr/local/libexec/poudriere-cron.pkg_repository +++ b/files/usr/local/libexec/poudriere-cron.pkg_repository @@ -15,9 +15,11 @@ for patch in /usr/local/etc/poudriere.d/patches/*.patch; do done for jail in "$@"; do - poudriere jail -u -j "$jail" > /dev/null - poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/idm-pkglist -p "$ports_tree" -z idm > /dev/null - poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" > /dev/null + poudriere jail -u -j "$jail" > /dev/null + poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/idm-pkglist -p "$ports_tree" -z idm > /dev/null + poudriere pkgclean -j "$jail" -f /usr/local/etc/poudriere.d/idm-pkglist -p "$ports_tree" -z idm -y > /dev/null + poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" > /dev/null + poudriere pkgclean -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" -y > /dev/null done poudriere distclean -p "$ports_tree" -a -y > /dev/null diff --git a/files/usr/local/libexec/prosody-acme-proxy.xmpp_server b/files/usr/local/libexec/prosody-acme-proxy.xmpp_server index d69017b..70faddd 100644 --- a/files/usr/local/libexec/prosody-acme-proxy.xmpp_server +++ b/files/usr/local/libexec/prosody-acme-proxy.xmpp_server 
@@ -37,7 +37,7 @@ md5_old=$(cat "$CHECKSUM_FILE") printf 'get certs/%s.crt\n' "$@" printf 'get certs/%s.key\n' "$@" printf 'quit\n' -} | sftp -b - "$acmeproxy_target" +} | /usr/local/bin/sftp -b - "$acmeproxy_target" # Get md5 of the new certificates. md5_new=$(md5sum "$CERT_DIR"/*.crt "$CERT_DIR"/*.key | tee "$CHECKSUM_FILE") diff --git a/files/usr/local/libexec/prosody-update-roster.xmpp_server b/files/usr/local/libexec/prosody-update-roster.xmpp_server index 1b79747..84c0c6e 100644 --- a/files/usr/local/libexec/prosody-update-roster.xmpp_server +++ b/files/usr/local/libexec/prosody-update-roster.xmpp_server @@ -6,8 +6,9 @@ use warnings; use Net::LDAP; use Authen::SASL; -@ARGV == 1 or die "usage: $0 ROLE_NAME\n"; +@ARGV == 2 or die "usage: $0 ROLE_NAME ROSTER_FILE\n"; my $role = $ARGV[0]; +my $roster = $ARGV[1]; open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or quit($!); my %config; @@ -25,7 +26,7 @@ my $uri = $config{URI} // die("URI not specified\n"); my $users_basedn = $config{USERS_BASE} // die("USERS_BASE not specified\n"); my $roles_basedn = $config{ROLES_BASE} // die("ROLES_BASE not specified\n"); -my $conn = Net::LDAP->new($ldap_uris, version => '3') or die "$@"; +my $conn = Net::LDAP->new($uri, version => '3') or die "$@"; my $sasl = Authen::SASL->new($mech); my $status = $conn->bind(sasl => $sasl); $status->code and die $status->error; @@ -36,12 +37,13 @@ my $search = $conn->search( filter => "(&(memberOf=cn=$role,$roles_basedn)(mailAddress=*))", attrs => ['mailAddress', 'cn']); -print "[Internal]\n"; - +open $fh, '>', $roster or die "failed to open file for writing: $roster\n"; +print $fh "[Internal]\n"; foreach my $entry ($search->entries) { my $jid = ($entry->get_value('mailAddress'))[0]; my $cn = ($entry->get_value('cn'))[0] // $jid; - print "$jid=$cn\n"; + print $fh "$jid=$cn\n"; } +close $fh; system('prosodyctl reload'); 
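Review bot: The rewritten output path opens `$roster` for writing and iterates `$search->entries` without ever checking `$search->code`, so an LDAP failure after a successful bind produces a roster containing only `[Internal]`, which `prosodyctl reload` then applies, wiping the shared roster for every user. Check the search result before touching the file and write to a temporary file followed by `rename`, so a partial or empty result never replaces the live roster; the `$ldap_uris` to `$uri` fix above is correct (the old name was undefined under `use strict`). Whether `${prosody_local_user}` may run `prosodyctl reload` at all is decided outside this hunk.
```perl
$search->code and die $search->error;

my $tmp = "$roster.tmp.$$";
open $fh, '>', $tmp or die "failed to open file for writing: $tmp\n";
print $fh "[Internal]\n";
# … unchanged: foreach loop printing "$jid=$cn" …
close $fh or die "failed to write $tmp\n";
rename $tmp, $roster or die "failed to replace $roster\n";
system('prosodyctl reload');
```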
diff --git a/files/usr/local/sbin/jailctl.freebsd_hypervisor b/files/usr/local/sbin/jailctl.freebsd_hypervisor
index df48f57..8719297 100644
--- a/files/usr/local/sbin/jailctl.freebsd_hypervisor
+++ b/files/usr/local/sbin/jailctl.freebsd_hypervisor
@@ -193,14 +193,14 @@ Options:
 zfs create -v "${JAIL_DATASET}/${name}"
 zfs clone \
 $ZFS_OPTS \
- -o quota="$os_quota" \
+ -o refquota="$os_quota" \
 "$snapshot" "${JAIL_DATASET}/${name}/os"
 
 # Create delegated 'data' dataset.
 zfs create -v \
 $ZFS_OPTS \
 -o mountpoint=none \
- -o quota="$data_quota" \
+ -o refquota="$data_quota" \
 "${JAIL_DATASET}/${name}/data"
 
 # Copy timezone configuration from host.
@@ -761,7 +761,7 @@ cmd::reprovision(){
 zfs::ensure_snapshot snapshot "${JAIL_DATASET}/templates/${template}"
 
 # Stash old configuration data.
- old_quota=$(zfs get -Hp -o value quota "${JAIL_DATASET}/${jail}/os")
+ old_quota=$(zfs get -Hp -o value refquota "${JAIL_DATASET}/${jail}/os")
 old_hostname=$(sysrc -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" -qn hostname)
 old_ifconfig=$(sysrc -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" -qn ifconfig_jail0)
 old_defaultrouter=$(sysrc -f "${JAIL_HOME}/${jail}/os/etc/rc.conf" -qn defaultrouter) ||:
@@ -773,7 +773,7 @@ cmd::reprovision(){
 zfs destroy -v -f -r "${JAIL_DATASET}/${jail}/os"
 zfs clone \
 $ZFS_OPTS \
- -o quota="$old_quota" \
+ -o refquota="$old_quota" \
 "$snapshot" "${JAIL_DATASET}/${jail}/os"
 
 # Copy timezone configuration from host.
@@ -839,7 +839,7 @@ cmd::shell(){
 jail::exists "$jail" || die "no such jail: ${jail}"
 jail::running "$jail" || die "jail not running: ${jail}"
 
- jail::exec "$jail" /bin/csh
+ jail::exec "$jail" /bin/sh
 }
 
 cmd::show(){
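Review bot: `cmd::reprovision` now reads `refquota` from the existing `os` dataset, but jails created before this change were limited with `quota`, so for them `zfs get -Hp refquota` yields `0` (unset) and the re-clone is created with `-o refquota=0` while the old `quota` vanishes with the destroyed dataset — a legacy jail leaves reprovisioning with no size limit at all. Fall back to the old property when the new one is unset, e.g. `[ "$old_quota" != 0 ] || old_quota=$(zfs get -Hp -o value quota "${JAIL_DATASET}/${jail}/os")`, or migrate existing jails explicitly before deploying this. A comment that `refquota` excludes snapshots and child datasets, so snapshot growth is no longer bounded by the per-jail limit, would also help whoever sizes the pool.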
@@ -857,7 +857,7 @@ cmd::show(){
 printf -- '------------------------- JAIL CONFIGURATION -------------------------\n'
 cat "${JAIL_HOME}/${jail}/jail.conf"
 printf -- '\n---------------------------- ZFS DATASET -----------------------------\n'
- zfs list -o name,quota,used,avail,mountpoint -S name \
+ zfs list -o name,refquota,used,avail,mountpoint -S name \
 "${JAIL_DATASET}/${jail}/os" \
 "${JAIL_DATASET}/${jail}/data"
 }
@@ -878,7 +878,7 @@ cmd::status(){
 printf -- '---------------------------- JAIL STATUS -----------------------------\n'
 jls -j "$jail" -h jid name path osrelease host.hostname 2>/dev/null | column -t
 printf -- '\n---------------------------- ZFS DATASET -----------------------------\n'
- zfs list -o name,quota,used,avail,mountpoint -S name \
+ zfs list -o name,refquota,used,avail,mountpoint -S name \
 "${JAIL_DATASET}/${jail}/os" \
 "${JAIL_DATASET}/${jail}/data" \
 | sed "s|^${JAIL_DATASET}/${jail}/||" \
diff --git a/files/usr/local/share/applications/gajim.desktop.desktop b/files/usr/local/share/applications/gajim.desktop.desktop
new file mode 100644
index 0000000..ef5a3c9
--- /dev/null
+++ b/files/usr/local/share/applications/gajim.desktop.desktop
@@ -0,0 +1,20 @@
+[Desktop Entry]
+Categories=Network;InstantMessaging;GTK;Chat;
+Name=Gajim
+GenericName=XMPP Chat Client
+Comment=A fully-featured XMPP chat client
+Keywords=chat;messaging;im;xmpp;voip;
+Exec=gajim %u
+Icon=org.gajim.Gajim
+StartupNotify=false
+X-GNOME-SingleWindow=true
+X-GNOME-UsesNotifications=true
+Terminal=false
+Type=Application
+MimeType=x-scheme-handler/xmpp;
+Actions=StartChat;
+
+[Desktop Action StartChat]
+Exec=gajim --start-chat
+Name=Start a new chat
+Icon=org.gajim.Gajim
diff --git a/files/usr/local/share/applications/gajim.desktop.laptop b/files/usr/local/share/applications/gajim.desktop.laptop
new file mode 120000
index 0000000..f1edc09
--- /dev/null
+++ b/files/usr/local/share/applications/gajim.desktop.laptop
@@ -0,0 +1 @@
+gajim.desktop.desktop
\ No newline at end of file diff --git a/files/usr/local/share/applications/gajim.desktop.roadwarrior_laptop b/files/usr/local/share/applications/gajim.desktop.roadwarrior_laptop new file mode 120000 index 0000000..f1edc09 --- /dev/null +++ b/files/usr/local/share/applications/gajim.desktop.roadwarrior_laptop @@ -0,0 +1 @@ +gajim.desktop.desktop
\ No newline at end of file @@ -5,7 +5,7 @@ set -eu PROGNAME=pki -USAGE="<init|cert|client-cert|renew>" +USAGE="<init|cert|client-cert|renew|pkcs12|show>" BOXCONF_ROOT=$(dirname "$(readlink -f "$0")") BOXCONF_CA_PASSWORD_FILE="${BOXCONF_ROOT}/.ca_password" @@ -342,6 +342,36 @@ pki_renew(){ _pki_renew "${1}/${2}" "${days:-}" } +pki_pkcs12(){ + # Generate a pkcs12 bundle. + USAGE='pkcs12 HOSTNAME CERTNAME PATH' + [ $# -eq 3 ] || usage + + [ -f "${BOXCONF_CA_DIR}/${1}/${2}.crt" ] || die "certificate does not exist: ${1}/${2}.crt" + [ -f "${BOXCONF_CA_DIR}/${1}/${2}.key" ] || die "key does not exist: ${1}/${2}.key" + + _boxconf_get_vault_password + + PASS="$BOXCONF_VAULT_PASSWORD" openssl pkcs12 -legacy -export \ + -out "$3" \ + -inkey "${BOXCONF_CA_DIR}/${1}/${2}.key" \ + -in "${BOXCONF_CA_DIR}/${1}/${2}.crt" \ + -name "$2" \ + -passin env:PASS +} + +pki_show(){ + # Show a certificate and decrypted private key. + USAGE='show HOSTNAME CERTNAME' + [ -f "${BOXCONF_CA_DIR}/${1}/${2}.crt" ] || die "certificate does not exist: ${1}/${2}.crt" + [ -f "${BOXCONF_CA_DIR}/${1}/${2}.key" ] || die "key does not exist: ${1}/${2}.key" + + _boxconf_get_vault_password + + cat "${BOXCONF_CA_DIR}/${1}/${2}.crt" + _boxconf_decrypt_key "${BOXCONF_CA_DIR}/${1}/${2}.key" +} + [ $# -ge 1 ] || usage action=$1; shift @@ -354,5 +384,7 @@ case $action in server-cert|server|cert) pki_server "$@" ;; client-cert|client) pki_client "$@" ;; renew) pki_renew "$@" ;; + pkcs12) pki_pkcs12 "$@" ;; + show) pki_show "$@" ;; *) usage ;; esac diff --git a/scripts/hostclass/asterisk_server b/scripts/hostclass/asterisk_server index dcd2675..30699d8 100644 --- a/scripts/hostclass/asterisk_server +++ b/scripts/hostclass/asterisk_server 
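Review bot: `pki_show` assigns `USAGE` but never validates the argument count, unlike `pki_pkcs12`'s `[ $# -eq 3 ] || usage`; under the file's `set -eu` a missing `$2` dies with a shell parameter error instead of the usage text, so add `[ $# -eq 2 ] || usage` right after the `USAGE=` line. In `pki_pkcs12`, `-legacy` selects the old RC2-40/3DES PKCS#12 algorithms for the export password rather than OpenSSL's AES/PBKDF2 defaults, and `-out "$3"` inherits the caller's umask, so a bundle that contains a private key may be created world-readable; unless a named importer requires `-legacy`, drop it (or document the consumer), and wrap the export as `(umask 077; PASS="$BOXCONF_VAULT_PASSWORD" openssl pkcs12 ...)`. `pki_show` prints the decrypted key to stdout by design, which deserves a comment warning that the output lands in terminal scrollback and any session logging.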
@@ -34,6 +34,8 @@ asterisk_public_tls_cert="${acme_cert_dir}/asterisk.crt" asterisk_public_tls_key="${acme_cert_dir}/asterisk.key" asterisk_conf_dir=/usr/local/etc/asterisk +asterisk_sound_dir=/usr/local/share/asterisk/sounds/en +asterisk_g722_tarball=https://downloads.asterisk.org/pub/telephony/sounds/asterisk-core-sounds-en-g722-current.tar.gz asterisk_db_dir=/var/db/asterisk asterisk_user=asterisk @@ -50,6 +52,11 @@ zfs set \ "${state_dataset}/asterisk" install_directory -o "$asterisk_user" -g "$asterisk_user" -m 0755 "$asterisk_db_dir" +# Download G722 sounds. +if ! [ -f "${asterisk_sound_dir}/hello-world.g722" ]; then + curl -fL "$asterisk_g722_tarball" | tar xf - -C "$asterisk_sound_dir" +fi + # Generate asterisk configuration. install_file -m 0644 \ "${asterisk_conf_dir}/extensions.conf" \ diff --git a/scripts/hostclass/bitwarden_server b/scripts/hostclass/bitwarden_server index ff67c3e..f300b0d 100644 --- a/scripts/hostclass/bitwarden_server +++ b/scripts/hostclass/bitwarden_server @@ -15,6 +15,7 @@ vaultwarden_client_keytab="${keytab_dir}/vaultwarden.client.keytab" pkg install -y \ vaultwarden \ + ca_root_nss \ nginx # Create vaultwarden principal and keytab. diff --git a/scripts/hostclass/dav_server b/scripts/hostclass/dav_server index a69c072..e39b08c 100644 --- a/scripts/hostclass/dav_server +++ b/scripts/hostclass/dav_server @@ -9,6 +9,7 @@ : ${davical_branch:='master'} : ${davical_awl_repo:='https://gitlab.com/davical-project/awl.git'} : ${davical_awl_branch:='master'} +: ${davical_admins:=''} davical_dn="uid=${davical_username},${robots_basedn}" davical_repo_dir=/usr/local/www/davical 
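Review bot: `curl -fL "$asterisk_g722_tarball" | tar xf - -C "$asterisk_sound_dir"` unpacks a network-fetched archive as root with no integrity check, and because the pipeline's exit status is tar's, a failed or truncated download is only caught if `set -o pipefail` is in effect, which is not visible here. Download to a temporary file first, verify it against the checksum the Asterisk download site publishes next to the tarball if one is available, and extract only afterwards; `-current` is also a moving target, so pin a version if provisioning is meant to be reproducible.
```sh
# Download G722 sounds.
if ! [ -f "${asterisk_sound_dir}/hello-world.g722" ]; then
  tmp=$(mktemp)
  curl -fsSL -o "$tmp" "$asterisk_g722_tarball"
  # TODO(review): verify "$tmp" against the published checksum before unpacking.
  tar xf "$tmp" -C "$asterisk_sound_dir"
  rm -f "$tmp"
fi
```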
@@ -105,6 +106,17 @@ if ! davical_psql -c 'SELECT 1 FROM awl_db_revision'; then davical_psql -c "delete from usr where username = 'admin'" fi +if [ -n "$davical_admins" ]; then + # Note: This won't work until each admin in $davical_admins has logged in + # at least once. + davical_psql -c \ + "INSERT INTO role_member (user_no, role_no) + SELECT user_no, (SELECT role_no FROM roles WHERE role_name = 'Admin') + FROM usr + WHERE username in ('$(join "','" $davical_admins)') + ON CONFLICT DO NOTHING" +fi + # Copy TLS certificate for nginx. install_certificate nginx "$davical_https_cert" install_certificate_key nginx "$davical_https_key" diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop index bddce05..629ebc0 100644 --- a/scripts/hostclass/desktop +++ b/scripts/hostclass/desktop @@ -27,13 +27,14 @@ set_loader_conf \ linux_load=YES \ linux64_load=YES +# Enable FUSE. +set_loader_conf fusefs_load=YES + # Install packages common to all DEs. pkg install -y $desktop_common_packages -# Install scripts for creating local (non-NFS) home directories. -install_file -m 0555 \ - /usr/local/libexec/pam-create-local-homedir \ - /etc/profile.d/local-homedir.sh +# Install profile script for improving experience on NFS homedirs. +install_file -m 0555 /etc/profile.d/local-homedir.sh # Create ZFS dataset for local homedirs. create_dataset -o mountpoint=/usr/local/home "${state_dataset}/home" @@ -66,6 +67,9 @@ service webcamd status || service webcamd start install_file -m 0644 /usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop install_file -m 0555 /usr/local/libexec/nss-trust-root-ca +# Install gajim desktop file. +install_file -m 0644 /usr/local/share/applications/gajim.desktop + case $desktop_type in i3) pkg install -y $desktop_i3_packages 
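Review bot: The `INSERT INTO role_member ...` statement splices `$davical_admins` into SQL through `'$(join "','" $davical_admins)'`; the values are operator configuration, so this is a robustness rather than an injection concern, but a username containing a quote breaks provisioning with an opaque psql error, and word-splitting means names cannot contain whitespace. If `davical_psql` forwards options, passing the list as a psql variable and matching with `WHERE username = ANY(string_to_array(:'admins', ' '))` removes the quoting problem; otherwise state the constraint in the existing comment, e.g. `# usernames are interpolated into SQL: no quotes or whitespace allowed`. It is also worth noting there that the statement is idempotent thanks to `ON CONFLICT DO NOTHING`, since the block runs on every provisioning pass.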
@@ -97,6 +101,11 @@ case $desktop_type in
 /usr/local/etc/xdg/plasma-workspace/shutdown
 install_file -m 0555 /usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh
+ # Disable user switching
+ # Broken with consolekit: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221452
+ # VT switch causes loss of graphics acceleration: https://github.com/freebsd/drm-kmod/issues/175
+ install_file -m 0644 /usr/local/etc/xdg/kdeglobals
+
 # Enable sddm.
 sysrc -v sddm_enable=YES
 ;;
diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm
index eadd621..260e52b 100644
--- a/scripts/hostclass/idm_server/90-idm
+++ b/scripts/hostclass/idm_server/90-idm
@@ -68,11 +68,12 @@ pkg install -y \
 pam_mkhomedir
 # Configure PAM/NSS integration.
+install_template -m 0644 \
+ /etc/pam.d/login \
+ /etc/pam.d/sshd
 install_file -m 0644 \
 /etc/nsswitch.conf \
 /etc/pam.d/system \
- /etc/pam.d/login \
- /etc/pam.d/sshd \
 /etc/pam.d/sudo \
 /etc/pam.d/su \
 /etc/pam.d/other
diff --git a/scripts/hostclass/nfs_server/10-nfs b/scripts/hostclass/nfs_server/10-nfs
index a775859..6ab8436 100644
--- a/scripts/hostclass/nfs_server/10-nfs
+++ b/scripts/hostclass/nfs_server/10-nfs
@@ -48,3 +48,4 @@ install_template -m 0644 /etc/exports
 for service in gssd nfsuserd mountd nfsd; do
 service "$service" status || service "$service" start
 done
+service mountd reload
diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository
index 7044f96..86e6b2c 100644
--- a/scripts/hostclass/pkg_repository
+++ b/scripts/hostclass/pkg_repository
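Review bot: In the 90-idm hunk, /etc/pam.d/login and /etc/pam.d/sshd move from install_file to install_template, so two authentication stacks are now produced by variable substitution; an unset or mistyped variable in either template renders as empty and alters the PAM stack with no error surfacing at this call site (how install_template treats undefined variables is not visible in this diff). The same switch is made in scripts/os/freebsd/50-idm, so the two variable sets have to stay in sync by hand. I would add a comment above the install_template call, e.g. `# login/sshd are templates (see also os/freebsd/50-idm); an undefined variable silently weakens the stack.`, and, if install_template does not already do so, make it fail on undefined variables. The `service mountd reload` added in 10-nfs now runs on every pass even when /etc/exports is unchanged, which is harmless but worth a word in its comment.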
@@ -83,9 +83,11 @@ for version in $poudriere_versions; do
 abi="FreeBSD:${version%%.*}:$(uname -p)"
 [ -d "${poudriere_data_dir}/jails/${jail}" ] || poudriere jail -c -j "$jail" -v "$version"
- poudriere jail -u -j "$jail"
- poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm
- poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest
+ poudriere jail -u -j "$jail"
+ poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm
+ poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm -y
+ poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest
+ poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest -y
 install_directory -m 0755 "${poudriere_data_dir}/data/packages/${abi}"
 ln -snfv "../${jail}-latest" "${poudriere_data_dir}/data/packages/${abi}/latest"
@@ -102,7 +104,7 @@ install_directory -m 0555 "${poudriere_data_dir}/data/packages/poudriere"
 # Create cron job to update packages automatically.
 install_file -m 0555 /usr/local/libexec/poudriere-cron
-install_file -m 0644 /etc/cron.d/poudriere
+install_template -m 0644 /etc/cron.d/poudriere
 # Now that we have a valid repo, switch the pkg repo to the local filesystem.
 install_directory -m 0755 \
diff --git a/scripts/hostclass/public_webserver b/scripts/hostclass/public_webserver
index 3877313..e92149f 100644
--- a/scripts/hostclass/public_webserver
+++ b/scripts/hostclass/public_webserver
@@ -20,8 +20,8 @@ zfs set \
 "${state_dataset}/vhosts"
 # Configure nginx.
-install_template -m 0644 /usr/local/etc/nginx/nginx.conf
-install -Cv -m 0644 /dev/null /usr/local/etc/nginx/vhosts.conf
+install_template -m 0644 "${nginx_conf_dir}/nginx.conf"
+[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf"
 sysrc -v nginx_enable=YES
 service nginx restart
@@ -37,7 +37,7 @@ for certname in $acme_certs; do
 done
 # Now that we have the ACME certs, add the vhosts.
-install_template -m 0644 /usr/local/etc/nginx/vhosts.conf
+install_template -m 0644 "${nginx_conf_dir}/vhosts.conf"
 service nginx restart
 # If any acmeproxy_domains were specified, setup the SFTP proxy.
diff --git a/scripts/hostclass/smtp_server/20-postfix b/scripts/hostclass/smtp_server/20-postfix
index 68ac474..795e574 100644
--- a/scripts/hostclass/smtp_server/20-postfix
+++ b/scripts/hostclass/smtp_server/20-postfix
@@ -38,10 +38,10 @@ ln -snfv "$postfix_keytab" "/var/krb5/user/${postfix_uid}/client.keytab"
 # Generate postfix configuration.
 install_template -m 0644 \
 "${postfix_conf_dir}/main.cf" \
+ "${postfix_conf_dir}/master.cf" \
 "${postfix_conf_dir}/virtual_mailboxes.cf" \
 "${postfix_conf_dir}/virtual_aliases.cf" \
 /usr/local/lib/sasl2/smtpd.conf
-install_file -m 0644 "${postfix_conf_dir}/master.cf"
 # Allow postfix to read the saslauthd socket.
 install_directory -m 0750 -o "$saslauthd_user" -g "$postfix_user" "$saslauthd_runtime_dir"
@@ -54,10 +54,9 @@ if [ "$postfix_public_fqdn" != "$fqdn" ]; then
 # Acquire public TLS certificate.
 install_template -m 0600 /usr/local/etc/sudoers.d/acme
 acme_install_certificate \
- -c "$postfix_public_tls_cert" \
- -k "$postfix_public_tls_key" \
 -g "$postfix_user" \
 -r 'sudo service postfix reload' \
+ postfix \
 "$postfix_public_fqdn"
 fi
diff --git a/scripts/hostclass/unifi_controller b/scripts/hostclass/unifi_controller
index 9fd161e..96558e1 100644
--- a/scripts/hostclass/unifi_controller
+++ b/scripts/hostclass/unifi_controller
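Review bot: The postfix call to acme_install_certificate drops the explicit `-c`/`-k` paths in favour of the name `postfix`, so the helper now decides where the certificate and key are written, while postfix_public_tls_cert/postfix_public_tls_key (still defined, presumably, and referenced from the main.cf template that is out of view) are no longer tied to what the helper produces. If the helper's derived paths differ from what main.cf points at, smtpd keeps serving whatever sits at the old paths after a renewal and nothing in this script notices. Worth confirming the helper writes `${acme_cert_dir}/postfix.crt` and `.key` and that main.cf uses exactly those, then stating it at the call site: `# Writes ${acme_cert_dir}/postfix.{crt,key}; main.cf must reference the same paths.` The enclosing `if [ "$postfix_public_fqdn" != "$fqdn" ]` starts outside the hunk.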
@@ -33,6 +33,10 @@ service unifi status && service unifi stop
 [ -f "${unifi_home}/data/keystore" ] || install -Cv -o "$unifi_user" -g "$unifi_user" -m 0600 /dev/null "${unifi_home}/data/keystore"
 su -m "$unifi_user" -c "java -jar ${unifi_home}/lib/ace.jar import_key_cert ${unifi_https_key} ${unifi_https_cert} ${site_cacert_path}"
+# Add root CA to java keystore.
+keytool -list -cacerts -storepass changeit -alias "$site" \
+ || keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias "$site" -file "$site_cacert_path"
+
 # Disable analytics.
 install_directory -m 0640 -o "$unifi_user" -g "$unifi_user" \
 "${unifi_home}/data/sites" \
diff --git a/scripts/hostclass/xmpp_server b/scripts/hostclass/xmpp_server
index 1889447..667014f 100644
--- a/scripts/hostclass/xmpp_server
+++ b/scripts/hostclass/xmpp_server
@@ -7,7 +7,7 @@
 : ${prosody_admins:=''}
 : ${prosody_public_fqdn:="$fqdn"}
 : ${prosody_domains:="$email_domain"}
-: ${prosody_ldap_passwd:='changeme'}
+: ${prosody_ldap_password:='changeme'}
 : ${prosody_dbname:='prosody'}
 : ${prosody_dbhost:="$postgres_host"}
 : ${prosody_access_role:='xmpp-access'}
@@ -24,10 +24,11 @@ prosody_dn="uid=${prosody_username},${robots_basedn}"
 prosody_local_user=prosody
 prosody_conf_dir=/usr/local/etc/prosody
 prosody_certs_dir="${prosody_conf_dir}/certs"
-prosody_keytab="${keytab_dir}/prosody.keytab"
+prosody_keytab="${keytab_dir}/prosody.client.keytab"
 prosody_roster_path="${prosody_conf_dir}/roster.ini"
 prosody_http_port=8080
-prosody_upload_dir=/var/db/prosody/http_upload
+prosody_db_dir=/var/db/prosody
+prosody_upload_dir="${prosody_db_dir}/http_upload"
 prosody_https_cacert="${acme_cert_dir}/nginx.ca.crt"
 prosody_https_cert="${acme_cert_dir}/nginx.crt"
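Review bot: The keytool import is gated only on the alias `$site` already being present in the JDK cacerts store, so a re-issued or rotated site CA is never imported while the stale one stays trusted, and the step never converges on hosts set up before a rotation. The store is also written with the well-known default password `changeit` into the JDK's own cacerts file, which a JDK package upgrade may replace and thereby silently drop the trust (not verifiable from this diff). To make the step idempotent, delete then import unconditionally: `keytool -delete -cacerts -storepass changeit -alias "$site" >/dev/null 2>&1 || true` followed by the existing `keytool -import ...` line without the `-list` guard. If the JDK store does get replaced on upgrade, a unifi-specific truststore under `${unifi_home}` with the JVM pointed at it would be sturdier.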
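Review bot: The renamed `prosody_ldap_password` keeps `changeme` as its default, so a host whose vars file omits the value binds to LDAP with a guessable, repository-visible password and the run still succeeds. Prefer failing fast when it is not supplied, `: ${prosody_ldap_password:?prosody_ldap_password must be set}`, or at minimum emit a warning when the default is in use. Only the default is visible here; the places that consume the value are outside this hunk.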
@@ -42,10 +43,8 @@ pkg install -y \
 nginx
 # Create ZFS dataset for HTTP upload files.
-create_dataset -o "mountpoint=${prosody_upload_dir}" "${state_dataset}/http_upload"
-
-# Set ownership on http_upload directory.
-install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_upload_dir"
+create_dataset -o "mountpoint=${prosody_db_dir}" "${state_dataset}/prosody"
+install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_db_dir"
 # Create prosody user private group.
 ldap_add "cn=${prosody_username},${private_groups_basedn}" <<EOF
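Review bot: The dataset moves from `${state_dataset}/http_upload` mounted at the upload directory to `${state_dataset}/prosody` mounted at /var/db/prosody, but nothing renames or retires the old dataset; on an already-deployed host it still exists with `mountpoint=/var/db/prosody/http_upload`, will mount inside (or collide with) the new dataset, and holds the existing uploads. A migration step such as checking `zfs list "${state_dataset}/http_upload"` and, if present, `zfs rename` it to `${state_dataset}/prosody/http_upload` with its mountpoint set to inherit would keep the data; how create_dataset behaves when the target already exists is not visible here. The explicit ownership step for the upload subdirectory is also gone, so Prosody must now create it itself under the 0750 parent, which mod_http_upload presumably does but is worth confirming on a fresh host.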
@@ -98,27 +97,28 @@ install_template -o root -g "$prosody_local_user" -m 0640 /usr/local/etc/prosody
 # Configure automatic roster.
 install_file -m 0555 /usr/local/libexec/prosody-update-roster
 install -Cv -m 0640 -o "$prosody_local_user" -g "$prosody_local_user" /dev/null "${prosody_conf_dir}/roster.ini"
-su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} > ${prosody_roster_path}"
+su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} ${prosody_roster_path}"
 # Copy prosody crontab.
 install_template -m 0644 /etc/cron.d/prosody
 # Configure nginx.
-install_template -m 0644 /usr/local/etc/nginx/nginx.conf
+install_template -m 0644 "${nginx_conf_dir}/nginx.conf"
+[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf"
 sysrc -v nginx_enable=YES
 service nginx restart
+# Retrieve webserver certificate via ACME.
 install_template -m 0600 /usr/local/etc/sudoers.d/acme
 acme_install_certificate \
- -C "$prosody_https_cacert" \
- -c "$prosody_https_cert" \
- -k "$prosody_https_key" \
 -g "$nginx_user" \
 -r 'sudo service nginx reload' \
+ nginx \
 "$prosody_public_fqdn"
-# Now that we have the ACME certs, add the nginx vhost.
-install_template -m 0644 /usr/local/etc/nginx/vhosts.conf
+# Now that we have the ACME certs, add the vhosts.
+install_template -m 0644 "${nginx_conf_dir}/vhosts.conf"
+service nginx restart
 # Enable and start daemons.
 sysrc -v prosody_enable=YES
diff --git a/scripts/hostname/desktop2 b/scripts/hostname/desktop2
new file mode 100644
index 0000000..0e6e551
--- /dev/null
+++ b/scripts/hostname/desktop2
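Review bot: prosody-update-roster now receives the output path as an argument instead of having its stdout redirected inside the `su -c` string, which is cleaner, but whether the script writes that file atomically is not visible here; if it opens `${prosody_roster_path}` directly, a failure mid-run leaves Prosody with a truncated roster.ini, and the daily job in files/etc/cron.d/prosody repeats the same risk. Writing to `${prosody_roster_path}.tmp` and `mv -f` into place inside the script is the usual fix, and a comment here such as `# Script writes the roster atomically; see prosody-update-roster.` would record the expectation. Separately, the unchanged `install -Cv ... /dev/null roster.ini` just above still runs on every pass and, when install -C judges the contents different, truncates an existing roster before it is regenerated; the `[ -f ... ] ||` guard this hunk introduces for vhosts.conf would fit there too.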
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# This desktop has USB speakers and webcam USB microphone, so sndio can't
+# use both at the same time. This creates a virtual device combining both
+# of them into one virutal sound card.
+#
+# Because the virtual soundcard is installed to /dev/dsp, it will
+# automatically be used as the default.
+
+playback_device=1
+recording_device=0
+samplerate=48000
+bits=16
+buffer_ms=25
+microphone_gain=50
+
+pkg install -y virtual_oss
+sysrc -v \
+ virtual_oss_enable=YES \
+ virtual_oss_dsp="-T /dev/sndstat -C 2 -c 2 -S -r ${samplerate} -b ${bits} -s ${buffer_ms}ms -O /dev/dsp${playback_device} -R /dev/dsp${recording_device} -d dsp -t vsdp.ctl"
+service virtual_oss restart
+
+set_loader_conf "hint.pcm.${recording_device}.mic=${microphone_gain}"
+set_loader_conf "hint.pcm.${playback_device}.pcm=100"
diff --git a/scripts/hostname/nfs1/10-homedirs b/scripts/hostname/nfs1/10-homedirs
index 3a6d923..db0c1e0 100644
--- a/scripts/hostname/nfs1/10-homedirs
+++ b/scripts/hostname/nfs1/10-homedirs
@@ -1,8 +1,12 @@
 #!/bin/sh
-default_priv_quota=250G
+default_priv_quota=50G
 default_pub_quota=10G
+# Format: username:privquota:pubquota. For example:
+# nfs_homedirs='joe:250G:10G jane:250G'
+# nfs_groupdirs='sysadmins:250G doefamily:100G:10G'
+
 # Create user home directories.
 for userquota in ${nfs_homedirs:-}; do
 user=$(echo "$userquota" | awk -F: '{print $1}')
diff --git a/scripts/hostname/nfs1/20-shares b/scripts/hostname/nfs1/20-shares
index beb3b11..0dd6ddb 100644
--- a/scripts/hostname/nfs1/20-shares
+++ b/scripts/hostname/nfs1/20-shares
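Review bot: The header comment has a typo, `virutal` should read `virtual`, and the two `set_loader_conf hint.pcm...` lines at the end take effect only on the next boot (assuming set_loader_conf edits /boot/loader.conf), while `service virtual_oss restart` just above applies immediately, so after a first run the microphone gain and playback level stay at kernel defaults until reboot. A one-line note would spare the next person a debugging session: `# Loader hints apply at next boot; mixer levels are unchanged until then.` The device numbers in playback_device/recording_device are hard-coded for this host, which the filename makes clear, but a comment saying they come from `cat /dev/sndstat` would document how to re-derive them.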
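Review bot: default_priv_quota drops from 250G to 50G, and if the loop whose body continues outside this hunk re-applies the default quota to existing home datasets on each run, users already above 50G will abruptly be unable to write. Before rollout that needs either a one-off check of current usage against the new default or explicit per-user entries in nfs_homedirs, and the change deserves a comment stating that it applies to existing datasets if it does. The new format comment is helpful; it should also say the third field is optional and what an omitted field falls back to, presumably default_pub_quota.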
@@ -1,16 +1,22 @@
 #!/bin/sh
-# media/music
-create_dataset -p "${nfs_dataset}/media/music"
-zfs set \
- compression=off \
- com.sun:auto-snapshot:daily=true \
- com.sun:auto-snapshot:weekly=true \
- "${nfs_dataset}/media/music"
-chgrp media-admin "${nfs_root}/media/music"
-chmod 2770 "${nfs_root}/media/music"
-set_facl "${nfs_root}/media/music" \
- group:media-admin:rwpDdaARWcs:fd:allow \
- group:media-admin:x:d: allow \
- group:media-access:raRcs:fd:allow \
- group:media-access:x:d:allow
+media_access_group='media-access'
+media_admin_group='media-admin'
+media_shares='music shows movies audiobooks roms books scores isos'
+
+# media shares
+for share in $media_shares; do
+ create_dataset -p "${nfs_dataset}/media/${share}"
+ zfs set \
+ compression=off \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${nfs_dataset}/media/${share}"
+ chgrp "$media_admin_group" "${nfs_root}/media/${share}"
+ chmod 2770 "${nfs_root}/media/${share}"
+ set_facl "${nfs_root}/media/${share}" \
+ "group:${media_admin_group}:rwpDdaARWcs:fd:allow" \
+ "group:${media_admin_group}:x:d:allow" \
+ "group:${media_access_group}:raRcs:fd:allow" \
+ "group:${media_access_group}:x:d:allow"
+done
diff --git a/scripts/hostname/nfs1/30-autofs b/scripts/hostname/nfs1/30-autofs
index fe3a468..a7153d4 100644
--- a/scripts/hostname/nfs1/30-autofs
+++ b/scripts/hostname/nfs1/30-autofs
@@ -72,9 +72,11 @@ automountKey: /nfs/media
 automountInformation: auto_media ${nfs_mount_opts}
 EOF
-# auto_media: music
-ldap_add "automountKey=music,automountMapName=auto_media,${automount_basedn}" <<EOF
+# auto_media: music, movies, etc
+for share in $media_shares; do
+ldap_add "automountKey=${share},automountMapName=auto_media,${automount_basedn}" <<EOF
 objectClass: automount
-automountKey: music
-automountInformation: ${fqdn}:/media/music
+automountKey: ${share}
+automountInformation: ${fqdn}:/media/${share}
 EOF
+done
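Review bot: The 30-autofs loop iterates `$media_shares`, which is assigned only in 20-shares; that works if the hostname scripts are sourced in sequence into one shell, but if 30-autofs is ever run on its own the variable is empty, the loop runs zero times and no automount entries are created, silently, since an empty list is not an error. Either move `media_shares=...` (and the two group names) into vars/hostname/nfs1 where both scripts see it, or guard the top of 30-autofs with `: ${media_shares:?media_shares not set}`. The 20-shares side looks right: setgid 2770 and the admin/access ACLs are applied per share exactly as they were for music.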
diff --git a/scripts/os/freebsd/10-bootloader b/scripts/os/freebsd/10-bootloader
index 3209927..a5c8908 100644
--- a/scripts/os/freebsd/10-bootloader
+++ b/scripts/os/freebsd/10-bootloader
@@ -11,7 +11,7 @@ install_file -m 0644 /etc/ttys
 kill -HUP 1
 set_loader_conf \
- autoboot_delay=1 \
+ autoboot_delay=3 \
 beastie_disable=YES \
 cc_htcp_load=YES \
 kern.geom.label.disk_ident.enable=0 \
diff --git a/scripts/os/freebsd/50-idm b/scripts/os/freebsd/50-idm
index 1585c6f..1e5e877 100644
--- a/scripts/os/freebsd/50-idm
+++ b/scripts/os/freebsd/50-idm
@@ -18,12 +18,16 @@ pkg install -y \
 p5-Authen-SASL \
 pam_mkhomedir
+# Script to create /usr/local/home/${USER} on login.
+install_file -m 0555 /usr/local/libexec/pam-create-local-homedir
+
 # Configure PAM/NSS integration.
+install_template -m 0644 \
+ /etc/pam.d/login \
+ /etc/pam.d/sshd
 install_file -m 0644 \
 /etc/nsswitch.conf \
 /etc/pam.d/system \
- /etc/pam.d/login \
- /etc/pam.d/sshd \
 /etc/pam.d/sudo \
 /etc/pam.d/su \
 /etc/pam.d/other
diff --git a/scripts/os/freebsd/80-microcode b/scripts/os/freebsd/80-microcode
index f9e213e..0d2a910 100644
--- a/scripts/os/freebsd/80-microcode
+++ b/scripts/os/freebsd/80-microcode
@@ -7,8 +7,12 @@ if [ "$BOXCONF_VIRTUALIZATION_TYPE" != none ]; then
 return
 fi
-pkg install -y cpu-microcode
+if [ "${enable_microcode_updates:-}" = false ]; then
+ set_loader_conf cpu_microcode_load=NO
+else
+ pkg install -y cpu-microcode
-set_loader_conf \
- cpu_microcode_load=YES \
- cpu_microcode_name="/boot/firmware/${microcode_name}"
+ set_loader_conf \
+ cpu_microcode_load=YES \
+ cpu_microcode_name="/boot/firmware/${microcode_name}"
+fi
diff --git a/vars/hostclass/desktop b/vars/hostclass/desktop
index e92a8ac..0b5e8f5 100644
--- a/vars/hostclass/desktop
+++ b/vars/hostclass/desktop
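Review bot: `enable_microcode_updates=false` leaves the CPU on its shipped microcode, and on x86 a large part of the speculative-execution mitigations the kernel can enable depends on microcode features, so a host with this set runs with reduced mitigations; the hunk records none of that, and the `= false` test matches only that literal string, so `no` or `0` silently keeps updates enabled. I would document the trade-off above the `if`: `# enable_microcode_updates=false skips cpu-microcode entirely, and with it the firmware-side` / `# CPU mitigations; set only for hosts that cannot boot with it and revisit after BIOS/OS updates.` When an existing host is flipped from enabled to disabled, cpu_microcode_name stays in loader.conf and the package remains installed; both are harmless with cpu_microcode_load=NO, assuming set_loader_conf only touches the keys it is given, which is not visible here.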
@@ -19,9 +19,17 @@ clear_tmp_enable=false
 # Chromium seems to need this to enable VAAPI video decoding on intel.
 chrome_flags='--enable-features=Vulkan,VulkanFromANGLE,DefaultANGLEVulkan'
+gajim_packages="
+gajim
+py${python_version}-omemo-dr
+farstream
+gsound"
+
 # signal-desktop requires pulseaudio for audio/video chat. SAD!
 desktop_common_packages="
+android-tools
 bind-tools
+ca_root_nss
 cantarell-fonts
 chromium
 droid-fonts-ttf
@@ -62,19 +70,19 @@ wireguard-tools
 xorg"
 desktop_kde_packages="
+android-file-transfer-qt5
 audacious-qt5
 audacious-plugins-qt5
 digikam
-dino
 elisa
-gajim
+${gajim_packages}
 gtksourceview4
 k3b
 kde5
 kid3-kf5
 kmix
 konversation
-py${python_version}-omemo-dr
+en-hunspell
 sddm"
 desktop_i3_packages='
diff --git a/vars/hostclass/xmpp_server b/vars/hostclass/xmpp_server
index 204d1ba..8a3a20c 100644
--- a/vars/hostclass/xmpp_server
+++ b/vars/hostclass/xmpp_server
@@ -1,5 +1,9 @@
 #!/bin/sh
+prosody_c2s_tls_port=5223
+prosody_s2s_tls_port=5270
+
+allowed_tcp_ports="ssh http https xmpp-client xmpp-server ${prosody_c2s_tls_port} ${prosody_s2s_tls_port}"
 acme=true
-allowed_tcp_ports='ssh http https xmpp-client xmpp-server'
 nginx_public=true
+
diff --git a/vars/hostname/alcatraz1 b/vars/hostname/alcatraz1
new file mode 100644
index 0000000..9b7d2ef
--- /dev/null
+++ b/vars/hostname/alcatraz1
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# Causes UEFI exception on boot, "invalid opcode" ???
+enable_microcode_updates=false
diff --git a/vars/hostname/xmpp1 b/vars/hostname/xmpp1
index e094b54..094b4b2 100644
--- a/vars/hostname/xmpp1
+++ b/vars/hostname/xmpp1
@@ -2,4 +2,3 @@
 cnames=xmpp
 prosody_acme_host=www1
-prosody_public_fqdn=xmpp.example.com |
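Review bot: Ports 5223 and 5270 are added to allowed_tcp_ports, but nothing in this diff configures Prosody to serve direct TLS on them (in recent Prosody that is c2s_direct_tls_ports / s2s_direct_tls_ports in prosody.cfg.lua, whose template is out of view); if that side is missing the holes are merely unused, and if it is present the firewall list and the listener set are coupled through two variables that only one side references. A comment tying them together would keep them from drifting: `# Direct-TLS (XEP-0368) ports; must match c2s_direct_tls_ports/s2s_direct_tls_ports in the prosody.cfg.lua template.` The trailing empty line added after nginx_public=true is noise and can go.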
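Review bot: The alcatraz1 comment `Causes UEFI exception on boot, "invalid opcode" ???` records a symptom but not the consequence: with enable_microcode_updates=false this host runs without CPU microcode updates and therefore without the mitigations they carry (see the 80-microcode hunk in this diff). Replace the question marks with what is known and a condition for revisiting, e.g. `# Loading cpu-microcode triggers a UEFI "invalid opcode" exception on this board, so microcode` / `# (and its CPU mitigations) stays disabled here; re-enable once a BIOS update fixes it.`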
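Review bot: Dropping `prosody_public_fqdn=xmpp.example.com` makes xmpp1 fall back to `$fqdn` (the `: ${prosody_public_fqdn:="$fqdn"}` default visible in the scripts/hostclass/xmpp_server hunk), so the ACME certificate and nginx vhost are issued for the host's own name while `cnames=xmpp` still publishes the xmpp alias. Clients that connect to the alias will then be presented a certificate for a different name unless SRV records direct them to the fqdn or the alias is included as a SAN; worth confirming the intended client entry point before this lands, and a one-line comment next to cnames stating which name the certificate covers would prevent the question recurring.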