64 files changed, 256 insertions, 102 deletions
diff --git a/files/etc/cron.d/unbound.idm_server b/files/etc/cron.d/unbound.idm_server
new file mode 100644
index 0000000..56d8809
--- /dev/null
+++ b/files/etc/cron.d/unbound.idm_server
@@ -0,0 +1,2 @@
+MAILTO=root
+@daily ${unbound_user} /usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_url_file} ${unbound_whitelist_file} ${unbound_blocklist_dir}
diff --git a/files/etc/exports.common b/files/etc/exports.nfs_server
index 4ea7fd2..4ea7fd2 100644
--- a/files/etc/exports.common
+++ b/files/etc/exports.nfs_server
diff --git a/files/etc/login.conf.desktop b/files/etc/login.conf.desktop
index 558c80a..919a887 100644
--- a/files/etc/login.conf.desktop
+++ b/files/etc/login.conf.desktop
@@ -2,7 +2,7 @@ default:\\
 :passwd_format=sha512:\\
 :copyright=/etc/COPYRIGHT:\\
 :welcome=/var/run/motd:\\
- :setenv=BLOCKSIZE=K,XDG_DATA_DIRS=/usr/local/override\\c/usr/local/share,XDG_DATA_HOME=/usr/local/home/\$/.local/share,XDG_STATE_HOME=/usr/local/home/\$/.local/state,XDG_CACHE_HOME=/usr/local/home/\$/.cache,XDG_CONFIG_HOME=/usr/local/home/\$/.config,KDEHOME=/usr/local/home/\$/.kde:\\
+ :setenv=BLOCKSIZE=K,XDG_DATA_DIRS=${xdg_override_dir}\\c/usr/local/share,XDG_DATA_HOME=/usr/local/home/\$/.local/share,XDG_STATE_HOME=/usr/local/home/\$/.local/state,XDG_CACHE_HOME=/usr/local/home/\$/.cache,XDG_CONFIG_HOME=/usr/local/home/\$/.config,KDEHOME=/usr/local/home/\$/.kde:\\
 :mail=/var/mail/\$:\\
 :path=/sbin /bin /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin ~/bin:\\
 :nologin=/var/run/nologin:\\
diff --git a/files/etc/pam.d/cups.cups_server b/files/etc/pam.d/cups.cups_server
index b61c074..03c2763 100644
--- a/files/etc/pam.d/cups.cups_server
+++ b/files/etc/pam.d/cups.cups_server
@@ -1,8 +1,6 @@ -# auth -auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass -auth required pam_unix.so no_warn try_first_pass +auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass +auth required pam_unix.so no_warn try_first_pass -# account -account required /usr/local/lib/security/pam_krb5.so -account required pam_login_access.so -account required pam_unix.so +account required /usr/local/lib/security/pam_krb5.so +account required pam_login_access.so +account required pam_unix.so diff --git a/files/etc/pam.d/kde.freebsd b/files/etc/pam.d/kde.freebsd index 2604c78..8f87b98 100644 --- a/files/etc/pam.d/kde.freebsd +++ b/files/etc/pam.d/kde.freebsd @@ -1,2 +1,5 @@ -auth required /usr/local/lib/security/pam_krb5.so try_first_pass -account required /usr/local/lib/security/pam_krb5.so +auth required /usr/local/lib/security/pam_krb5.so try_first_pass + +account required /usr/local/lib/security/pam_krb5.so +account required pam_login_access.so +account required pam_unix.so diff --git a/files/etc/pam.d/login.freebsd b/files/etc/pam.d/login.freebsd new file mode 100644 index 0000000..164fcb0 --- /dev/null +++ b/files/etc/pam.d/login.freebsd @@ -0,0 +1,16 @@ +auth sufficient pam_self.so no_warn +auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass +auth required pam_unix.so no_warn try_first_pass nullok + +account requisite pam_securetty.so +account required pam_nologin.so +account required /usr/local/lib/security/pam_krb5.so +account required pam_login_access.so +account required pam_unix.so + +session required pam_lastlog.so no_fail +session required pam_xdg.so +session required /usr/local/lib/security/pam_krb5.so + +password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass +password required pam_unix.so no_warn try_first_pass diff --git a/files/etc/pam.d/sddm.freebsd b/files/etc/pam.d/sddm.freebsd index ef359ff..6a75823 100644 --- a/files/etc/pam.d/sddm.freebsd +++ b/files/etc/pam.d/sddm.freebsd 
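Review bot: `auth required pam_unix.so no_warn try_first_pass nullok` in the new login.freebsd stack lets a local account with an empty password log in at the console. This matches the stock FreeBSD login file, but here pam_krb5 is already `sufficient` for IdM users, so the pam_unix fallback only has to serve local break-glass accounts, which should not be passwordless; drop the flag: `auth required pam_unix.so no_warn try_first_pass`. None of the other stacks in this commit (sddm, sshd, sudo) carry `nullok`, so removing it also keeps the files consistent.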
@@ -2,15 +2,20 @@ # try multiple authentication sources (like krb5 but fall back to pam_unix) # if we want pam_kwallet5 to execute. # Hence, for sddm, we try krb5 only (no local accounts). -auth required /usr/local/lib/security/pam_krb5.so try_first_pass -auth optional pam_exec.so /usr/local/libexec/pam-create-local-homedir -auth optional pam_kwallet5.so +auth sufficient pam_self.so no_warn +auth required /usr/local/lib/security/pam_krb5.so try_first_pass +auth optional pam_exec.so /usr/local/libexec/pam-create-local-homedir +auth optional pam_kwallet5.so -account required /usr/local/lib/security/pam_krb5.so -account required pam_login_access.so -account required pam_unix.so +account requisite pam_securetty.so +account required pam_nologin.so +account required /usr/local/lib/security/pam_krb5.so +account required pam_login_access.so +account required pam_unix.so -session required pam_lastlog.so no_fail -session optional pam_kwallet5.so auto_start +session required pam_lastlog.so no_fail +session required pam_xdg.so no_fail +session required /usr/local/lib/security/pam_krb5.so +session optional pam_kwallet5.so auto_start -password required /usr/local/lib/security/pam_krb5.so try_first_pass +password required /usr/local/lib/security/pam_krb5.so try_first_pass diff --git a/files/etc/pam.d/sshd.freebsd b/files/etc/pam.d/sshd.freebsd index 57b281b..559a980 100644 --- a/files/etc/pam.d/sshd.freebsd +++ b/files/etc/pam.d/sshd.freebsd 
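Review bot: `auth sufficient pam_self.so no_warn` is now the first auth module in sddm.freebsd, while the comment kept just above it still says sddm tries krb5 only. As far as I recall pam_self succeeds when the requesting user (PAM_RUSER) equals the target user, which is why login(1) ships it; a greeter has no meaningful requesting user, and if the sddm helper ever did set it to the target user the password check and pam_kwallet5 would both be skipped. Unless there is a concrete need for it, drop that line from this stack, or at least replace the stale comment with one that says why pam_self is wanted here. The added pam_securetty/pam_nologin account lines and the pam_xdg/pam_krb5 session lines look consistent with login.freebsd.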
@@ -1,17 +1,13 @@ -# auth -auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass -auth required pam_unix.so no_warn try_first_pass +auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass +auth required pam_unix.so no_warn try_first_pass -# account -account required pam_nologin.so -account required /usr/local/lib/security/pam_krb5.so -account required pam_login_access.so -account required pam_unix.so +account required pam_nologin.so +account required /usr/local/lib/security/pam_krb5.so +account required pam_login_access.so +account required pam_unix.so -# session -session required /usr/local/lib/security/pam_krb5.so -session required pam_permit.so +session required /usr/local/lib/security/pam_krb5.so +session required pam_permit.so -# password password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass password required pam_unix.so no_warn try_first_pass diff --git a/files/etc/pam.d/sudo.freebsd b/files/etc/pam.d/sudo.freebsd index 425bf4e..6a6b0a4 100644 --- a/files/etc/pam.d/sudo.freebsd +++ b/files/etc/pam.d/sudo.freebsd @@ -1,15 +1,11 @@ -# auth -auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass -auth required pam_unix.so no_warn try_first_pass +auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass +auth required pam_unix.so no_warn try_first_pass -# account account required /usr/local/lib/security/pam_krb5.so account required pam_login_access.so account required pam_unix.so -# session account required pam_permit.so -# password password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass password required pam_unix.so no_warn try_first_pass diff --git a/files/etc/profile.d/kde.sh.common b/files/etc/profile.d/kde.sh.desktop index 010d5c1..010d5c1 100644 --- a/files/etc/profile.d/kde.sh.common +++ b/files/etc/profile.d/kde.sh.desktop diff --git a/files/etc/profile.d/kde.sh.laptop b/files/etc/profile.d/kde.sh.laptop new file mode 120000 index 0000000..a248985 --- /dev/null 
+++ b/files/etc/profile.d/kde.sh.laptop @@ -0,0 +1 @@ +kde.sh.desktop
\ No newline at end of file diff --git a/files/etc/profile.d/kde.sh.roadwarrior_laptop b/files/etc/profile.d/kde.sh.roadwarrior_laptop new file mode 120000 index 0000000..a248985 --- /dev/null +++ b/files/etc/profile.d/kde.sh.roadwarrior_laptop @@ -0,0 +1 @@ +kde.sh.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.desktop index d0bb2ae..d0bb2ae 100644 --- a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common +++ b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.desktop diff --git a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.laptop b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.laptop new file mode 120000 index 0000000..6c13c1d --- /dev/null +++ b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.laptop @@ -0,0 +1 @@ +terminus.conf.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.roadwarrior_laptop b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.roadwarrior_laptop new file mode 120000 index 0000000..6c13c1d --- /dev/null +++ b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.roadwarrior_laptop @@ -0,0 +1 @@ +terminus.conf.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.common b/files/usr/local/etc/chromium/policies/managed/policies.json.desktop index 0e57885..93544cf 100644 --- a/files/usr/local/etc/chromium/policies/managed/policies.json.common +++ b/files/usr/local/etc/chromium/policies/managed/policies.json.desktop @@ -67,7 +67,7 @@ "extensions": { "cjpalhdlnbpafiamejdnhcphjbkeiagm": { "toOverwrite": { - "filterLists": [ + "selectedFilterLists": [ "user-filters", "ublock-filters", "ublock-badware", @@ -75,11 +75,14 @@ "ublock-abuse", "ublock-unbreak", "ublock-annoyances", + "ublock-cookies-easylist", + "fanboy-cookiemonster", "easylist", "easyprivacy", "urlhaus-1", "plowe-0", "fanboy-annoyance", + "fanboy-social", "fanboy-thirdparty_social", "adguard-spyware-url", "ublock-quick-fixes" @@ -87,7 +90,7 @@ }, "toAdd": { "trustedSiteDirectives": [ - "${domain}" + "$(join '","' "$domain" $ublock_whitelist)" ] } } diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.laptop b/files/usr/local/etc/chromium/policies/managed/policies.json.laptop new file mode 120000 index 0000000..93bcb92 --- /dev/null +++ b/files/usr/local/etc/chromium/policies/managed/policies.json.laptop @@ -0,0 +1 @@ +policies.json.desktop
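Review bot: `"$(join '","' "$domain" $ublock_whitelist)"` splices the `ublock_whitelist` entries into the policy file through shell substitution with no JSON escaping, so a `"` or `\` in any entry (or an empty element from a stray separator) makes the whole file unparseable. Because trustedSiteDirectives, the filter-list selection and every other managed policy live in the same document, a malformed file silently drops all of them rather than just the whitelist. Consider validating the rendered file in the install step (for example piping it through `python -m json.tool` or `jq .` — the template mechanism itself is not in this diff, so where that fits is an assumption) or restricting entries to hostname characters before templating. The same construct is added to files/usr/local/lib/firefox/distribution/policies.json.desktop.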
\ No newline at end of file diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.roadwarrior_laptop b/files/usr/local/etc/chromium/policies/managed/policies.json.roadwarrior_laptop new file mode 120000 index 0000000..93bcb92 --- /dev/null +++ b/files/usr/local/etc/chromium/policies/managed/policies.json.roadwarrior_laptop @@ -0,0 +1 @@ +policies.json.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/cups/client.conf.desktop b/files/usr/local/etc/cups/client.conf.desktop new file mode 100644 index 0000000..833b533 --- /dev/null +++ b/files/usr/local/etc/cups/client.conf.desktop @@ -0,0 +1,3 @@ +ServerName ${cups_host}.${domain}:631 +Encryption Required +ValidateCerts Yes diff --git a/files/usr/local/etc/cups/client.conf.laptop b/files/usr/local/etc/cups/client.conf.laptop new file mode 120000 index 0000000..9644ac0 --- /dev/null +++ b/files/usr/local/etc/cups/client.conf.laptop @@ -0,0 +1 @@ +client.conf.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/cups/client.conf.roadwarrior_laptop b/files/usr/local/etc/cups/client.conf.roadwarrior_laptop new file mode 120000 index 0000000..9644ac0 --- /dev/null +++ b/files/usr/local/etc/cups/client.conf.roadwarrior_laptop @@ -0,0 +1 @@ +client.conf.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/cups/cupsd.conf.cups_server b/files/usr/local/etc/cups/cupsd.conf.cups_server index 25e2107..e5d90c2 100644 --- a/files/usr/local/etc/cups/cupsd.conf.cups_server +++ b/files/usr/local/etc/cups/cupsd.conf.cups_server @@ -11,7 +11,6 @@ MaxLogSize 1m # Default error policy for printers ErrorPolicy retry-job -# Only listen for connections from the local machine. Listen 80 Listen 631 Listen /var/run/cups/cups.sock @@ -29,9 +28,6 @@ DefaultEncryption Required # Web interface setting... WebInterface Yes -# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l) -IdleExitTimeout 60 - # Restrict access to the server... <Location /> Order allow,deny diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository index bc8f89c..3e612a0 100644 --- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository +++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository @@ -14,6 +14,8 @@ databases_luadbi_SET=PGSQL databases_postgresql${postgresql_version}-client_SET=PAM LDAP databases_postgresql${postgresql_version}-server_SET=PAM LDAP devel_apr1_SET=LDAP +devel_electron30_SET=PULSEAUDIO +devel_electron30_UNSET=SNDIO devel_gitolite_SET=GITUSER devel_kio-extras_UNSET=AFC devel_librelp_UNSET=GNUTLS @@ -40,9 +42,11 @@ mail_mutt_UNSET=HTML mail_postfix_SET=LDAP SASL SASLKRB5 mail_rspamd_SET=HYPERSCAN misc_kdeutils_UNSET=KFLOPPY KTEATIME +multimedia_audacious_plugins_SET=LAME multimedia_ffmpeg_SET=OPENSSL multimedia_ffmpeg_UNSET=GNUTLS multimedia_kdemultimedia_UNSET=KDENLIVE +multimedia_pipewire_UNSET=JACK multimedia_qt6-multimedia_SET=ALSA multimedia_vlc_SET=FLAC MPEG2 X264 X265 VPX DCA FAAD AOM multimedia_webcamd_UNSET=DVB INPUT RADIO diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository index 2740c85..866c358 100644 
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository +++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository @@ -3,6 +3,7 @@ archivers/php${php_version}-phar archivers/php${php_version}-zip archivers/unzip archivers/zip +audio/elisa audio/juk audio/kid3 audio/kmix @@ -19,6 +20,7 @@ databases/postgresql${postgresql_version}-server databases/redis devel/ccache devel/cgit +devel/electron30 devel/git@lite devel/gitolite devel/php${php_version}-gettext @@ -58,9 +60,13 @@ mail/postfix mail/rspamd mail/sieve-connect misc/php${php_version}-calendar -multimedia/audacious +multimedia/audacious-plugins@qt5 +multimedia/audacious@qt5 multimedia/libva-intel-media-driver +multimedia/libva-utils +multimedia/libvdpau-va-gl multimedia/makemkv +multimedia/vdpauinfo multimedia/v4l-utils multimedia/v4l_compat multimedia/webcamd @@ -96,9 +102,11 @@ security/openssh-portable security/pam_krb5@mit security/pam_mkhomedir security/php${php_version}-filter +security/py-omemo-dr security/sshpass security/sudo security/vaultwarden +sysutils/cpu-microcode sysutils/htop sysutils/k3b sysutils/lsof @@ -138,6 +146,7 @@ x11-fonts/terminus-font x11-fonts/terminus-ttf x11-fonts/ubuntu-font x11-fonts/webfonts +x11-toolkits/gtksourceview4 x11/kde5 x11/sddm x11/xev diff --git a/files/usr/local/etc/sddm.conf.common b/files/usr/local/etc/sddm.conf.desktop index 09c2000..09c2000 100644 --- a/files/usr/local/etc/sddm.conf.common +++ b/files/usr/local/etc/sddm.conf.desktop diff --git a/files/usr/local/etc/sddm.conf.laptop b/files/usr/local/etc/sddm.conf.laptop new file mode 120000 index 0000000..a2aa201 --- /dev/null +++ b/files/usr/local/etc/sddm.conf.laptop @@ -0,0 +1 @@ +sddm.conf.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/sddm.conf.roadwarrior_laptop b/files/usr/local/etc/sddm.conf.roadwarrior_laptop new file mode 120000 index 0000000..a2aa201 --- /dev/null +++ b/files/usr/local/etc/sddm.conf.roadwarrior_laptop @@ -0,0 +1 @@ +sddm.conf.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.desktop b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.desktop new file mode 100644 index 0000000..43d85fb --- /dev/null +++ b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.desktop @@ -0,0 +1,6 @@ +[Desktop Entry] +Type=Application +Name=Add site root CA to user NSS database. +Exec=/usr/local/libexec/nss-trust-root-ca +StartupNotify=false +NoDisplay=true diff --git a/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.laptop b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.laptop new file mode 120000 index 0000000..8a3cf1a --- /dev/null +++ b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.laptop @@ -0,0 +1 @@ +nss-trust-root-ca.desktop.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.roadwarrior_laptop b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.roadwarrior_laptop new file mode 120000 index 0000000..8a3cf1a --- /dev/null +++ b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.roadwarrior_laptop @@ -0,0 +1 @@ +nss-trust-root-ca.desktop.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.common b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.common deleted file mode 100644 index 1808561..0000000 --- a/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.common +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh - -pkill signal-desktop chrome baloo_file -pkill -f /usr/local/libexec/geoclue-2.0/demos/agent diff --git a/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.desktop b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.desktop new file mode 100644 index 0000000..3d1e79e --- /dev/null +++ b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.desktop @@ -0,0 +1,7 @@ +#!/bin/sh + +# Various processes seem to hang around after logging out of KDE sessions. +# Clean them up here. + +pkill signal-desktop chrome baloo_file dirmngr +pkill -f /usr/local/libexec/geoclue-2.0/demos/agent diff --git a/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.laptop b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.laptop new file mode 120000 index 0000000..e2cb280 --- /dev/null +++ b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.laptop @@ -0,0 +1 @@ +cleanup.sh.desktop
\ No newline at end of file diff --git a/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.roadwarrior_laptop b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.roadwarrior_laptop new file mode 120000 index 0000000..e2cb280 --- /dev/null +++ b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.roadwarrior_laptop @@ -0,0 +1 @@ +cleanup.sh.desktop
\ No newline at end of file diff --git a/files/usr/local/lib/firefox/distribution/policies.json.common b/files/usr/local/lib/firefox/distribution/policies.json.desktop index 425a6d6..de93355 100644 --- a/files/usr/local/lib/firefox/distribution/policies.json.common +++ b/files/usr/local/lib/firefox/distribution/policies.json.desktop @@ -22,7 +22,7 @@ "Extensions": { "uBlock0@raymondhill.net": { "toOverwrite": { - "filterLists": [ + "selectedFilterLists": [ "user-filters", "ublock-filters", "ublock-badware", @@ -30,11 +30,14 @@ "ublock-abuse", "ublock-unbreak", "ublock-annoyances", + "ublock-cookies-easylist", + "fanboy-cookiemonster", "easylist", "easyprivacy", "urlhaus-1", "plowe-0", "fanboy-annoyance", + "fanboy-social", "fanboy-thirdparty_social", "adguard-spyware-url", "ublock-quick-fixes" @@ -42,7 +45,7 @@ }, "toAdd": { "trustedSiteDirectives": [ - "${domain}" + "$(join '","' "$domain" $ublock_whitelist)" ] } } diff --git a/files/usr/local/lib/firefox/distribution/policies.json.laptop b/files/usr/local/lib/firefox/distribution/policies.json.laptop new file mode 120000 index 0000000..93bcb92 --- /dev/null +++ b/files/usr/local/lib/firefox/distribution/policies.json.laptop @@ -0,0 +1 @@ +policies.json.desktop
\ No newline at end of file diff --git a/files/usr/local/lib/firefox/distribution/policies.json.roadwarrior_laptop b/files/usr/local/lib/firefox/distribution/policies.json.roadwarrior_laptop new file mode 120000 index 0000000..93bcb92 --- /dev/null +++ b/files/usr/local/lib/firefox/distribution/policies.json.roadwarrior_laptop @@ -0,0 +1 @@ +policies.json.desktop
\ No newline at end of file diff --git a/files/usr/local/lib/libreoffice/program/sofficerc.common b/files/usr/local/lib/libreoffice/program/sofficerc.desktop index 77574a4..77574a4 100644 --- a/files/usr/local/lib/libreoffice/program/sofficerc.common +++ b/files/usr/local/lib/libreoffice/program/sofficerc.desktop diff --git a/files/usr/local/lib/libreoffice/program/sofficerc.laptop b/files/usr/local/lib/libreoffice/program/sofficerc.laptop new file mode 120000 index 0000000..0d2b44a --- /dev/null +++ b/files/usr/local/lib/libreoffice/program/sofficerc.laptop @@ -0,0 +1 @@ +sofficerc.desktop
\ No newline at end of file diff --git a/files/usr/local/lib/libreoffice/program/sofficerc.roadwarrior_laptop b/files/usr/local/lib/libreoffice/program/sofficerc.roadwarrior_laptop new file mode 120000 index 0000000..0d2b44a --- /dev/null +++ b/files/usr/local/lib/libreoffice/program/sofficerc.roadwarrior_laptop @@ -0,0 +1 @@ +sofficerc.desktop
\ No newline at end of file diff --git a/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server b/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server index c33b909..381032d 100644 --- a/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server +++ b/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server @@ -3,8 +3,7 @@ set -eu -o pipefail prog=$(basename "$(readlink -f "$0")") -usage="${prog} BLOCKLIST_DIR - Blocklist URLs are read from stdin." +usage="${prog} URL_FILE WHITELIST_FILE BLOCKLIST_DIR" die() { printf '%s: %s\n' "$prog" "$*" 1>&2 @@ -16,17 +15,41 @@ usage(){ exit 2 } -[ $# -eq 1 ] || usage -case $1 in +case ${1:-} in -h|--help) usage ;; esac -[ -d "$1" ] || die "not a directory: ${1}" +[ $# -eq 3 ] || usage -cd "$1" +url_file=$1 +whitelist_file=$2 +blocklist_dir=$3 +[ -d "$blocklist_dir" ] || die "not a directory: ${blocklist_dir}" + +cd "$blocklist_dir" + +# Delete any existing zone files. find . -maxdepth 1 -type f -exec rm {} + -while read -r name url; do - [ -n "$url" ] && curl -sSfL -o "${name}.zone" "$url" -done +if grep -q '[^[:space:]]' "$whitelist_file"; then + # If the whitelist file is non empty, compute a regex. + while read -r pattern; do + [ -n "$pattern" ] || continue + whitelist_regex="${whitelist_regex:+"${whitelist_regex}|"}${pattern}" + done < "$whitelist_file" + + # For each blocklist url, download the blocklist and filter out the whitelist. + while read -r name url; do + [ -n "$url" ] && curl -sSfL "$url" | grep -Ev "^(.*\\.)?(${whitelist_regex})[[:space:]]" > "${name}.zone" + done < "$url_file" +else + # If no whitelist configured, just download each blocklist. + while read -r name url; do + [ -n "$url" ] && curl -sSfL -o "${name}.zone" "$url" + done < "$url_file" +fi + +# Try to reload unbound. +unbound_pidfile=$(/usr/local/sbin/unbound-checkconf -o pidfile /usr/local/etc/unbound/unbound.conf) +kill -HUP "$(cat "$unbound_pidfile")" ||: 
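Review bot: Whitelist entries are interpolated unescaped into the ERE in `grep -Ev "^(.*\\.)?(${whitelist_regex})[[:space:]]"`, so `.` matches any character and an entry containing `+`, `(` or `|` changes or breaks the expression. Because `find . -maxdepth 1 -type f -exec rm {} +` runs before any download, a grep or curl failure under `set -eu -o pipefail` then leaves the blocklist directory empty, a curl failure mid-stream leaves a truncated `${name}.zone` on disk for the next unbound start, and grep exiting 1 after filtering every line of a small list is treated as an error by pipefail. Escape the entries, download into a scratch directory, and replace the live files only after every fetch succeeded; the rewritten middle section is below. The enclosing script starts before this hunk (the `set -eu -o pipefail` prologue and `usage` are above it).

```shell
# … unchanged: argument parsing and cd "$blocklist_dir" …

# Build the whitelist regex; entries are matched literally, so ERE
# metacharacters are escaped. Empty means no whitelist is configured.
whitelist_regex=
while read -r pattern; do
  [ -n "$pattern" ] || continue
  pattern=$(printf '%s\n' "$pattern" | sed 's/[][\.^$*+?(){}|]/\\&/g')
  whitelist_regex="${whitelist_regex:+"${whitelist_regex}|"}${pattern}"
done < "$whitelist_file"

# Download into a scratch directory so a failed run never leaves the live
# blocklist directory empty or a zone file truncated.
tmp_dir=$(mktemp -d "${blocklist_dir}/.tmp.XXXXXX")
trap 'rm -rf "$tmp_dir"' EXIT
while read -r name url; do
  [ -n "$url" ] || continue
  if [ -n "$whitelist_regex" ]; then
    # grep exits 1 when every line is filtered out; that is not an error here.
    curl -sSfL "$url" \
      | { grep -Ev "^(.*\\.)?(${whitelist_regex})[[:space:]]" || [ $? -eq 1 ]; } \
      > "${tmp_dir}/${name}.zone"
  else
    curl -sSfL -o "${tmp_dir}/${name}.zone" "$url"
  fi
done < "$url_file"

# Only now replace the existing zone files.
find . -maxdepth 1 -type f -exec rm {} +
find "$tmp_dir" -name '*.zone' -exec mv {} . \;

# … unchanged: unbound reload …
```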
diff --git a/files/usr/local/libexec/nss-trust-root-ca.common b/files/usr/local/libexec/nss-trust-root-ca.common new file mode 100644 index 0000000..6a38a86 --- /dev/null +++ b/files/usr/local/libexec/nss-trust-root-ca.common @@ -0,0 +1,16 @@ +#!/bin/sh + +# Chromium no longer trusts the system certificate store. Instead, it uses the +# user's local NSS database, located at ~/.pki. +# +# This script adds our local root CA to the NSS DB, so that Chrome will trust it. + +cert_name="$(hostname -d) Root CA" +cert_path=/usr/local/etc/ssl/certs/ca.crt +nss_db_path="${HOME}/.pki/nssdb" + +mkdir -p "$nss_db_path" + +if ! certutil -d "sql:${nss_db_path}" -L -n "$cert_name" > /dev/null 2>&1; then + certutil -d "sql:${nss_db_path}" -A -t 'C,,' -n "$cert_name" -i "$cert_path" +fi diff --git a/files/usr/local/libexec/pam-create-local-homedir.common b/files/usr/local/libexec/pam-create-local-homedir.common index a956d65..2d30d06 100644 --- a/files/usr/local/libexec/pam-create-local-homedir.common +++ b/files/usr/local/libexec/pam-create-local-homedir.common @@ -1,10 +1,3 @@ #!/bin/sh -set -e - -uid=$(id -u "$PAM_USER") - -if [ "$uid" -ge 1000 ]; then - install -m 0755 -d /usr/local/home - install -o "$uid" -g "$uid" -m 0700 -d "/usr/local/home/${PAM_USER}" -fi +install -o "$PAM_USER" -g "$PAM_USER" -m 0700 -d "/usr/local/home/${PAM_USER}" diff --git a/files/usr/local/share-override/applications/chromium-browser.desktop.desktop b/files/usr/local/share-override/applications/chromium-browser.desktop.desktop new file mode 100644 index 0000000..cb5a5bf --- /dev/null +++ b/files/usr/local/share-override/applications/chromium-browser.desktop.desktop 
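Review bot: `certutil -d "sql:${nss_db_path}" -L -n "$cert_name"` keys the idempotence check on the nickname alone, so once the CA has been imported a rotated or re-issued `ca.crt` under the same `$(hostname -d) Root CA` name is never picked up by this autostart hook. Compare the on-disk certificate with the stored one before skipping (for example `certutil -L -n "$cert_name" -a` against `$cert_path`, or their `openssl x509 -fingerprint` output) and delete and re-add when they differ. The `C,,` trust flags limit the CA to TLS server authentication, which is the right scope here; a one-line comment such as `# 'C,,' = trusted CA for TLS server certificates only` would spare the next reader the certutil man page. I could not tell from the hunk whether `certutil -A` initialises an empty sql database under a freshly created `~/.pki/nssdb`; if it does not, the first run on a new account needs a `certutil -N --empty-password -d "sql:${nss_db_path}"` step.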
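Review bot: The rewrite of pam-create-local-homedir drops the `uid -ge 1000` floor, so the hook — which sddm.freebsd runs from the auth stack as `auth optional pam_exec.so`, i.e. before the account checks decide anything — now creates `/usr/local/home/<user>` as root for any resolvable user name, including root and service accounts. Keep a floor that agrees with the sddm uid range (scripts/hostclass/desktop sets `sddm_min_uid` to 10000), e.g. `[ "$(id -u "$PAM_USER")" -ge 1000 ] || exit 0` before the `install` line, or move the hook to the session phase where only authenticated users reach it. `-g "$PAM_USER"` also assumes a group named after the user exists, which is not guaranteed for IdM users; `-g "$(id -g "$PAM_USER")"` does not make that assumption.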
@@ -0,0 +1,11 @@ +[Desktop Entry] +Type=Application +Version=1.0 +Encoding=UTF-8 +Name=Chromium +Comment=Google web browser based on WebKit +Icon=chrome +Exec=chrome ${chrome_flags} %U +Categories=Application;Network;WebBrowser; +MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp; +StartupNotify=true diff --git a/files/usr/local/share-override/applications/chromium-browser.desktop.laptop b/files/usr/local/share-override/applications/chromium-browser.desktop.laptop new file mode 120000 index 0000000..351c67b --- /dev/null +++ b/files/usr/local/share-override/applications/chromium-browser.desktop.laptop @@ -0,0 +1 @@ +chromium-browser.desktop.desktop
\ No newline at end of file diff --git a/files/usr/local/share-override/applications/chromium-browser.desktop.roadwarrior_laptop b/files/usr/local/share-override/applications/chromium-browser.desktop.roadwarrior_laptop new file mode 120000 index 0000000..351c67b --- /dev/null +++ b/files/usr/local/share-override/applications/chromium-browser.desktop.roadwarrior_laptop @@ -0,0 +1 @@ +chromium-browser.desktop.desktop
\ No newline at end of file diff --git a/files/usr/local/override/applications/signal-desktop.desktop.common b/files/usr/local/share-override/applications/signal-desktop.desktop.desktop index d0c9160..d0c9160 100644 --- a/files/usr/local/override/applications/signal-desktop.desktop.common +++ b/files/usr/local/share-override/applications/signal-desktop.desktop.desktop diff --git a/files/usr/local/share-override/applications/signal-desktop.desktop.laptop b/files/usr/local/share-override/applications/signal-desktop.desktop.laptop new file mode 120000 index 0000000..6a702d4 --- /dev/null +++ b/files/usr/local/share-override/applications/signal-desktop.desktop.laptop @@ -0,0 +1 @@ +signal-desktop.desktop.desktop
\ No newline at end of file diff --git a/files/usr/local/share-override/applications/signal-desktop.desktop.roadwarrior_laptop b/files/usr/local/share-override/applications/signal-desktop.desktop.roadwarrior_laptop new file mode 120000 index 0000000..6a702d4 --- /dev/null +++ b/files/usr/local/share-override/applications/signal-desktop.desktop.roadwarrior_laptop @@ -0,0 +1 @@ +signal-desktop.desktop.desktop
\ No newline at end of file @@ -3,16 +3,17 @@ set_sysctl(){ # Set sysctl value(s) and persist them to /etc/sysctl.conf. # $1..$N = sysctl values (as "name=value" strings) + # The '|' character is unsupported within the sysctl value. while [ $# -gt 0 ]; do sysctl "$1" sed -i.bak "/^${1%%=*}=/{ h -s/=.*/=${1#*=}/ +s|=.*|=${1#*=}| } \${ x /^\$/{ -s//${1}/ +s||${1}| H } x @@ -26,18 +27,19 @@ set_loader_conf(){ # Set the FreeBSD bootloader options in /boot/loader.conf. # The host will be rebooted if the file is changed. # $1..$N = bootloader options (as "name=value" strings) + # The '|' character is unsupported within the option value. [ "$BOXCONF_OS" = freebsd ] || bug 'set_loader_conf can only be used on FreeBSD' while [ $# -gt 0 ]; do grep -qxF "${1%%=*}=\"${1#*=}\"" /boot/loader.conf || BOXCONF_NEED_REBOOT=true sed -i.bak "/^${1%%=*}=/{ h -s/=.*/=\"${1#*=}\"/ +s|=.*|=\"${1#*=}\"| } \${ x /^\$/{ -s//${1%%=*}=\"${1#*=}\"/ +s||${1%%=*}=\"${1#*=}\"| H } x diff --git a/scripts/hostclass/cups_server b/scripts/hostclass/cups_server index 6667829..d9b6e66 100644 --- a/scripts/hostclass/cups_server +++ b/scripts/hostclass/cups_server @@ -9,6 +9,9 @@ cups_tls_dir=${cups_conf_dir}/ssl cups_tls_cert="${cups_tls_dir}/${fqdn}.crt" cups_tls_key="${cups_tls_dir}/${fqdn}.key" +# Create dataset for persistent CUPS configuration. +create_dataset -o "mountpoint=${cups_conf_dir}" "${state_dataset}/cups" + # Install required packages. pkg install -y cups cups-filters diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop index f9e7e94..148b596 100644 --- a/scripts/hostclass/desktop +++ b/scripts/hostclass/desktop 
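Review bot: The new comment `# The '|' character is unsupported within the sysctl value.` understates the constraint: the value is still spliced verbatim into the sed replacement, so `&` (re-inserts the match) and `\` (escape) are also live, and the same applies to the `set_loader_conf` hunk below it. Either widen the comment in both functions to `# The characters '|', '&' and '\' are unsupported within the value.`, or escape them once before use, e.g. `value=$(printf '%s' "${1#*=}" | sed 's/[|&\\]/\\&/g')` and substitute `$value` in the two `s|…|` commands. No file header is visible for these two hunks and both enclosing functions start before them.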
@@ -4,10 +4,13 @@ : ${desktop_access_gid:='40000'} : ${sddm_min_uid:='10000'} : ${sddm_max_uid:='19999'} +: ${cups_host:='cups'} +: ${ublock_whitelist:=''} +: ${chrome_flags:=''} sddm_user=sddm - -# TODO: kill lingering processes after logout (chrome, baloo-search, etc). +cups_conf_dir=/usr/local/etc/cups +xdg_override_dir=/usr/local/share-override if [ "${enable_idm:-}" = false ]; then desktop_access_role=operator @@ -33,7 +36,9 @@ pkg install -y $desktop_common_packages install_file -m 0555 \ /usr/local/libexec/pam-create-local-homedir \ /etc/profile.d/local-homedir.sh -install_directory -m 0755 /usr/local/home + +# Create ZFS dataset for local homedirs. +create_dataset -o mountpoint=/usr/local/home "${state_dataset}/home" # Enable sndio. sysrc -v sndiod_enable=YES @@ -54,6 +59,10 @@ set_loader_conf cuse_load=YES sysrc -v webcamd_enable=YES service webcamd status || service webcamd start +# Create xdg autostart entry to add our Root CA to Chrome's certificate store. +install_file -m 0644 /usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop +install_file -m 0555 /usr/local/libexec/nss-trust-root-ca + case $desktop_type in i3) pkg install -y $desktop_i3_packages @@ -121,12 +130,13 @@ install_file -m 0644 /usr/local/etc/X11/xorg.conf.d/terminus.conf # Create xdg override directory. install_directory -m 0755 \ - /usr/local/override \ - /usr/local/override/applications + "${xdg_override_dir}" \ + "${xdg_override_dir}/applications" # Create xdg application overrides. -install_file -m 0644 \ - /usr/local/override/applications/signal-desktop.desktop +install_template -m 0644 \ + "${xdg_override_dir}/applications/signal-desktop.desktop" \ + "${xdg_override_dir}/applications/chromium-browser.desktop" # Create polkit rules for shutdown/reboot/suspend install_template -m 0644 /usr/local/etc/polkit-1/rules.d/51-desktop.rules 
@@ -135,10 +145,14 @@ install_template -m 0644 /usr/local/etc/polkit-1/rules.d/51-desktop.rules sysrc -v dbus_enable=YES service dbus status || service dbus start +# Configure CUPS. +pkg install -y cups +install_template -m 0644 "${cups_conf_dir}/client.conf" + # Configure graphics drivers. case $graphics_type in intel) - pkg install -y drm-kmod + pkg install -y drm-kmod libva-intel-media-driver sysrc -v kld_list+=i915kms load_kernel_module i915kms set_loader_conf \ diff --git a/scripts/hostclass/idm_server/40-unbound b/scripts/hostclass/idm_server/40-unbound index 01c1c70..d38194f 100644 --- a/scripts/hostclass/idm_server/40-unbound +++ b/scripts/hostclass/idm_server/40-unbound @@ -4,8 +4,10 @@ unbound_user=unbound unbound_conf_dir=/usr/local/etc/unbound unbound_blocklist_dir="${unbound_conf_dir}/blocklists" unbound_blocklist_url_file="${unbound_conf_dir}/blocklist_urls" +unbound_whitelist_file="${unbound_conf_dir}/whitelist" : ${unbound_blocklist_urls:=''} +: ${unbound_whitelist:=''} : ${unbound_cache_max_negative_ttl:='60'} : ${unbound_rrset_cache_size:='104857600'} # 100 MB : ${unbound_msg_cache_size:='52428800'} # 50 MB @@ -24,9 +26,10 @@ install_directory -m 0755 -o "$unbound_user" "$unbound_blocklist_dir" install_template -m 0644 "${unbound_conf_dir}/unbound.conf" # Download blocklists. +echo "$unbound_whitelist" | tee "$unbound_whitelist_file" echo "$unbound_blocklists" | tee "$unbound_blocklist_url_file" install_file -m 0755 /usr/local/libexec/idm-update-unbound-blocklists -su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}" +su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_url_file} ${unbound_whitelist_file} ${unbound_blocklist_dir}" # Enable and start unbound. sysrc -v unbound_enable=YES 
@@ -36,5 +39,4 @@ service unbound restart
 install_template -m 0644 /etc/resolv.conf
 # Update blocklists with a cron job.
-echo "@daily root su -m ${unbound_user} -c \"/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}\" && service unbound reload" \
- | tee /etc/cron.d/idm-update-unbound-blocklists
+install_template -m 0644 /etc/cron.d/unbound
diff --git a/scripts/hostclass/laptop/10-desktop b/scripts/hostclass/laptop/10-desktop
new file mode 120000
index 0000000..2c7c348
--- /dev/null
+++ b/scripts/hostclass/laptop/10-desktop
@@ -0,0 +1 @@
+../desktop
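Review bot: The replaced cron line ended with `&& service unbound reload`, and the new `install_template -m 0644 /etc/cron.d/unbound` drops that step: the cron template is not in this hunk, and if it only runs the updater as `${unbound_user}`, who cannot call `service`, refreshed blocklists will not take effect until unbound is restarted for some other reason. Either have the updater signal unbound itself, e.g. `unbound-control reload` with the control socket granted to that user, or keep a root-owned reload entry in the cron file. A note on the `# Update blocklists with a cron job.` line saying who reloads unbound would make the intent explicit.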
\ No newline at end of file
diff --git a/scripts/hostclass/laptop b/scripts/hostclass/laptop/20-laptop
index dba2c5f..dba2c5f 100644
--- a/scripts/hostclass/laptop
+++ b/scripts/hostclass/laptop/20-laptop
diff --git a/scripts/hostclass/roadwarrior_laptop/20-laptop b/scripts/hostclass/roadwarrior_laptop/20-laptop
index 874f665..981e450 120000
--- a/scripts/hostclass/roadwarrior_laptop/20-laptop
+++ b/scripts/hostclass/roadwarrior_laptop/20-laptop
@@ -1 +1 @@
-../laptop
\ No newline at end of file
+../laptop/20-laptop
\ No newline at end of file
diff --git a/scripts/os/freebsd/10-bootloader b/scripts/os/freebsd/10-bootloader
index 438acc0..3209927 100644
--- a/scripts/os/freebsd/10-bootloader
+++ b/scripts/os/freebsd/10-bootloader
@@ -24,9 +24,7 @@ set_loader_conf \
 pflog_load=YES \
 security.bsd.allow_destructive_dtrace=0
-if [ "${serial_console:-}" = true ]; then
- # Don't enable the serial console for all hosts indiscriminately.
- # Somehow, having the serial console enabled breaks ConsoleKit.
+if [ "$BOXCONF_VIRTUALIZATION_TYPE" = none ] && [ "$enable_serial_console" = true ]; then
 set_loader_conf \
 boot_multicons=YES \
 boot_serial=YES \
diff --git a/scripts/os/freebsd/10-cpu b/scripts/os/freebsd/10-cpu
index ea2afcf..67aeb68 100644
--- a/scripts/os/freebsd/10-cpu
+++ b/scripts/os/freebsd/10-cpu
@@ -28,3 +28,8 @@ if sysctl -n dev.hwpstate_intel.0.epp >/dev/null 2>&1; then
 set_sysctl "dev.hwpstate_intel.${n}.epp=${intel_epp}"
 done
 fi
+
+# Enable CPU-related kernel modules.
+set_loader_conf \
+ cpuctl_load=YES \
+ coretemp_load=YES
diff --git a/scripts/os/freebsd/50-idm b/scripts/os/freebsd/50-idm
index 0a9e882..ab7c2fd 100644
--- a/scripts/os/freebsd/50-idm
+++ b/scripts/os/freebsd/50-idm
@@ -20,6 +20,7 @@ pkg install -y \
 # Configure PAM/NSS integration.
 install_file -m 0644 \
 /etc/nsswitch.conf \
+ /etc/pam.d/login \
 /etc/pam.d/sshd \
 /etc/pam.d/sudo
diff --git a/scripts/os/freebsd/80-microcode b/scripts/os/freebsd/80-microcode
new file mode 100644
index 0000000..f9e213e
--- /dev/null
+++ b/scripts/os/freebsd/80-microcode
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+: ${microcode_name:='intel-ucode.bin'}
+
+# Only run this file on baremetal hosts.
+if [ "$BOXCONF_VIRTUALIZATION_TYPE" != none ]; then
+ return
+fi
+
+pkg install -y cpu-microcode
+
+set_loader_conf \
+ cpu_microcode_load=YES \
+ cpu_microcode_name="/boot/firmware/${microcode_name}"
diff --git a/site/scripts/hostname/rlaptop1 b/site/scripts/hostname/rlaptop1
deleted file mode 100644
index f346965..0000000
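Review bot: The new condition in 10-bootloader drops the `${serial_console:-}` guard and expands `$BOXCONF_VIRTUALIZATION_TYPE` and `$enable_serial_console` bare; if these scripts run under `set -u`, an unset variable aborts the run here instead of merely skipping the serial console, and the new 80-microcode file uses the same unguarded `$BOXCONF_VIRTUALIZATION_TYPE` test. Keeping the original style, `if [ "${BOXCONF_VIRTUALIZATION_TYPE:-}" = none ] && [ "${enable_serial_console:-}" = true ]; then`, costs nothing. The removed comment about ConsoleKit now lives only in the desktop vars file, so a short note such as `# Serial console only on bare metal; desktops opt out (see vars/hostclass/desktop).` keeps the reason discoverable here.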
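Review bot: The `@@ -28,3 +28,8 @@` hunk in 10-cpu loads `cpuctl` and `coretemp` on every host, whereas 80-microcode gates on `BOXCONF_VIRTUALIZATION_TYPE`; neither module does anything useful in a guest, and cpuctl(4) exposes MSR access and microcode-update ioctls to privileged processes through /dev/cpuctl*, so loading it only where cpucontrol(8) is actually needed keeps the kernel's surface smaller. Consider the same bare-metal guard, or a comment stating why the modules are wanted everywhere. The enclosing file continues outside the hunk.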
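Review bot: `microcode_name` in 80-microcode defaults to the Intel image, so an AMD host that reaches this file silently gets `cpu_microcode_name` pointing at a file the loader cannot use, and nothing says the override must be set in that host's vars. Document it at the assignment, e.g. `# Intel by default; AMD hosts must set microcode_name to the AMD image in their vars file.`, and consider checking `[ -f "/boot/firmware/${microcode_name}" ]` before writing loader.conf so a typo fails at provisioning time rather than at boot. The early `return` assumes this file is sourced rather than executed, which presumably matches how the other scripts are run but deserves a comment.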
--- a/site/scripts/hostname/rlaptop1
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-add_user \
- -c "Cullum Smith" \
- -G wheel,operator,video \
- -s /bin/sh \
- -m \
- -p changeme \
- cullum
diff --git a/vars/common b/vars/common
index 18df739..8e9fab0 100644
--- a/vars/common
+++ b/vars/common
@@ -38,6 +38,7 @@ nproc=$(nproc)
 allowed_tcp_ports=ssh
 bootstrap_resolvers='1.1.1.1'
 desktop_type=kde
+enable_serial_console=true
 graphics_type=intel
 boxconf_username='s-boxconf'
 host_keytab_groupname=hostkeytab
@@ -55,7 +56,6 @@ rspamd_port=11334
 ssh_authzkeys_uid=789
 ssh_authzkeys_username=sshkeys
 tcp_buffer_size=2097152 # suitable for 1 GigE
-serial_console=false
 nginx_nofile=2048
 nginx_worker_connections=768
diff --git a/vars/hostclass/desktop b/vars/hostclass/desktop
index 8938965..0b11406 100644
--- a/vars/hostclass/desktop
+++ b/vars/hostclass/desktop
@@ -1,5 +1,11 @@
 #!/bin/sh
+# Let users run gdb/truss.
+allow_proc_debug=1
+
+# Serial console breaks ConsoleKit2.
+enable_serial_console=false
+
 # UID/GID hiding breaks consolekit and KDE screen locker.
 see_other_uids=1
@@ -7,22 +13,29 @@ see_other_uids=1
 # cleared out, resulting in the socket being blown away.
 clear_tmp_enable=false
+# Chromium seems to need this to enable VAAPI video decoding on intel.
+chrome_flags='--enable-features=Vulkan,VulkanFromANGLE,DefaultANGLEVulkan'
+
+# signal-desktop requires pulseaudio for audio/video chat. SAD!
 desktop_common_packages="
 bind-tools
 cantarell-fonts
 chromium
 droid-fonts-ttf
 eclipse
+ffmpeg
 firefox
 git
 gnupg
 inconsolata-ttf
 krb5
 libreoffice
-libva-intel-media-driver
+libva-utils
+libvdpau-va-gl
 noto-basic
 noto-emoji
 password-store
+pulseaudio
 py${python_version}-pip
 signal-desktop
 sndio
@@ -32,6 +45,7 @@ terminus-ttf
 tmux
 tree
 ubuntu-font
+vdpauinfo
 v4l-utils
 v4l_compat
 webcamd
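Review bot: The vars/common hunks rename `serial_console` to `enable_serial_console` and at the same time flip the global default from false to true, so every bare-metal host now gets loader and boot output on the serial port unless a hostclass overrides it, as the desktop class does. That is a sensible default for servers behind a console server, but it is a behaviour change for any host that relied on the old false default, and a one-line comment at the new assignment, e.g. `# On by default; only applied on non-virtual hosts, desktops override to false.`, would record it. The new name is read without a `:-` default in 10-bootloader, so it must stay defined here.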
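Review bot: `allow_proc_debug=1` in the `@@ -1,5 +1,11 @@` hunk of vars/hostclass/desktop relaxes a hardening default for the whole desktop class, and the comment names only the motivation. Whatever sysctl this maps to elsewhere, unprivileged debugging lets a user's process attach to any other process of the same uid, including agents holding credentials, so spell out the trade-off where it is set, e.g. `# Let users run gdb/truss; this also lets any user process attach to other processes of the same uid.`. If only a few hosts need it, a host-level override would limit the exposure.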
@@ -39,16 +53,20 @@ webfonts
 wireguard-tools
 xorg"
-desktop_kde_packages='
+desktop_kde_packages="
+audacious
+audacious-plugins
 dino
 gajim
+gtksourceview4
 juk
 k3b
 kde5
 kid3-qt6
 kmix
 konversation
-sddm'
+py${python_version}-omemo-dr
+sddm"
 desktop_i3_packages='
 compton
diff --git a/vars/hostname/alcatraz1 b/vars/hostname/alcatraz1
deleted file mode 100644
index 9b2021c..0000000
--- a/vars/hostname/alcatraz1
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-serial_console=true
|