-rw-r--r--files/usr/local/etc/mail/mailer.conf.smtp_server7
-rw-r--r--files/usr/local/etc/nginx/acme.conf.common4
-rw-r--r--files/usr/local/etc/nginx/nginx.conf-acme55
-rw-r--r--files/usr/local/etc/nginx/nginx.conf.common26
l---------files/usr/local/etc/nginx/nginx.conf.smtp_server1
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.smtp_server13
-rw-r--r--files/usr/local/etc/postfix/main.cf.smtp_server7
-rw-r--r--files/usr/local/etc/poudriere.d/make.conf.pkg_repository6
-rw-r--r--files/usr/local/etc/poudriere.d/patches/postgresql16-gssapi.patch.pkg_repository73
-rw-r--r--files/usr/local/etc/poudriere.d/pkglist.pkg_repository16
-rw-r--r--files/usr/local/lib/sasl2/smtpd.conf.smtp_server3
-rw-r--r--files/usr/local/libexec/poudriere-cron.pkg_repository7
-rw-r--r--scripts/hostclass/pkg_repository22
-rw-r--r--scripts/hostclass/smtp_server/10-rspamd10
-rw-r--r--scripts/hostclass/smtp_server/20-postfix4
-rw-r--r--vars/hostclass/smtp_server2
-rw-r--r--vars/os/freebsd6
17 files changed, 182 insertions, 80 deletions
diff --git a/files/usr/local/etc/mail/mailer.conf.smtp_server b/files/usr/local/etc/mail/mailer.conf.smtp_server
new file mode 100644
index 0000000..d15a587
--- /dev/null
+++ b/files/usr/local/etc/mail/mailer.conf.smtp_server
@@ -0,0 +1,7 @@
+#
+# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
+#
+sendmail /usr/local/sbin/sendmail
+send-mail /usr/local/sbin/sendmail
+mailq /usr/local/sbin/sendmail
+newaliases /usr/local/sbin/sendmail
diff --git a/files/usr/local/etc/nginx/acme.conf.common b/files/usr/local/etc/nginx/acme.conf.common
deleted file mode 100644
index 583ca98..0000000
--- a/files/usr/local/etc/nginx/acme.conf.common
+++ /dev/null
@@ -1,4 +0,0 @@
-location /.well-known/acme-challenge/ {
- root ${acme_webroot};
- default_type text/plain;
-}
diff --git a/files/usr/local/etc/nginx/nginx.conf-acme b/files/usr/local/etc/nginx/nginx.conf-acme
deleted file mode 100644
index d77c0de..0000000
--- a/files/usr/local/etc/nginx/nginx.conf-acme
+++ /dev/null
@@ -1,55 +0,0 @@
-worker_processes ${nginx_worker_processes};
-worker_rlimit_nofile ${nginx_nofile};
-
-events {
- worker_connections ${nginx_worker_connections};
-}
-
-http {
- include mime.types;
- default_type application/octet-stream;
- index index.html;
-
- aio threads;
- aio_write on;
- sendfile on;
- directio 4m;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- server_tokens off;
- client_max_body_size 5m;
- charset utf-8;
- gzip on;
- gzip_http_version 1.0;
- gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json image/svg+xml;
-
- proxy_buffers 64 32k;
- proxy_busy_buffers_size 64k;
- fastcgi_buffers 64 32k;
-
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
- ssl_protocols TLSv1.3;
- ssl_prefer_server_ciphers off;
-
- map \$http_upgrade \$connection_upgrade {
- default upgrade;
- '' keep-alive;
- }
-
- server {
- listen 0.0.0.0:80 default_server;
- listen [::]:80 default_server;
-
- include acme.conf;
-
- location / {
- return 301 https://\$host\$request_uri;
- }
- }
-
- include vhost*.conf;
-}
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
index b0a9a06..9ab993c 100644
--- a/files/usr/local/etc/nginx/nginx.conf.common
+++ b/files/usr/local/etc/nginx/nginx.conf.common
@@ -1,5 +1,6 @@
worker_processes ${nginx_worker_processes};
worker_rlimit_nofile ${nginx_nofile};
+$([ "${nginx_gssapi:-}" = true ] && echo 'load_module "/usr/local/libexec/nginx/ngx_http_auth_spnego_module.so";')
events {
worker_connections ${nginx_worker_connections};
@@ -40,5 +41,28 @@ http {
'' keep-alive;
}
- include vhosts.conf;
+$([ "${nginx_gssapi:-}" = true ] && cat <<EOF
+ auth_gss_realm ${realm};
+ auth_gss_force_realm on;
+EOF
+)
+
+$([ "${nginx_acme:-}" = true ] && cat <<EOF
+ server {
+ listen 0.0.0.0:80 default_server;
+ listen [::]:80 default_server;
+
+ location /.well-known/acme-challenge/ {
+ root ${acme_webroot};
+ default_type text/plain;
+ }
+
+ location / {
+ return 301 https://\$host\$request_uri;
+ }
+ }
+EOF
+)
+
+ include vhosts.conf;
}
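Review bot: The `nginx_gssapi` block only sets the realm, and nothing in this template says where `auth_gss on` is actually switched on, so a reader of the common config cannot tell whether a given host is protected. I would put a comment above the `$([ "${nginx_gssapi:-}" = true ] && cat <<EOF` line: `# nginx_gssapi=true loads ngx_http_auth_spnego (load_module at the top) and sets the realm here; auth_gss itself is enabled per vhost (e.g. vhosts.conf.smtp_server)`. The `load_module` line in the first hunk of this file has the same problem and silently does nothing unless the variable is exactly `true`, so the comment should mention that too. The `nginx_acme` block could likewise note that it is now the only port-80 listener and replaces the deleted acme.conf/nginx.conf-acme pair.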
diff --git a/files/usr/local/etc/nginx/nginx.conf.smtp_server b/files/usr/local/etc/nginx/nginx.conf.smtp_server
deleted file mode 120000
index 53de10f..0000000
--- a/files/usr/local/etc/nginx/nginx.conf.smtp_server
+++ /dev/null
@@ -1 +0,0 @@
-nginx.conf-acme \ No newline at end of file
diff --git a/files/usr/local/etc/nginx/vhosts.conf.smtp_server b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
index 71d6db8..4b84ede 100644
--- a/files/usr/local/etc/nginx/vhosts.conf.smtp_server
+++ b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
@@ -9,14 +9,19 @@ server {
add_header Strict-Transport-Security "max-age=63072000" always;
+$(if [ -n "$rspamd_admin_users" ]; then
+echo ' auth_gss on;'
+echo " auth_gss_keytab ${nginx_keytab};"
+printf ' auth_gss_authorized_principal %s;\n' $rspamd_admin_users
+fi)
+
location / {
proxy_http_version 1.1;
-
proxy_set_header Host \$host;
- proxy_set_header X-Real-IP \$remote_addr;
- proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
-
+$(if [ -z "$rspamd_admin_users" ]; then
+echo ' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'
+fi)
proxy_pass http://127.0.0.1:${rspamd_port}/;
}
}
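Review bot: The reason X-Forwarded-For is sent only when `rspamd_admin_users` is empty is not stated, and it is the security-relevant part of this hunk: without the header rspamd sees every proxied request as coming from 127.0.0.1 and presumably treats it as a trusted local client, so the Kerberos check in nginx becomes the only gate on the admin UI. A comment above the second `$(if` would make that contract explicit, e.g. `# With Kerberos auth, omit X-Forwarded-For so rspamd treats the proxied request as local and defers authorization to auth_gss; without it rspamd enforces its own password`. Note also that the `auth_gss_*` directives only parse when `nginx_gssapi=true` has loaded the SPNEGO module in nginx.conf, so setting `rspamd_admin_users` on a host without that flag makes nginx fail its config test; a check in 10-rspamd would catch that earlier. The enclosing `server {` block opens before this hunk.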
diff --git a/files/usr/local/etc/postfix/main.cf.smtp_server b/files/usr/local/etc/postfix/main.cf.smtp_server
index c1e40a4..802568f 100644
--- a/files/usr/local/etc/postfix/main.cf.smtp_server
+++ b/files/usr/local/etc/postfix/main.cf.smtp_server
@@ -56,24 +56,23 @@ smtpd_tls_chain_files =
${postfix_local_tls_key},
${postfix_local_tls_cert}
EOF
-)
+fi)
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers = medium
-smtpd_tls_dh1024_param_file = ${postfix_dhparams}
smtpd_tls_loglevel = 1
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_helo_required = yes
-smtp_tls_CApath = ${system_ca_dir}
+smtp_tls_CApath = ${system_cacert_path}
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:\$data_directory/smtp_scache
smtp_tls_loglevel = 1
-lmtp_tls_CApath = ${system_ca_dir}
+lmtp_tls_CApath = ${system_cacert_path}
lmtp_tls_security_level = encrypt
lmtp_tls_wrappermode = yes
lmtp_tls_session_cache_database = btree:\$data_directory/lmtp_scache
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
index b0ae948..6dbbafc 100644
--- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -10,8 +10,9 @@ OPTIONS_SET=GSSAPI GSSAPI_MIT MIT NONFREE LIBEDIT
# Per-port options
databases_akonadi_SET=MYSQL
databases_luadbi_SET=PGSQL
-databases_postgresql15-client_SET=PAM
-databases_postgresql15-server_SET=PAM
+databases_postgresql${postgresql_version}-client_SET=PAM
+databases_postgresql${postgresql_version}-server_SET=PAM
+devel_apr1_SET=LDAP
devel_gitolite_SET=GITUSER
devel_kio-extras_UNSET=AFC
devel_librelp_UNSET=GNUTLS
@@ -73,6 +74,7 @@ sysutils_htop_SET=LSOF
sysutils_k3b_UNSET=EMOVIX VCDIMAGER
sysutils_rsyslog8_SET=GSSAPI RELP OPENSSL
sysutils_rsyslog8_UNSET=GCRYPT
+www_apache${apache_version}_SET=AUTHNZ_LDAP LDAP SUEXEC SUEXEC_SYSLOG
www_chromium_SET=WIDEVINE
www_firefox_UNSET=PROFILE JACK
www_nginx_SET=HTTPV3 HTTPV3_QTLS HTTP_AUTH_KRB5 HTTP_AUTH_LDAP
diff --git a/files/usr/local/etc/poudriere.d/patches/postgresql16-gssapi.patch.pkg_repository b/files/usr/local/etc/poudriere.d/patches/postgresql16-gssapi.patch.pkg_repository
new file mode 100644
index 0000000..0cf4e61
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/patches/postgresql16-gssapi.patch.pkg_repository
@@ -0,0 +1,73 @@
+--- databases/postgresql16-server/Makefile 2024-10-03 10:26:11.600924000 -0400
++++ databases/postgresql16-server/Makefile 2024-10-03 10:46:16.602335000 -0400
+@@ -119,12 +119,15 @@
+
+ .if !defined(SLAVE_ONLY)
+ OPTIONS_DEFINE+= NLS PAM GSSAPI OPTIMIZED_CFLAGS DEBUG DOCS
+-KRB5_DESC= Build with kerberos provider support
++OPTIONS_SINGLE+= GSSAPI
++OPTIONS_SINGLE_GSSAPI= GSSAPI_NONE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
++OPTIONS_DEFAULT+= GSSAPI_NONE
++GSSAPI_NONE_DESC= Build without GSSAPI support
++GSSAPI_BASE_DESC= Use GSSAPI from base
++GSSAPI_HEIMDAL_DESC= Use Heimdal GSSAPI from security/heimdal
++GSSAPI_MIT_DESC= Use MIT GSSAPI from security/krb5
+ NLS_DESC= Use internationalized messages
+ PAM_DESC= Build with PAM Support
+-MIT_KRB5_DESC= Build with MIT kerberos support
+-HEIMDAL_KRB5_DESC= Builds with Heimdal kerberos
+-GSSAPI_DESC= Build with GSSAPI support
+ OPTIMIZED_CFLAGS_DESC= Builds with compiler optimizations (-O3)
+
+ OPTIONS_DEFINE+= SSL
+@@ -132,7 +135,12 @@
+
+ OPTIONS_DEFAULT+= SSL
+
+-GSSAPI_CONFIGURE_WITH= gssapi
++GSSAPI_BASE_USES= gssapi:base
++GSSAPI_MIT_USES= gssapi:mit
++GSSAPI_HEIMDAL_USES= gssapi:heimdal,flags
++GSSAPI_BASE_CONFIGURE_ON= --with-gssapi
++GSSAPI_MIT_CONFIGURE_ON= --with-gssapi
++GSSAPI_HEIMDAL_CONFIGURE_ON= --with-gssapi
+ .endif # !SLAVE_ONLY
+
+ SSL_USES= ssl
+@@ -175,36 +183,7 @@
+ .endif
+
+ .if !defined(SLAVE_ONLY)
+-
+ PATCH_DIST_STRIP=-p1
+-
+-.if ${PORT_OPTIONS:MGSSAPI}
+-.if empty(PORT_OPTIONS:MMIT_KRB5) && empty(PORT_OPTIONS:MHEIMDAL_KRB5)
+-# Kerberos libraries will pull the proper GSSAPI library
+-# via linker dependencies, but otherwise we must specify
+-# it explicitely: ld --as-needed is used for compilation,
+-# so configure's -lgssapi_krb5 won't go.
+-LDFLAGS+= -lgssapi
+-LDFLAGS_SL+= -lgssapi
+-.endif
+-.endif
+-
+-. if ${PORT_OPTIONS:MMIT_KRB5}
+-. if defined(IGNORE_WITH_SRC_KRB5) && (exists(/usr/lib/libkrb5.so) || exists(/usr/bin/krb5-config))
+-IGNORE= requires that you remove heimdal\'s /usr/bin/krb5-config and /usr/lib/libkrb5.so*, and set NO_KERBEROS=true in /etc/src.conf to build successfully with MIT-KRB
+-. else
+-CONFIGURE_ARGS+=--with-krb5
+-# Allow defining a home built MIT Kerberos by setting KRB5_HOME
+-. if defined(KRB5_HOME) && exists(${KRB5_HOME}/lib/libgssapi_krb5.a) && exists(${KRB5_HOME}/bin/krb5-config)
+-LIB_DEPENDS+= libkrb5.so.3:security/krb5
+-. endif
+-. endif
+-. endif
+-
+-. if ${PORT_OPTIONS:MHEIMDAL_KRB5}
+-CONFIGURE_ARGS+=--with-krb5
+-. endif
+-
+ .endif # !SLAVE_ONLY
+
+ # For testing files in FILESDIR
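Review bot: The patch is pinned to `databases/postgresql16-server/Makefile` and named `postgresql16-gssapi.patch`, while make.conf and pkglist in this same commit switch to `${postgresql_version}`; bumping that variable will still apply this patch to the 16 port and leave the new version without the GSSAPI single group. The install line in scripts/hostclass/pkg_repository (`install_file -m 0644 "${poudriere_patch_dir}/postgresql16-gssapi.patch"`) hard-codes the same number and should follow whatever naming is chosen. Since `patch` skips text before the first `---` header, a one-line description at the top of the file would help, e.g. `Turn postgresql's GSSAPI option into a GSSAPI_{NONE,BASE,HEIMDAL,MIT} single group so OPTIONS_SET=GSSAPI_MIT builds against security/krb5`. One thing to verify on a build: the context line keeps `GSSAPI` in `OPTIONS_DEFINE` while the patch reuses `GSSAPI` as the single-group name, and I cannot confirm from here whether the ports framework accepts the same name for both.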
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index 4a54ec5..5e95f8c 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -1,13 +1,21 @@
+converters/php${php_version}-iconv
+databases/php${php_version}-pdo_pgsql
+databases/php${php_version}-pgsql
+databases/postgresql${postgresql_version}-client
+databases/postgresql${postgresql_version}-server
databases/redis
devel/ccache
devel/git@lite
+devel/php${php_version}-gettext
dns/bind-tools
dns/nsd
dns/powerdns
dns/unbound
editors/vim@console
editors/vim@tiny
+ftp/php${php_version}-curl
lang/python
+lang/php${php_version}
mail/dovecot
mail/dovecot-pigeonhole
mail/isync
@@ -15,10 +23,12 @@ mail/mutt
mail/postfix
mail/rspamd
mail/sieve-connect
+misc/php${php_version}-calendar
net/nss-pam-ldapd-sasl
net/openldap26-client
net/openldap26-server
net/p5-perl-ldap
+net/php${php_version}-ldap
net/py-python-ldap
net/rsync
ports-mgmt/poudriere
@@ -39,4 +49,10 @@ sysutils/pwgen
sysutils/stow
sysutils/tmux
sysutils/tree
+textproc/php${php_version}-xml
+www/apache${apache_version}
+www/mod_auth_gssapi
+www/mod_php${php_version}
www/nginx
+www/php${php_version}-opcache
+www/php${php_version}-session
diff --git a/files/usr/local/lib/sasl2/smtpd.conf.smtp_server b/files/usr/local/lib/sasl2/smtpd.conf.smtp_server
new file mode 100644
index 0000000..b07b16d
--- /dev/null
+++ b/files/usr/local/lib/sasl2/smtpd.conf.smtp_server
@@ -0,0 +1,3 @@
+mech_list: gssapi plain login
+pwcheck_method: saslauthd
+saslauthd_path: ${saslauthd_runtime_dir}/mux
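Review bot: `mech_list: gssapi plain login` offers two plaintext mechanisms with nothing in this file showing how they are protected; the protection lives in main.cf (`smtpd_tls_auth_only = yes`, `smtpd_sasl_security_options = noanonymous, noplaintext`), so a comment here would keep the two files from drifting apart, e.g. `# plain/login are only offered inside TLS: see smtpd_tls_auth_only and smtpd_sasl_security_options in main.cf`. The file also does not say where the gssapi mechanism finds its key: this commit creates an HTTP keytab for nginx under ${keytab_dir} but no smtp service keytab that I can see, so either a `keytab:` line or a comment naming the source of the smtp principal's key would make the setup reproducible.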
diff --git a/files/usr/local/libexec/poudriere-cron.pkg_repository b/files/usr/local/libexec/poudriere-cron.pkg_repository
index 0d713a9..b79535b 100644
--- a/files/usr/local/libexec/poudriere-cron.pkg_repository
+++ b/files/usr/local/libexec/poudriere-cron.pkg_repository
@@ -5,8 +5,15 @@ set -eu -o pipefail
ports_tree=latest
# update ports tree
+git -C /usr/local/poudriere/ports/latest restore :/
+git -C /usr/local/poudriere/ports/latest clean -f
poudriere ports -u -p "$ports_tree" > /dev/null
+for patch in /usr/local/etc/poudriere.d/patches/*.patch; do
+ [ -f "$patch" ] || continue
+ patch -s -d /usr/local/poudriere/ports/latest -u < "$patch"
+done
+
for jail in "$@"; do
poudriere jail -u -j "$jail" > /dev/null
poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist-idm -p "$ports_tree" -z idm > /dev/null
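Review bot: The new `git` and `patch` lines hard-code `/usr/local/poudriere/ports/latest` although `ports_tree=latest` is defined just above and is what the poudriere calls use; if the variable is ever changed, the reset and the patches go to one tree while the build uses another. I would write `git -C "/usr/local/poudriere/ports/$ports_tree" restore :/`, `git -C "/usr/local/poudriere/ports/$ports_tree" clean -f` and `patch -s -d "/usr/local/poudriere/ports/$ports_tree" -u < "$patch"`. `git clean -f` without `-d` leaves untracked directories behind, which is harmless for the current Makefile-only patch but worth a comment or `-fd` if a future patch adds files under new directories.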
diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository
index a356b3e..6070794 100644
--- a/scripts/hostclass/pkg_repository
+++ b/scripts/hostclass/pkg_repository
@@ -11,11 +11,17 @@
poudriere_data_dir=/usr/local/poudriere
poudriere_conf_dir=/usr/local/etc/poudriere.d
+poudriere_patch_dir="${poudriere_conf_dir}/patches"
# Create poudriere datasets.
create_dataset -o "mountpoint=${poudriere_data_dir}" "${state_dataset}/poudriere"
create_dataset -o "mountpoint=${poudriere_conf_dir}" "${state_dataset}/poudriere-config"
+# Since we're doing a ton of compilation, disable sync on the poudriere dataset.
+# Possibly snakeoil, but my hope is that most file I/O will end up in the ARC cache
+# and not thrash the disks.
+zfs set sync=disabled "${poudriere_dataset}/poudriere"
+
# These packages are needed to bootstrap poudriere. On the first run, they'll
# be installed from the public FreeBSD repos.
pkg install -y \
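Review bot: The moved `zfs set sync=disabled "${poudriere_dataset}/poudriere"` refers to `poudriere_dataset`, but the two `create_dataset` calls just above create the datasets under `${state_dataset}`, and the visible lines define only `poudriere_data_dir`, `poudriere_conf_dir` and `poudriere_patch_dir`. Unless `poudriere_dataset` is set somewhere outside this hunk, the property is applied to a dataset that was never created, and if the script runs under `set -u` the unset variable aborts it. If the intent is the dataset created two lines earlier, `zfs set sync=disabled "${state_dataset}/poudriere"` would match; otherwise a comment naming where `poudriere_dataset` comes from would settle the question. The line was the same before the move, but the move makes it the code under review.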
@@ -45,12 +51,20 @@ service nginx restart
# Create and update the `latest` ports tree.
[ -d "${poudriere_data_dir}/ports/latest" ] || poudriere ports -c -v -p latest
+git -C "${poudriere_data_dir}/ports/latest" restore :/
+git -C "${poudriere_data_dir}/ports/latest" clean -f
poudriere ports -v -u -p latest
-# Since we're doing a ton of compilation, disable sync on the poudriere dataset.
-# Possibly snakeoil, but my hope is that most file I/O will end up in the ARC cache
-# and not thrash the disks.
-zfs set sync=disabled "${poudriere_dataset}/poudriere"
+# Apply custom patches.
+install_directory -m 0755 "$poudriere_patch_dir"
+rm -f "${poudriere_patch_dir}/"*.patch
+install_file -m 0644 \
+ "${poudriere_patch_dir}/postgresql16-gssapi.patch"
+
+for patch in "${poudriere_patch_dir}/"*.patch; do
+ [ -f "$patch" ] || continue
+ patch -d "${poudriere_data_dir}/ports/latest" -u < "$patch"
+done
# For each specified FreeBSD version, build all packages.
for version in $poudriere_versions; do
diff --git a/scripts/hostclass/smtp_server/10-rspamd b/scripts/hostclass/smtp_server/10-rspamd
index d104e9c..094dc8a 100644
--- a/scripts/hostclass/smtp_server/10-rspamd
+++ b/scripts/hostclass/smtp_server/10-rspamd
@@ -5,6 +5,7 @@
: ${rspamd_domain_whitelist:=''}
: ${rspamd_port:='11334'}
: ${rspamd_redis_maxmemory:='1g'}
+: ${rspamd_admin_users:=''}
: ${postfix_virtual_domains:="$email_domain"}
postfix_user=postfix
@@ -22,6 +23,7 @@ rspamd_redis_data_dir="${redis_data_dir}/rspamd"
rspamd_bayes_redis_data_dir="${redis_data_dir}/rspamd-bayes"
rspamd_tls_cert=/usr/local/etc/nginx/rspamd.crt
rspamd_tls_key=/usr/local/etc/nginx/rspamd.key
+nginx_keytab="${keytab_dir}/nginx.keytab"
pkg install -y \
postfix \
@@ -85,9 +87,15 @@ pw groupmod "$redis_user" -m "$rspamd_user"
# Generate nginx configuration.
install_template -m 0644 \
/usr/local/etc/nginx/nginx.conf \
- /usr/local/etc/nginx/acme.conf \
/usr/local/etc/nginx/vhosts.conf
+# Create HTTP service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "HTTP/${fqdn}"
+
+ktadd -k "$nginx_keytab" "HTTP/${fqdn}"
+chgrp "$nginx_user" "$nginx_keytab"
+chmod 640 "$nginx_keytab"
+
# Copy TLS certificate for nginx.
install_certificate nginx "$rspamd_tls_cert"
install_certificate_key nginx "$rspamd_tls_key"
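Review bot: `ktadd -k "$nginx_keytab" "HTTP/${fqdn}"` randomizes the principal's key and appends a new key version every time it runs, so if this provisioning script is meant to be re-runnable the keytab accumulates kvnos and the service key rotates on each run; `add_principal` on a second run would presumably fail first unless the helper tolerates an existing principal. A guard such as `[ -f "$nginx_keytab" ] || ktadd -k "$nginx_keytab" "HTTP/${fqdn}"` keeps re-runs from rotating the key, and a comment stating that the keytab is root:${nginx_user} 0640 so that nginx workers (presumably running as ${nginx_user}) can read it would explain the chgrp/chmod pair. Note also that the principal and keytab are created even when `rspamd_admin_users` is empty and `auth_gss` is therefore never enabled in vhosts.conf.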
diff --git a/scripts/hostclass/smtp_server/20-postfix b/scripts/hostclass/smtp_server/20-postfix
index 6f891da..0d4830f 100644
--- a/scripts/hostclass/smtp_server/20-postfix
+++ b/scripts/hostclass/smtp_server/20-postfix
@@ -21,7 +21,6 @@ postfix_public_tls_cert="${acme_cert_dir}/postfix.crt"
postfix_public_tls_key="${acme_cert_dir}/postfix.key"
postfix_local_tls_cert="${postfix_conf_dir}/postfix.crt"
postfix_local_tls_key="${postfix_conf_dir}/postfix.key"
-postfix_dhparams="${postfix_conf_dir}/dhparams.pem"
# Install packages.
pkg install -y \
@@ -55,9 +54,6 @@ install_directory -m 0750 -o "$saslauthd_user" -g "$postfix_user" "$saslauthd_ru
install_certificate -m 0644 -o root -g "$postfix_user" postfix "$postfix_local_tls_cert"
install_certificate_key -m 0640 -o root -g "$postfix_user" postfix "$postfix_local_tls_key"
-# Generate dhparams.
-[ -f "$postfix_dhparams" ] || openssl dhparam -out "$postfix_dhparams" 2048
-
if [ "$postfix_public_fqdn" != "$fqdn" ]; then
# Acquire public TLS certificate.
install_file /usr/local/etc/sudoers.d/acme
diff --git a/vars/hostclass/smtp_server b/vars/hostclass/smtp_server
index 1e8838e..d68e28a 100644
--- a/vars/hostclass/smtp_server
+++ b/vars/hostclass/smtp_server
@@ -2,3 +2,5 @@
allowed_tcp_ports="ssh smtp submission ${rspamd_port} http https"
postfix_mynetworks='127.0.0.1/8'
+nginx_gssapi=true
+nginx_acme=true
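Review bot: `nginx_gssapi=true` and `nginx_acme=true` are bare flags with no hint of what they switch on, and nginx.conf.common reads them by string comparison against the literal `true` (`[ "${nginx_gssapi:-}" = true ]`), so `yes` or `1` would silently do nothing. A comment on each would prevent that, e.g. `# Load ngx_http_auth_spnego so vhosts.conf can protect the rspamd UI with auth_gss (needs rspamd_admin_users); must be exactly "true"` and `# Serve /.well-known/acme-challenge and redirect port 80 to https (replaces the old nginx.conf-acme symlink)`.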
diff --git a/vars/os/freebsd b/vars/os/freebsd
index 308408b..8b0afb3 100644
--- a/vars/os/freebsd
+++ b/vars/os/freebsd
@@ -9,16 +9,22 @@ intel_epp=50
see_other_uids=0
export ASSUME_ALWAYS_YES=yes
+acme_cert_dir=/usr/local/etc/ssl/acme
acme_standalone_port=9080
acme_uid=169
acme_webroot=/usr/local/www/acme
+apache_version=24
keytab_dir=/var/db/keytabs
nfscbd_port=7745
+nginx_user=www
nslcd_user=nslcd
+php_version=82
+postgresql_version=16
python_version=311
saslauthd_runtime_dir=/var/run/saslauthd
saslauthd_user=cyrus
site_cacert_path=/usr/local/etc/ssl/certs/ca.crt
+system_cacert_path=/etc/ssl/certs
ssh_host_key_dir=/var/db/ssh
# For 10 Gbit ethernet, bump up the TCP buffers.
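Review bot: `system_cacert_path=/etc/ssl/certs` is a directory — main.cf in this commit uses it as `smtp_tls_CApath`/`lmtp_tls_CApath` — whereas the neighbouring `site_cacert_path=/usr/local/etc/ssl/certs/ca.crt` is a single bundle file, so the shared `_cacert_path` suffix invites using one where the other is expected. Renaming would touch every consumer, so a comment is the cheap fix: `# Directory of CA certificates (Postfix *_tls_CApath expects a hashed directory); site_cacert_path above is a single PEM file`. The new version pins (`apache_version`, `php_version`, `postgresql_version`) would also benefit from a note that they must match the port names used in poudriere.d/pkglist and make.conf, since nothing validates that the port `www/apache24` or `databases/postgresql16-server` actually exists.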