diff options
Diffstat (limited to 'files/usr/local/libexec')
3 files changed, 49 insertions, 17 deletions
diff --git a/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server b/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server index c33b909..381032d 100644 --- a/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server +++ b/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server @@ -3,8 +3,7 @@ set -eu -o pipefail prog=$(basename "$(readlink -f "$0")") -usage="${prog} BLOCKLIST_DIR - Blocklist URLs are read from stdin." +usage="${prog} URL_FILE WHITELIST_FILE BLOCKLIST_DIR" die() { printf '%s: %s\n' "$prog" "$*" 1>&2 @@ -16,17 +15,41 @@ usage(){ exit 2 } -[ $# -eq 1 ] || usage -case $1 in +case ${1:-} in -h|--help) usage ;; esac -[ -d "$1" ] || die "not a directory: ${1}" +[ $# -eq 3 ] || usage -cd "$1" +url_file=$1 +whitelist_file=$2 +blocklist_dir=$3 +[ -d "$blocklist_dir" ] || die "not a directory: ${blocklist_dir}" + +cd "$blocklist_dir" + +# Delete any existing zone files. find . -maxdepth 1 -type f -exec rm {} + -while read -r name url; do - [ -n "$url" ] && curl -sSfL -o "${name}.zone" "$url" -done +if grep -q '[^[:space:]]' "$whitelist_file"; then + # If the whitelist file is non empty, compute a regex. + while read -r pattern; do + [ -n "$pattern" ] || continue + whitelist_regex="${whitelist_regex:+"${whitelist_regex}|"}${pattern}" + done < "$whitelist_file" + + # For each blocklist url, download the blocklist and filter out the whitelist. + while read -r name url; do + [ -n "$url" ] && curl -sSfL "$url" | grep -Ev "^(.*\\.)?(${whitelist_regex})[[:space:]]" > "${name}.zone" + done < "$url_file" +else + # If no whitelist configured, just download each blocklist. + while read -r name url; do + [ -n "$url" ] && curl -sSfL -o "${name}.zone" "$url" + done < "$url_file" +fi + +# Try to reload unbound. +unbound_pidfile=$(/usr/local/sbin/unbound-checkconf -o pidfile /usr/local/etc/unbound/unbound.conf) +kill -HUP "$(cat "$unbound_pidfile")" ||: diff --git a/files/usr/local/libexec/nss-trust-root-ca.common b/files/usr/local/libexec/nss-trust-root-ca.common new file mode 100644 index 0000000..6a38a86 --- /dev/null +++ b/files/usr/local/libexec/nss-trust-root-ca.common @@ -0,0 +1,16 @@ +#!/bin/sh + +# Chromium no longer trusts the system certificate store. Instead, it uses the +# user's local NSS database, located at ~/.pki. +# +# This script adds our local root CA to the NSS DB, so that Chrome will trust it. + +cert_name="$(hostname -d) Root CA" +cert_path=/usr/local/etc/ssl/certs/ca.crt +nss_db_path="${HOME}/.pki/nssdb" + +mkdir -p "$nss_db_path" + +if ! certutil -d "sql:${nss_db_path}" -L -n "$cert_name" > /dev/null 2>&1; then + certutil -d "sql:${nss_db_path}" -A -t 'C,,' -n "$cert_name" -i "$cert_path" +fi diff --git a/files/usr/local/libexec/pam-create-local-homedir.common b/files/usr/local/libexec/pam-create-local-homedir.common index a956d65..2d30d06 100644 --- a/files/usr/local/libexec/pam-create-local-homedir.common +++ b/files/usr/local/libexec/pam-create-local-homedir.common @@ -1,10 +1,3 @@ #!/bin/sh -set -e - -uid=$(id -u "$PAM_USER") - -if [ "$uid" -ge 1000 ]; then - install -m 0755 -d /usr/local/home - install -o "$uid" -g "$uid" -m 0700 -d "/usr/local/home/${PAM_USER}" -fi +install -o "$PAM_USER" -g "$PAM_USER" -m 0700 -d "/usr/local/home/${PAM_USER}" |