aboutsummaryrefslogtreecommitdiff
path: root/scripts/hostclass
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/hostclass')
-rw-r--r--scripts/hostclass/desktop66
-rw-r--r--scripts/hostclass/idm_server/10-slapd13
-rw-r--r--scripts/hostclass/idm_server/20-powerdns2
-rw-r--r--scripts/hostclass/idm_server/30-kdc41
-rw-r--r--scripts/hostclass/idm_server/40-unbound40
-rw-r--r--scripts/hostclass/idm_server/90-idm96
6 files changed, 242 insertions, 16 deletions
diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop
index 2a85f16..561fb8d 100644
--- a/scripts/hostclass/desktop
+++ b/scripts/hostclass/desktop
@@ -10,11 +10,13 @@ pkg install -y \
eclipse \
firefox \
git \
+ gnupg \
krb5 \
i3 \
libreoffice \
libva-intel-media-driver \
networkmgr \
+ password-store \
py${python_version}-pip \
stow \
terminus-font \
@@ -30,9 +32,11 @@ pkg install -y \
case $desktop_type in
i3)
pkg install \
+ dunst \
i3 \
i3lock \
- i3status
+ i3status \
+ profanity
;;
kde)
pkg install \
@@ -100,3 +104,63 @@ esac
# On some graphics cards, kern.vt.suspendswitch=1 (the default) breaks graphics
# acceleration after resuming from sleep.
set_sysctl kern.vt.suspendswitch="${vt_suspendswitch:-1}"
+
+# Fix xterm-256color termcap
+# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280679
+cat <<'EOF' | tic -o /usr/local/share/site-terminfo -
+xterm-256color|xterm with 256 colors,
+ am, bce, ccc, km, mc5i, mir, msgr, npc, xenl,
+ colors#0x100, cols#80, it#8, lines#24, pairs#0x10000,
+ acsc=``aaffggiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~,
+ bel=^G, blink=\E[5m, bold=\E[1m, cbt=\E[Z, civis=\E[?25l,
+ clear=\E[H\E[2J, cnorm=\E[?12l\E[?25h, cr=\r,
+ csr=\E[%i%p1%d;%p2%dr, cub=\E[%p1%dD, cub1=^H,
+ cud=\E[%p1%dB, cud1=\n, cuf=\E[%p1%dC, cuf1=\E[C,
+ cup=\E[%i%p1%d;%p2%dH, cuu=\E[%p1%dA, cuu1=\E[A,
+ cvvis=\E[?12;25h, dch=\E[%p1%dP, dch1=\E[P, dim=\E[2m,
+ dl=\E[%p1%dM, dl1=\E[M, ech=\E[%p1%dX, ed=\E[J, el=\E[K,
+ el1=\E[1K, flash=\E[?5h$<100/>\E[?5l, home=\E[H,
+ hpa=\E[%i%p1%dG, ht=^I, hts=\EH, ich=\E[%p1%d@,
+ il=\E[%p1%dL, il1=\E[L, ind=\n, indn=\E[%p1%dS,
+ initc=\E]4;%p1%d;rgb:%p2%{255}%*%{1000}%/%2.2X/%p3%{255}%*%{1000}%/%2.2X/%p4%{255}%*%{1000}%/%2.2X\E\\,
+ invis=\E[8m, is2=\E[!p\E[?3;4l\E[4l\E>, kDC=\E[3;2~,
+ kEND=\E[1;2F, kHOM=\E[1;2H, kIC=\E[2;2~, kLFT=\E[1;2D,
+ kNXT=\E[6;2~, kPRV=\E[5;2~, kRIT=\E[1;2C, ka1=\EOw,
+ ka3=\EOy, kb2=\EOu, kbs=^?, kc1=\EOq, kc3=\EOs, kcbt=\E[Z,
+ kcub1=\EOD, kcud1=\EOB, kcuf1=\EOC, kcuu1=\EOA,
+ kdch1=\E[3~, kend=\EOF, kent=\EOM, kf1=\EOP, kf10=\E[21~,
+ kf11=\E[23~, kf12=\E[24~, kf13=\E[1;2P, kf14=\E[1;2Q,
+ kf15=\E[1;2R, kf16=\E[1;2S, kf17=\E[15;2~, kf18=\E[17;2~,
+ kf19=\E[18;2~, kf2=\EOQ, kf20=\E[19;2~, kf21=\E[20;2~,
+ kf22=\E[21;2~, kf23=\E[23;2~, kf24=\E[24;2~,
+ kf25=\E[1;5P, kf26=\E[1;5Q, kf27=\E[1;5R, kf28=\E[1;5S,
+ kf29=\E[15;5~, kf3=\EOR, kf30=\E[17;5~, kf31=\E[18;5~,
+ kf32=\E[19;5~, kf33=\E[20;5~, kf34=\E[21;5~,
+ kf35=\E[23;5~, kf36=\E[24;5~, kf37=\E[1;6P, kf38=\E[1;6Q,
+ kf39=\E[1;6R, kf4=\EOS, kf40=\E[1;6S, kf41=\E[15;6~,
+ kf42=\E[17;6~, kf43=\E[18;6~, kf44=\E[19;6~,
+ kf45=\E[20;6~, kf46=\E[21;6~, kf47=\E[23;6~,
+ kf48=\E[24;6~, kf49=\E[1;3P, kf5=\E[15~, kf50=\E[1;3Q,
+ kf51=\E[1;3R, kf52=\E[1;3S, kf53=\E[15;3~, kf54=\E[17;3~,
+ kf55=\E[18;3~, kf56=\E[19;3~, kf57=\E[20;3~,
+ kf58=\E[21;3~, kf59=\E[23;3~, kf6=\E[17~, kf60=\E[24;3~,
+ kf61=\E[1;4P, kf62=\E[1;4Q, kf63=\E[1;4R, kf7=\E[18~,
+ kf8=\E[19~, kf9=\E[20~, khome=\EOH, kich1=\E[2~,
+ kind=\E[1;2B, kmous=\E[<, knp=\E[6~, kpp=\E[5~,
+ kri=\E[1;2A, mc0=\E[i, mc4=\E[4i, mc5=\E[5i, meml=\El,
+ memu=\Em, mgc=\E[?69l, nel=\EE, oc=\E]104\007,
+ op=\E[39;49m, rc=\E8, rep=%p1%c\E[%p2%{1}%-%db,
+ rev=\E[7m, ri=\EM, rin=\E[%p1%dT, ritm=\E[23m, rmacs=\E(B,
+ rmam=\E[?7l, rmcup=\E[?1049l\E[23;0;0t, rmir=\E[4l,
+ rmkx=\E[?1l\E>, rmm=\E[?1034l, rmso=\E[27m, rmul=\E[24m,
+ rs1=\Ec\E]104\007, rs2=\E[!p\E[?3;4l\E[4l\E>, sc=\E7,
+ setab=\E[%?%p1%{8}%<%t4%p1%d%e%p1%{16}%<%t10%p1%{8}%-%d%e48;5;%p1%d%;m,
+ setaf=\E[%?%p1%{8}%<%t3%p1%d%e%p1%{16}%<%t9%p1%{8}%-%d%e38;5;%p1%d%;m,
+ sgr=%?%p9%t\E(0%e\E(B%;\E[0%?%p6%t;1%;%?%p5%t;2%;%?%p2%t;4%;%?%p1%p3%|%t;7%;%?%p4%t;5%;%?%p7%t;8%;m,
+ sgr0=\E(B\E[m, sitm=\E[3m, smacs=\E(0, smam=\E[?7h,
+ smcup=\E[?1049h\E[22;0;0t,
+ smglr=\E[?69h\E[%i%p1%d;%p2%ds, smir=\E[4h,
+ smkx=\E[?1h\E=, smm=\E[?1034h, smso=\E[7m, smul=\E[4m,
+ tbc=\E[3g, u6=\E[%i%d;%dR, u7=\E[6n,
+ u8=\E[?%[;0123456789]c, u9=\E[c, vpa=\E[%i%p1%dd,
+EOF
diff --git a/scripts/hostclass/idm_server/10-slapd b/scripts/hostclass/idm_server/10-slapd
index dc52a58..204c405 100644
--- a/scripts/hostclass/idm_server/10-slapd
+++ b/scripts/hostclass/idm_server/10-slapd
@@ -10,10 +10,13 @@
: ${slapd_syncrepl_session_log:='1000'}
: ${slapd_syncrepl_cleanup_age:='7'}
: ${slapd_syncrepl_cleanup_interval:='1'}
+: ${slapd_admin_role:='role-ldap-admin'}
slapd_user=ldap
slapd_data_dir=/var/db/openldap-data
slapd_conf_dir=/usr/local/etc/openldap
+slapd_socket=/var/run/openldap/ldapi
+slapd_ldapi_uri="ldapi://$(echo "$slapd_socket" | sed 's|/|%2f|g')"
slapd_tls_cert="${slapd_conf_dir}/slapd.crt"
slapd_tls_key="${slapd_conf_dir}/slapd.key"
slapd_replicator_tls_cert="${slapd_conf_dir}/replicator.crt"
@@ -72,8 +75,8 @@ fi
sysrc -v \
slapd_enable=YES \
slapd_cn_config=YES \
- slapd_flags="-h 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \
- slapd_sockets="/var/run/openldap/ldapi" \
+ slapd_flags="-h '${slapd_ldapi_uri}/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \
+ slapd_sockets="$slapd_socket" \
slapd_krb5_ktname="$slapd_keytab"
service slapd restart
@@ -151,6 +154,12 @@ objectClass: organizationalUnit
ou: $(ldap_rdn_value "$roles_basedn")
EOF
+ # cn=role-ldap-admin,ou=roles,ou=groups,ou=accounts,dc=example,dc=com
+ ldap_add "cn=${slapd_admin_role},${roles_basedn}" <<EOF
+objectClass: groupOfMembers
+cn: ${slapd_admin_role}
+EOF
+
# ou=automount,dc=example,dc=com
ldap_add "$automount_basedn" <<EOF
objectClass: organizationalUnit
diff --git a/scripts/hostclass/idm_server/20-powerdns b/scripts/hostclass/idm_server/20-powerdns
index 4d42ee9..26abe52 100644
--- a/scripts/hostclass/idm_server/20-powerdns
+++ b/scripts/hostclass/idm_server/20-powerdns
@@ -40,7 +40,7 @@ objectClass: domainRelatedObject
dc: ${domain}
${pdns_soa_record}
${pdns_ns_records}
-$(echo "$idm_server_list" | awk '{print "aRecord: "$2}')
+$(echo "$idm_server_list" | awk '{print "aRecord: "$3}')
associatedDomain: ${domain}
EOF
diff --git a/scripts/hostclass/idm_server/30-kdc b/scripts/hostclass/idm_server/30-kdc
index 4921688..abe040a 100644
--- a/scripts/hostclass/idm_server/30-kdc
+++ b/scripts/hostclass/idm_server/30-kdc
@@ -1,12 +1,43 @@
#!/bin/sh
+kdc_conf_dir=/usr/local/var/krb5kdc
+kdc_master_key_path="${kdc_conf_dir}/master_key"
+
+: ${kdc_max_life:='24h'}
+: ${kdc_max_renewable_life:='7d'}
+
# Install MIT kerberos.
pkg install -y krb5
+# Generate the system kerberos configuration.
+install_template -m 0644 /etc/krb5.conf
+ln -snfv /etc/krb5.conf /usr/local/etc/krb5.conf
+
+# Generate KDC configuration files.
+install_template -m 0644 \
+ "${kdc_conf_dir}/kdc.conf" \
+ "${kdc_conf_dir}/kadm5.acl"
+
+# If the realm does not exist in LDAP, create it. Otherwise, stash the master key.
+if is_primary_server && ! ldap_dn_exists "$kdc_basedn"; then
+ kdb5_ldap_util -P "$kdc_master_key" create -subtrees "$accounts_basedn" -sscope SUB -s
+elif ! [ -f "$kdc_master_key_path" ]; then
+ kdb5_util -P "$kdc_master_key" stash
+fi
+
+# Start the KDC and kadmind.
+sysrc -v \
+ kdc_program=/usr/local/sbin/krb5kdc \
+ kadmind_program=/usr/local/sbin/kadmind \
+ kdc_flags="" \
+ kdc_enable=YES \
+ kadmind_enable=YES
+
+service kdc restart
+service kadmind restart
+
+# Create the boxconf administrative user.
if is_primary_server; then
- # ou=kdc,dc=example,dc=com
- ldap_add "$kdc_basedn" <<EOF
-objectClass: organizationalUnit
-ou: $(ldap_rdn_value "$dns_basedn")
-EOF
+ kadmin.local get_principal -terse "$boxconf_username" \
+ || kadmin.local add_principal -pw "$boxconf_password" -x "containerdn=${robots_basedn}" "$boxconf_username"
fi
diff --git a/scripts/hostclass/idm_server/40-unbound b/scripts/hostclass/idm_server/40-unbound
new file mode 100644
index 0000000..39f1317
--- /dev/null
+++ b/scripts/hostclass/idm_server/40-unbound
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+unbound_user=unbound
+unbound_conf_dir=/usr/local/etc/unbound
+unbound_blocklist_dir="${unbound_conf_dir}/blocklists"
+unbound_blocklist_url_file="${unbound_conf_dir}/blocklist_urls"
+
+: ${unbound_blocklist_urls:=''}
+: ${unbound_cache_max_negative_ttl:='60'}
+: ${unbound_rrset_cache_size:='104857600'} # 100 MB
+: ${unbound_msg_cache_size:='52428800'} # 50 MB
+: ${unbound_slabs:='2'}
+: ${unbound_insecure_domains:=''}
+: ${unbound_local_zones:=''}
+: ${unbound_local_data:=''}
+: ${unbound_blocklists:=''}
+: ${unbound_threads:="$nproc"}
+
+# Install unbound recursive resolver.
+pkg install -y unbound
+
+# Generate unbound configuration.
+install_directory -m 0755 -o "$unbound_user" "$unbound_blocklist_dir"
+install_template -m 0644 "${unbound_conf_dir}/unbound.conf"
+
+# Download blocklists.
+echo "$unbound_blocklists" | tee "$unbound_blocklist_url_file"
+install_file -m 0755 /usr/local/libexec/idm-update-unbound-blocklists
+su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}"
+
+# Enable and start unbound.
+sysrc -v unbound_enable=YES
+service unbound restart
+
+# Now we are ready to us unbound as the local resolver.
+install_template -m 0644 /etc/resolv.conf
+
+# Update blocklists with a cron job.
+echo "@daily root su -m ${unbound_user} -c \"/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}\" && service unbound reload" \
+ | tee /etc/cron.d/idm-update-unbound-blocklists
diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm
index 7881f14..0a28491 100644
--- a/scripts/hostclass/idm_server/90-idm
+++ b/scripts/hostclass/idm_server/90-idm
@@ -1,9 +1,91 @@
#!/bin/sh
-# Create host object for this server
-# Create ldap service principal for this server
-# Create A record
-# Create PTR record
-# Create boxconf user
-# Create sudo rules
-# Create admin group
+# Create host object.
+ldap_add "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
+objectClass: device
+objectClass: domainRelatedObject
+objectClass: ldapPublicKey
+cn: ${BOXCONF_HOSTNAME}
+associatedDomain: ${fqdn}
+$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
+description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
+EOF
+
+# Update attributes that may have changed.
+ldap_modify "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
+replace: sshPublicKey
+$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
+-
+replace: description
+description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
+EOF
+
+# Create A record.
+ldap_add "dc=${BOXCONF_HOSTNAME},dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain
+objectClass: domainRelatedObject
+dc: ${BOXCONF_HOSTNAME}
+aRecord: ${BOXCONF_DEFAULT_IPV4}
+associatedDomain: ${fqdn}
+EOF
+
+# Create PTR record.
+rdns=$(ip2rdns "$BOXCONF_DEFAULT_IPV4")
+ldap_add "dc=${rdns%%.*},dc=${rdns#*.},${dns_basedn}" <<EOF
+objectClass: dNSDomain2
+objectClass: domainRelatedObject
+dc: ${rdns%%.*}
+pTRRecord: ${fqdn}
+associatedDomain: ${rdns}
+EOF
+
+# Create host principal.
+kadmin.local get_principal -terse "host/${fqdn}" \
+ || kadmin.local add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"
+
+# Create ldap service principal.
+kadmin.local get_principal -terse "ldap/${fqdn}" \
+ || kadmin.local add_principal -nokey -x "containerdn=${services_basedn}" "ldap/${fqdn}"
+
+# Create state dataset to persist keytabs across OS rebuilds.
+create_dataset -o "mountpoint=${keytab_dir}" "${state_dataset}/keytabs"
+
+# Export host keytab.
+[ -f "${keytab_dir}/host.keytab" ] || kadmin.local ktadd -k "${keytab_dir}/host.keytab" -q "host/${fqdn}"
+ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab
+
+# Export slapd keytab.
+[ -f "$slapd_keytab" ] || kadmin.local ktadd -k "$slapd_keytab" -q "ldap/${fqdn}"
+chown "$slapd_user" "$slapd_keytab"
+
+# Install PAM/NSS integration packages.
+pkg install -y \
+ nss-pam-ldapd-sasl \
+ pam_krb5 \
+ perl5 \
+ p5-perl-ldap \
+ p5-Authen-SASL
+
+# Configure PAM/NSS integration.
+install_file -m 0644 \
+ /etc/nsswitch.conf \
+ /etc/pam.d/sshd
+
+install_template -m 0644 \
+ /usr/local/etc/nslcd.conf \
+ /etc/nscd.conf
+
+sysrc -v \
+ nslcd_enable=YES \
+ nscd_enable=YES
+
+service nslcd restart
+service nscd restart
+
+# Create ldap.conf symlink.
+ln -snfs "${slapd_conf_dir}/ldap.conf" /usr/local/etc/ldap.conf
+
+# Copy IDM helper scripts for SSH.
+install_file -m 0555 \
+ /usr/local/libexec/idm-ssh-known-hosts \
+ /usr/local/libexec/idm-ssh-authorized-keys