Diffstat (limited to 'scripts/hostclass')
-rw-r--r-- | scripts/hostclass/desktop | 66 | ||||
-rw-r--r-- | scripts/hostclass/idm_server/10-slapd | 13 | ||||
-rw-r--r-- | scripts/hostclass/idm_server/20-powerdns | 2 | ||||
-rw-r--r-- | scripts/hostclass/idm_server/30-kdc | 41 | ||||
-rw-r--r-- | scripts/hostclass/idm_server/40-unbound | 40 | ||||
-rw-r--r-- | scripts/hostclass/idm_server/90-idm | 96 |
6 files changed, 242 insertions, 16 deletions
diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop
index 2a85f16..561fb8d 100644
--- a/scripts/hostclass/desktop
+++ b/scripts/hostclass/desktop
@@ -10,11 +10,13 @@ pkg install -y \
 eclipse \
 firefox \
 git \
+ gnupg \
 krb5 \
 i3 \
 libreoffice \
 libva-intel-media-driver \
 networkmgr \
+ password-store \
 py${python_version}-pip \
 stow \
 terminus-font \
@@ -30,9 +32,11 @@ pkg install -y \
 case $desktop_type in
 i3)
 pkg install \
+ dunst \
 i3 \
 i3lock \
- i3status
+ i3status \
+ profanity
 ;;
 kde)
 pkg install \
@@ -100,3 +104,63 @@ esac # On some graphics cards, kern.vt.suspendswitch=1 (the default) breaks graphics # acceleration after resuming from sleep. set_sysctl kern.vt.suspendswitch="${vt_suspendswitch:-1}" + +# Fix xterm-256color termcap +# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280679 +cat <<'EOF' | tic -o /usr/local/share/site-terminfo - +xterm-256color|xterm with 256 colors, + am, bce, ccc, km, mc5i, mir, msgr, npc, xenl, + colors#0x100, cols#80, it#8, lines#24, pairs#0x10000, + acsc=``aaffggiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~, + bel=^G, blink=\E[5m, bold=\E[1m, cbt=\E[Z, civis=\E[?25l, + clear=\E[H\E[2J, cnorm=\E[?12l\E[?25h, cr=\r, + csr=\E[%i%p1%d;%p2%dr, cub=\E[%p1%dD, cub1=^H, + cud=\E[%p1%dB, cud1=\n, cuf=\E[%p1%dC, cuf1=\E[C, + cup=\E[%i%p1%d;%p2%dH, cuu=\E[%p1%dA, cuu1=\E[A, + cvvis=\E[?12;25h, dch=\E[%p1%dP, dch1=\E[P, dim=\E[2m, + dl=\E[%p1%dM, dl1=\E[M, ech=\E[%p1%dX, ed=\E[J, el=\E[K, + el1=\E[1K, flash=\E[?5h$<100/>\E[?5l, home=\E[H, + hpa=\E[%i%p1%dG, ht=^I, hts=\EH, ich=\E[%p1%d@, + il=\E[%p1%dL, il1=\E[L, ind=\n, indn=\E[%p1%dS, + initc=\E]4;%p1%d;rgb:%p2%{255}%*%{1000}%/%2.2X/%p3%{255}%*%{1000}%/%2.2X/%p4%{255}%*%{1000}%/%2.2X\E\\, + invis=\E[8m, is2=\E[!p\E[?3;4l\E[4l\E>, kDC=\E[3;2~, + kEND=\E[1;2F, kHOM=\E[1;2H, kIC=\E[2;2~, kLFT=\E[1;2D, + kNXT=\E[6;2~, kPRV=\E[5;2~, kRIT=\E[1;2C, ka1=\EOw, + ka3=\EOy, kb2=\EOu, kbs=^?, kc1=\EOq, kc3=\EOs, kcbt=\E[Z, + kcub1=\EOD, kcud1=\EOB, kcuf1=\EOC, kcuu1=\EOA, + kdch1=\E[3~, kend=\EOF, kent=\EOM, kf1=\EOP, kf10=\E[21~, + kf11=\E[23~, kf12=\E[24~, kf13=\E[1;2P, kf14=\E[1;2Q, + kf15=\E[1;2R, kf16=\E[1;2S, kf17=\E[15;2~, kf18=\E[17;2~, + kf19=\E[18;2~, kf2=\EOQ, kf20=\E[19;2~, kf21=\E[20;2~, + kf22=\E[21;2~, kf23=\E[23;2~, kf24=\E[24;2~, + kf25=\E[1;5P, kf26=\E[1;5Q, kf27=\E[1;5R, kf28=\E[1;5S, + kf29=\E[15;5~, kf3=\EOR, kf30=\E[17;5~, kf31=\E[18;5~, + kf32=\E[19;5~, kf33=\E[20;5~, kf34=\E[21;5~, + kf35=\E[23;5~, kf36=\E[24;5~, kf37=\E[1;6P, kf38=\E[1;6Q, + kf39=\E[1;6R, kf4=\EOS, 
kf40=\E[1;6S, kf41=\E[15;6~, + kf42=\E[17;6~, kf43=\E[18;6~, kf44=\E[19;6~, + kf45=\E[20;6~, kf46=\E[21;6~, kf47=\E[23;6~, + kf48=\E[24;6~, kf49=\E[1;3P, kf5=\E[15~, kf50=\E[1;3Q, + kf51=\E[1;3R, kf52=\E[1;3S, kf53=\E[15;3~, kf54=\E[17;3~, + kf55=\E[18;3~, kf56=\E[19;3~, kf57=\E[20;3~, + kf58=\E[21;3~, kf59=\E[23;3~, kf6=\E[17~, kf60=\E[24;3~, + kf61=\E[1;4P, kf62=\E[1;4Q, kf63=\E[1;4R, kf7=\E[18~, + kf8=\E[19~, kf9=\E[20~, khome=\EOH, kich1=\E[2~, + kind=\E[1;2B, kmous=\E[<, knp=\E[6~, kpp=\E[5~, + kri=\E[1;2A, mc0=\E[i, mc4=\E[4i, mc5=\E[5i, meml=\El, + memu=\Em, mgc=\E[?69l, nel=\EE, oc=\E]104\007, + op=\E[39;49m, rc=\E8, rep=%p1%c\E[%p2%{1}%-%db, + rev=\E[7m, ri=\EM, rin=\E[%p1%dT, ritm=\E[23m, rmacs=\E(B, + rmam=\E[?7l, rmcup=\E[?1049l\E[23;0;0t, rmir=\E[4l, + rmkx=\E[?1l\E>, rmm=\E[?1034l, rmso=\E[27m, rmul=\E[24m, + rs1=\Ec\E]104\007, rs2=\E[!p\E[?3;4l\E[4l\E>, sc=\E7, + setab=\E[%?%p1%{8}%<%t4%p1%d%e%p1%{16}%<%t10%p1%{8}%-%d%e48;5;%p1%d%;m, + setaf=\E[%?%p1%{8}%<%t3%p1%d%e%p1%{16}%<%t9%p1%{8}%-%d%e38;5;%p1%d%;m, + sgr=%?%p9%t\E(0%e\E(B%;\E[0%?%p6%t;1%;%?%p5%t;2%;%?%p2%t;4%;%?%p1%p3%|%t;7%;%?%p4%t;5%;%?%p7%t;8%;m, + sgr0=\E(B\E[m, sitm=\E[3m, smacs=\E(0, smam=\E[?7h, + smcup=\E[?1049h\E[22;0;0t, + smglr=\E[?69h\E[%i%p1%d;%p2%ds, smir=\E[4h, + smkx=\E[?1h\E=, smm=\E[?1034h, smso=\E[7m, smul=\E[4m, + tbc=\E[3g, u6=\E[%i%d;%dR, u7=\E[6n, + u8=\E[?%[;0123456789]c, u9=\E[c, vpa=\E[%i%p1%dd, +EOF diff --git a/scripts/hostclass/idm_server/10-slapd b/scripts/hostclass/idm_server/10-slapd index dc52a58..204c405 100644 --- a/scripts/hostclass/idm_server/10-slapd +++ b/scripts/hostclass/idm_server/10-slapd 
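Review bot: The 60-line terminfo source is embedded as a heredoc inside a shell provisioning script, which makes it hard to diff against the upstream ncurses entry that the linked bug report refers to; the sibling scripts in this same commit ship static content with `install_file`, so shipping this entry as a file and running `tic -o /usr/local/share/site-terminfo "$terminfo_src"` (constructed variable name) would keep the script readable and the data reviewable. A second point: `tic` reports entry errors on stderr and the pipeline's exit status is that of `tic`, but nothing in the hunk checks it, and whether the script runs under `set -e` is not visible here. The enclosing script continues beyond the hunk.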
@@ -10,10 +10,13 @@ : ${slapd_syncrepl_session_log:='1000'} : ${slapd_syncrepl_cleanup_age:='7'} : ${slapd_syncrepl_cleanup_interval:='1'} +: ${slapd_admin_role:='role-ldap-admin'} slapd_user=ldap slapd_data_dir=/var/db/openldap-data slapd_conf_dir=/usr/local/etc/openldap +slapd_socket=/var/run/openldap/ldapi +slapd_ldapi_uri="ldapi://$(echo "$slapd_socket" | sed 's|/|%2f|g')" slapd_tls_cert="${slapd_conf_dir}/slapd.crt" slapd_tls_key="${slapd_conf_dir}/slapd.key" slapd_replicator_tls_cert="${slapd_conf_dir}/replicator.crt" @@ -72,8 +75,8 @@ fi sysrc -v \ slapd_enable=YES \ slapd_cn_config=YES \ - slapd_flags="-h 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \ - slapd_sockets="/var/run/openldap/ldapi" \ + slapd_flags="-h '${slapd_ldapi_uri}/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \ + slapd_sockets="$slapd_socket" \ slapd_krb5_ktname="$slapd_keytab" service slapd restart @@ -151,6 +154,12 @@ objectClass: organizationalUnit ou: $(ldap_rdn_value "$roles_basedn") EOF + # cn=role-ldap-admin,ou=roles,ou=groups,ou=accounts,dc=example,dc=com + ldap_add "cn=${slapd_admin_role},${roles_basedn}" <<EOF +objectClass: groupOfMembers +cn: ${slapd_admin_role} +EOF + # ou=automount,dc=example,dc=com ldap_add "$automount_basedn" <<EOF objectClass: organizationalUnit diff --git a/scripts/hostclass/idm_server/20-powerdns b/scripts/hostclass/idm_server/20-powerdns index 4d42ee9..26abe52 100644 --- a/scripts/hostclass/idm_server/20-powerdns +++ b/scripts/hostclass/idm_server/20-powerdns @@ -40,7 +40,7 @@ objectClass: domainRelatedObject dc: ${domain} ${pdns_soa_record} ${pdns_ns_records} -$(echo "$idm_server_list" | awk '{print "aRecord: "$2}') +$(echo "$idm_server_list" | awk '{print "aRecord: "$3}') associatedDomain: ${domain} EOF diff --git a/scripts/hostclass/idm_server/30-kdc b/scripts/hostclass/idm_server/30-kdc index 4921688..abe040a 100644 --- a/scripts/hostclass/idm_server/30-kdc 
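Review bot: The new `cn=${slapd_admin_role},${roles_basedn}` entry is created empty and nothing in this hunk ties the role to any olcAccess rule or other privilege, so a reader cannot tell what membership in `role-ldap-admin` actually confers. If that binding lives in a slapd config template outside this diff, a one-line comment above the `ldap_add`, e.g. `# Membership grants LDAP admin access; the olcAccess rules are in <slapd config template>`, would save the next maintainer a search. The `slapd_ldapi_uri` derivation percent-encodes only `/`, which is sufficient for the fixed `slapd_socket` path; a short comment saying so would pre-empt anyone pointing `slapd_socket` at a path with other reserved characters. The `if` block around the third hunk starts and ends outside the hunk.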
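Review bot: The awk column switch from `$2` to `$3` on `$idm_server_list` is a silent positional dependency on a record format defined elsewhere; nothing in the hunk says what each field holds, so the next format change will break this A record again without any error. A comment pinning the assumption, `# field 3 of idm_server_list is the server's IPv4 address (aRecord)`, would make the dependency visible; I am inferring the IPv4 meaning from the `aRecord:` attribute, not from anything else in the hunk. The heredoc this line sits in starts outside the hunk.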
+++ b/scripts/hostclass/idm_server/30-kdc @@ -1,12 +1,43 @@ #!/bin/sh +kdc_conf_dir=/usr/local/var/krb5kdc +kdc_master_key_path="${kdc_conf_dir}/master_key" + +: ${kdc_max_life:='24h'} +: ${kdc_max_renewable_life:='7d'} + # Install MIT kerberos. pkg install -y krb5 +# Generate the system kerberos configuration. +install_template -m 0644 /etc/krb5.conf +ln -snfv /etc/krb5.conf /usr/local/etc/krb5.conf + +# Generate KDC configuration files. +install_template -m 0644 \ + "${kdc_conf_dir}/kdc.conf" \ + "${kdc_conf_dir}/kadm5.acl" + +# If the realm does not exist in LDAP, create it. Otherwise, stash the master key. +if is_primary_server && ! ldap_dn_exists "$kdc_basedn"; then + kdb5_ldap_util -P "$kdc_master_key" create -subtrees "$accounts_basedn" -sscope SUB -s +elif ! [ -f "$kdc_master_key_path" ]; then + kdb5_util -P "$kdc_master_key" stash +fi + +# Start the KDC and kadmind. +sysrc -v \ + kdc_program=/usr/local/sbin/krb5kdc \ + kadmind_program=/usr/local/sbin/kadmind \ + kdc_flags="" \ + kdc_enable=YES \ + kadmind_enable=YES + +service kdc restart +service kadmind restart + +# Create the boxconf administrative user. if is_primary_server; then - # ou=kdc,dc=example,dc=com - ldap_add "$kdc_basedn" <<EOF -objectClass: organizationalUnit -ou: $(ldap_rdn_value "$dns_basedn") -EOF + kadmin.local get_principal -terse "$boxconf_username" \ + || kadmin.local add_principal -pw "$boxconf_password" -x "containerdn=${robots_basedn}" "$boxconf_username" fi diff --git a/scripts/hostclass/idm_server/40-unbound b/scripts/hostclass/idm_server/40-unbound new file mode 100644 index 0000000..39f1317 --- /dev/null +++ b/scripts/hostclass/idm_server/40-unbound 
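Review bot: `kdb5_ldap_util -P "$kdc_master_key"`, `kdb5_util -P "$kdc_master_key" stash` and `kadmin.local add_principal -pw "$boxconf_password"` all place a secret in the process argument list, which other local users can read through `ps` for the lifetime of each command. I am not aware of a non-interactive stdin alternative to `-P`/`-pw` in the MIT tools, so at minimum the exposure should be stated next to the `if`, e.g. `# NOTE: master key and boxconf password are passed on argv and are visible in ps while these run; keep security.bsd.see_other_uids=0 on IDM hosts`, and bootstrap should not run while untrusted local accounts exist. The `elif ! [ -f "$kdc_master_key_path" ]` branch also assumes the realm already exists in LDAP on non-primary servers, which is an ordering dependency on the primary having finished; a comment on the `if` would make that explicit.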
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+unbound_user=unbound
+unbound_conf_dir=/usr/local/etc/unbound
+unbound_blocklist_dir="${unbound_conf_dir}/blocklists"
+unbound_blocklist_url_file="${unbound_conf_dir}/blocklist_urls"
+
+: ${unbound_blocklist_urls:=''}
+: ${unbound_cache_max_negative_ttl:='60'}
+: ${unbound_rrset_cache_size:='104857600'} # 100 MB
+: ${unbound_msg_cache_size:='52428800'} # 50 MB
+: ${unbound_slabs:='2'}
+: ${unbound_insecure_domains:=''}
+: ${unbound_local_zones:=''}
+: ${unbound_local_data:=''}
+: ${unbound_blocklists:=''}
+: ${unbound_threads:="$nproc"}
+
+# Install unbound recursive resolver.
+pkg install -y unbound
+
+# Generate unbound configuration.
+install_directory -m 0755 -o "$unbound_user" "$unbound_blocklist_dir"
+install_template -m 0644 "${unbound_conf_dir}/unbound.conf"
+
+# Download blocklists.
+echo "$unbound_blocklists" | tee "$unbound_blocklist_url_file"
+install_file -m 0755 /usr/local/libexec/idm-update-unbound-blocklists
+su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}"
+
+# Enable and start unbound.
+sysrc -v unbound_enable=YES
+service unbound restart
+
+# Now we are ready to us unbound as the local resolver.
+install_template -m 0644 /etc/resolv.conf
+
+# Update blocklists with a cron job.
+echo "@daily root su -m ${unbound_user} -c \"/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}\" && service unbound reload" \
+ | tee /etc/cron.d/idm-update-unbound-blocklists
diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm
index 7881f14..0a28491 100644
--- a/scripts/hostclass/idm_server/90-idm
+++ b/scripts/hostclass/idm_server/90-idm
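Review bot: `unbound_blocklist_urls` is given a default near the top of the file but is never used; the URL file is written from `unbound_blocklists` instead (`echo "$unbound_blocklists" | tee "$unbound_blocklist_url_file"`), so one of the two names is wrong and a caller who sets `unbound_blocklist_urls` silently gets an empty blocklist. Either change the write to `echo "$unbound_blocklist_urls" | tee "$unbound_blocklist_url_file"` or drop the unused default, whichever matches what the unbound.conf template reads. The comment `# Now we are ready to us unbound as the local resolver.` should read `use`. `: ${unbound_threads:="$nproc"}` also relies on `nproc` being exported by an earlier script, which is not visible in this diff.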
@@ -1,9 +1,91 @@ #!/bin/sh -# Create host object for this server -# Create ldap service principal for this server -# Create A record -# Create PTR record -# Create boxconf user -# Create sudo rules -# Create admin group +# Create host object. +ldap_add "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF +objectClass: device +objectClass: domainRelatedObject +objectClass: ldapPublicKey +cn: ${BOXCONF_HOSTNAME} +associatedDomain: ${fqdn} +$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /') +description: $(uname -mrs) ${BOXCONF_HOSTCLASS} +EOF + +# Update attributes that may have changed. +ldap_modify "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF +replace: sshPublicKey +$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /') +- +replace: description +description: $(uname -mrs) ${BOXCONF_HOSTCLASS} +EOF + +# Create A record. +ldap_add "dc=${BOXCONF_HOSTNAME},dc=${domain},${dns_basedn}" <<EOF +objectClass: dNSDomain +objectClass: domainRelatedObject +dc: ${BOXCONF_HOSTNAME} +aRecord: ${BOXCONF_DEFAULT_IPV4} +associatedDomain: ${fqdn} +EOF + +# Create PTR record. +rdns=$(ip2rdns "$BOXCONF_DEFAULT_IPV4") +ldap_add "dc=${rdns%%.*},dc=${rdns#*.},${dns_basedn}" <<EOF +objectClass: dNSDomain2 +objectClass: domainRelatedObject +dc: ${rdns%%.*} +pTRRecord: ${fqdn} +associatedDomain: ${rdns} +EOF + +# Create host principal. +kadmin.local get_principal -terse "host/${fqdn}" \ + || kadmin.local add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}" + +# Create ldap service principal. +kadmin.local get_principal -terse "ldap/${fqdn}" \ + || kadmin.local add_principal -nokey -x "containerdn=${services_basedn}" "ldap/${fqdn}" + +# Create state dataset to persist keytabs across OS rebuilds. +create_dataset -o "mountpoint=${keytab_dir}" "${state_dataset}/keytabs" + +# Export host keytab. 
+[ -f "${keytab_dir}/host.keytab" ] || kadmin.local ktadd -k "${keytab_dir}/host.keytab" -q "host/${fqdn}" +ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab + +# Export slapd keytab. +[ -f "$slapd_keytab" ] || kadmin.local ktadd -k "$slapd_keytab" -q "ldap/${fqdn}" +chown "$slapd_user" "$slapd_keytab" + +# Install PAM/NSS integration packages. +pkg install -y \ + nss-pam-ldapd-sasl \ + pam_krb5 \ + perl5 \ + p5-perl-ldap \ + p5-Authen-SASL + +# Configure PAM/NSS integration. +install_file -m 0644 \ + /etc/nsswitch.conf \ + /etc/pam.d/sshd + +install_template -m 0644 \ + /usr/local/etc/nslcd.conf \ + /etc/nscd.conf + +sysrc -v \ + nslcd_enable=YES \ + nscd_enable=YES + +service nslcd restart +service nscd restart + +# Create ldap.conf symlink. +ln -snfs "${slapd_conf_dir}/ldap.conf" /usr/local/etc/ldap.conf + +# Copy IDM helper scripts for SSH. +install_file -m 0555 \ + /usr/local/libexec/idm-ssh-known-hosts \ + /usr/local/libexec/idm-ssh-authorized-keys |
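Review bot: `ln -snfs "${slapd_conf_dir}/ldap.conf" /usr/local/etc/ldap.conf` passes `-s` twice where every other symlink in this commit uses `-snfv`; it works, but it reads like a typo for `-snfv` and drops the verbose output the others have. The slapd keytab is only `chown`ed after export; its mode is whatever `kadmin.local ktadd` created, or whatever a pre-existing file already had since the `[ -f "$slapd_keytab" ] ||` guard skips the export, so an explicit `chmod 0600 "$slapd_keytab"` beside the `chown` pins the keytab's permissions regardless of history. The same consideration applies to `${keytab_dir}/host.keytab`, which is symlinked to `/etc/krb5.keytab` with no ownership or mode set at all.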