Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/hostclass/asterisk_server | 7 | ||||
-rw-r--r-- | scripts/hostclass/bitwarden_server | 1 | ||||
-rw-r--r-- | scripts/hostclass/dav_server | 12 | ||||
-rw-r--r-- | scripts/hostclass/desktop | 17 | ||||
-rw-r--r-- | scripts/hostclass/idm_server/90-idm | 5 | ||||
-rw-r--r-- | scripts/hostclass/nfs_server/10-nfs | 1 | ||||
-rw-r--r-- | scripts/hostclass/pkg_repository | 10 | ||||
-rw-r--r-- | scripts/hostclass/public_webserver | 6 | ||||
-rw-r--r-- | scripts/hostclass/smtp_server/20-postfix | 5 | ||||
-rw-r--r-- | scripts/hostclass/unifi_controller | 4 | ||||
-rw-r--r-- | scripts/hostclass/xmpp_server | 28 | ||||
-rw-r--r-- | scripts/hostname/desktop2 | 24 | ||||
-rw-r--r-- | scripts/hostname/nfs1/10-homedirs | 6 | ||||
-rw-r--r-- | scripts/hostname/nfs1/20-shares | 34 | ||||
-rw-r--r-- | scripts/hostname/nfs1/30-autofs | 10 | ||||
-rw-r--r-- | scripts/os/freebsd/10-bootloader | 2 | ||||
-rw-r--r-- | scripts/os/freebsd/50-idm | 8 | ||||
-rw-r--r-- | scripts/os/freebsd/80-microcode | 12 |
18 files changed, 136 insertions, 56 deletions
diff --git a/scripts/hostclass/asterisk_server b/scripts/hostclass/asterisk_server index dcd2675..30699d8 100644 --- a/scripts/hostclass/asterisk_server +++ b/scripts/hostclass/asterisk_server @@ -34,6 +34,8 @@ asterisk_public_tls_cert="${acme_cert_dir}/asterisk.crt" asterisk_public_tls_key="${acme_cert_dir}/asterisk.key" asterisk_conf_dir=/usr/local/etc/asterisk +asterisk_sound_dir=/usr/local/share/asterisk/sounds/en +asterisk_g722_tarball=https://downloads.asterisk.org/pub/telephony/sounds/asterisk-core-sounds-en-g722-current.tar.gz asterisk_db_dir=/var/db/asterisk asterisk_user=asterisk @@ -50,6 +52,11 @@ zfs set \ "${state_dataset}/asterisk" install_directory -o "$asterisk_user" -g "$asterisk_user" -m 0755 "$asterisk_db_dir" +# Download G722 sounds. +if ! [ -f "${asterisk_sound_dir}/hello-world.g722" ]; then + curl -fL "$asterisk_g722_tarball" | tar xf - -C "$asterisk_sound_dir" +fi + # Generate asterisk configuration. install_file -m 0644 \ "${asterisk_conf_dir}/extensions.conf" \ diff --git a/scripts/hostclass/bitwarden_server b/scripts/hostclass/bitwarden_server index ff67c3e..f300b0d 100644 --- a/scripts/hostclass/bitwarden_server +++ b/scripts/hostclass/bitwarden_server @@ -15,6 +15,7 @@ vaultwarden_client_keytab="${keytab_dir}/vaultwarden.client.keytab" pkg install -y \ vaultwarden \ + ca_root_nss \ nginx # Create vaultwarden principal and keytab. diff --git a/scripts/hostclass/dav_server b/scripts/hostclass/dav_server index a69c072..e39b08c 100644 --- a/scripts/hostclass/dav_server +++ b/scripts/hostclass/dav_server @@ -9,6 +9,7 @@ : ${davical_branch:='master'} : ${davical_awl_repo:='https://gitlab.com/davical-project/awl.git'} : ${davical_awl_branch:='master'} +: ${davical_admins:=''} davical_dn="uid=${davical_username},${robots_basedn}" davical_repo_dir=/usr/local/www/davical 
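Review bot: The new sound download on the asterisk_server hunk pipes `curl` straight into `tar` with no integrity check, so whatever is served at `$asterisk_g722_tarball` (or a truncated download — `/bin/sh` has no `pipefail`, and neither tar's nor curl's status is examined) is unpacked into `$asterisk_sound_dir`. Download to a temporary file, verify it against a pinned digest held in a new `asterisk_g722_sha256` variable next to `asterisk_g722_tarball` (upstream publishes `.sha1`/`.sha256` files beside the tarball that can seed the pin), and only then extract; FreeBSD's `sha256 -c` exits non-zero on mismatch, which is what the sketch below relies on. The `hello-world.g722` marker also means a partial extraction that happened to include that file is never repaired, so extract into the directory only after the archive has been verified.
```sh
# Download G722 sounds, verified against a pinned digest before extraction.
if ! [ -f "${asterisk_sound_dir}/hello-world.g722" ]; then
  tarball=$(mktemp -t asterisk-g722) || exit 1
  curl -fL -o "$tarball" "$asterisk_g722_tarball" || exit 1
  sha256 -c "$asterisk_g722_sha256" "$tarball" >/dev/null || exit 1
  tar xf "$tarball" -C "$asterisk_sound_dir" || exit 1
  rm -f "$tarball"
fi
```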
@@ -105,6 +106,17 @@ if ! davical_psql -c 'SELECT 1 FROM awl_db_revision'; then davical_psql -c "delete from usr where username = 'admin'" fi +if [ -n "$davical_admins" ]; then + # Note: This won't work until each admin in $davical_admins has logged in + # at least once. + davical_psql -c \ + "INSERT INTO role_member (user_no, role_no) + SELECT user_no, (SELECT role_no FROM roles WHERE role_name = 'Admin') + FROM usr + WHERE username in ('$(join "','" $davical_admins)') + ON CONFLICT DO NOTHING" +fi + # Copy TLS certificate for nginx. install_certificate nginx "$davical_https_cert" install_certificate_key nginx "$davical_https_key" diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop index bddce05..629ebc0 100644 --- a/scripts/hostclass/desktop +++ b/scripts/hostclass/desktop @@ -27,13 +27,14 @@ set_loader_conf \ linux_load=YES \ linux64_load=YES +# Enable FUSE. +set_loader_conf fusefs_load=YES + # Install packages common to all DEs. pkg install -y $desktop_common_packages -# Install scripts for creating local (non-NFS) home directories. -install_file -m 0555 \ - /usr/local/libexec/pam-create-local-homedir \ - /etc/profile.d/local-homedir.sh +# Install profile script for improving experience on NFS homedirs. +install_file -m 0555 /etc/profile.d/local-homedir.sh # Create ZFS dataset for local homedirs. create_dataset -o mountpoint=/usr/local/home "${state_dataset}/home" @@ -66,6 +67,9 @@ service webcamd status || service webcamd start install_file -m 0644 /usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop install_file -m 0555 /usr/local/libexec/nss-trust-root-ca +# Install gajim desktop file. +install_file -m 0644 /usr/local/share/applications/gajim.desktop + case $desktop_type in i3) pkg install -y $desktop_i3_packages 
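Review bot: In the dav_server hunk `$davical_admins` is spliced character-for-character into the SQL passed to `davical_psql -c`, which offers no parameter binding, so a username containing a single quote breaks or alters the statement; validate each name before use, e.g. `for a in $davical_admins; do case $a in *[!A-Za-z0-9@._-]*) echo "invalid davical_admins entry: $a" >&2; exit 1;; esac; done`. The `INSERT … SELECT … ON CONFLICT DO NOTHING` also grants nothing, silently, for any admin who has not logged in yet (as the comment notes), so a misspelled name is indistinguishable from a not-yet-seen one — consider adding `RETURNING user_no` or a follow-up `SELECT username` so the operator can see who was actually promoted. `join` is a helper not visible in this hunk; whether it escapes its arguments is unknown from here.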
@@ -97,6 +101,11 @@ case $desktop_type in /usr/local/etc/xdg/plasma-workspace/shutdown install_file -m 0555 /usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh + # Disable user switching + # Broken with consolekit: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221452 + # VT switch causes loss of graphics acceleration: https://github.com/freebsd/drm-kmod/issues/175 + install_file -m 0644 /usr/local/etc/xdg/kdeglobals + # Enable sddm. sysrc -v sddm_enable=YES ;; diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm index eadd621..260e52b 100644 --- a/scripts/hostclass/idm_server/90-idm +++ b/scripts/hostclass/idm_server/90-idm @@ -68,11 +68,12 @@ pkg install -y \ pam_mkhomedir # Configure PAM/NSS integration. +install_template -m 0644 \ + /etc/pam.d/login \ + /etc/pam.d/sshd install_file -m 0644 \ /etc/nsswitch.conf \ /etc/pam.d/system \ - /etc/pam.d/login \ - /etc/pam.d/sshd \ /etc/pam.d/sudo \ /etc/pam.d/su \ /etc/pam.d/other diff --git a/scripts/hostclass/nfs_server/10-nfs b/scripts/hostclass/nfs_server/10-nfs index a775859..6ab8436 100644 --- a/scripts/hostclass/nfs_server/10-nfs +++ b/scripts/hostclass/nfs_server/10-nfs @@ -48,3 +48,4 @@ install_template -m 0644 /etc/exports for service in gssd nfsuserd mountd nfsd; do service "$service" status || service "$service" start done +service mountd reload diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository index 7044f96..86e6b2c 100644 --- a/scripts/hostclass/pkg_repository +++ b/scripts/hostclass/pkg_repository 
@@ -83,9 +83,11 @@ for version in $poudriere_versions; do abi="FreeBSD:${version%%.*}:$(uname -p)" [ -d "${poudriere_data_dir}/jails/${jail}" ] || poudriere jail -c -j "$jail" -v "$version" - poudriere jail -u -j "$jail" - poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm - poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest + poudriere jail -u -j "$jail" + poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm + poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm -y + poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest + poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest -y install_directory -m 0755 "${poudriere_data_dir}/data/packages/${abi}" ln -snfv "../${jail}-latest" "${poudriere_data_dir}/data/packages/${abi}/latest" @@ -102,7 +104,7 @@ install_directory -m 0555 "${poudriere_data_dir}/data/packages/poudriere" # Create cron job to update packages automatically. install_file -m 0555 /usr/local/libexec/poudriere-cron -install_file -m 0644 /etc/cron.d/poudriere +install_template -m 0644 /etc/cron.d/poudriere # Now that we have a valid repo, switch the pkg repo to the local filesystem. install_directory -m 0755 \ diff --git a/scripts/hostclass/public_webserver b/scripts/hostclass/public_webserver index 3877313..e92149f 100644 --- a/scripts/hostclass/public_webserver +++ b/scripts/hostclass/public_webserver @@ -20,8 +20,8 @@ zfs set \ "${state_dataset}/vhosts" # Configure nginx. -install_template -m 0644 /usr/local/etc/nginx/nginx.conf -install -Cv -m 0644 /dev/null /usr/local/etc/nginx/vhosts.conf +install_template -m 0644 "${nginx_conf_dir}/nginx.conf" +[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf" sysrc -v nginx_enable=YES service nginx restart 
@@ -37,7 +37,7 @@ for certname in $acme_certs; do done # Now that we have the ACME certs, add the vhosts. -install_template -m 0644 /usr/local/etc/nginx/vhosts.conf +install_template -m 0644 "${nginx_conf_dir}/vhosts.conf" service nginx restart # If any acmeproxy_domains were specified, setup the SFTP proxy. diff --git a/scripts/hostclass/smtp_server/20-postfix b/scripts/hostclass/smtp_server/20-postfix index 68ac474..795e574 100644 --- a/scripts/hostclass/smtp_server/20-postfix +++ b/scripts/hostclass/smtp_server/20-postfix @@ -38,10 +38,10 @@ ln -snfv "$postfix_keytab" "/var/krb5/user/${postfix_uid}/client.keytab" # Generate postfix configuration. install_template -m 0644 \ "${postfix_conf_dir}/main.cf" \ + "${postfix_conf_dir}/master.cf" \ "${postfix_conf_dir}/virtual_mailboxes.cf" \ "${postfix_conf_dir}/virtual_aliases.cf" \ /usr/local/lib/sasl2/smtpd.conf -install_file -m 0644 "${postfix_conf_dir}/master.cf" # Allow postfix to read the saslauthd socket. install_directory -m 0750 -o "$saslauthd_user" -g "$postfix_user" "$saslauthd_runtime_dir" @@ -54,10 +54,9 @@ if [ "$postfix_public_fqdn" != "$fqdn" ]; then # Acquire public TLS certificate. install_template -m 0600 /usr/local/etc/sudoers.d/acme acme_install_certificate \ - -c "$postfix_public_tls_cert" \ - -k "$postfix_public_tls_key" \ -g "$postfix_user" \ -r 'sudo service postfix reload' \ + postfix \ "$postfix_public_fqdn" fi diff --git a/scripts/hostclass/unifi_controller b/scripts/hostclass/unifi_controller index 9fd161e..96558e1 100644 --- a/scripts/hostclass/unifi_controller +++ b/scripts/hostclass/unifi_controller 
@@ -33,6 +33,10 @@ service unifi status && service unifi stop [ -f "${unifi_home}/data/keystore" ] || install -Cv -o "$unifi_user" -g "$unifi_user" -m 0600 /dev/null "${unifi_home}/data/keystore" su -m "$unifi_user" -c "java -jar ${unifi_home}/lib/ace.jar import_key_cert ${unifi_https_key} ${unifi_https_cert} ${site_cacert_path}" +# Add root CA to java keystore. +keytool -list -cacerts -storepass changeit -alias "$site" \ + || keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias "$site" -file "$site_cacert_path" + # Disable analytics. install_directory -m 0640 -o "$unifi_user" -g "$unifi_user" \ "${unifi_home}/data/sites" \ diff --git a/scripts/hostclass/xmpp_server b/scripts/hostclass/xmpp_server index 1889447..667014f 100644 --- a/scripts/hostclass/xmpp_server +++ b/scripts/hostclass/xmpp_server @@ -7,7 +7,7 @@ : ${prosody_admins:=''} : ${prosody_public_fqdn:="$fqdn"} : ${prosody_domains:="$email_domain"} -: ${prosody_ldap_passwd:='changeme'} +: ${prosody_ldap_password:='changeme'} : ${prosody_dbname:='prosody'} : ${prosody_dbhost:="$postgres_host"} : ${prosody_access_role:='xmpp-access'} @@ -24,10 +24,11 @@ prosody_dn="uid=${prosody_username},${robots_basedn}" prosody_local_user=prosody prosody_conf_dir=/usr/local/etc/prosody prosody_certs_dir="${prosody_conf_dir}/certs" -prosody_keytab="${keytab_dir}/prosody.keytab" +prosody_keytab="${keytab_dir}/prosody.client.keytab" prosody_roster_path="${prosody_conf_dir}/roster.ini" prosody_http_port=8080 -prosody_upload_dir=/var/db/prosody/http_upload +prosody_db_dir=/var/db/prosody +prosody_upload_dir="${prosody_db_dir}/http_upload" prosody_https_cacert="${acme_cert_dir}/nginx.ca.crt" prosody_https_cert="${acme_cert_dir}/nginx.crt" 
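Review bot: The guard on the new keytool lines in the unifi_controller hunk checks only that an alias named `$site` exists, so once the site CA is rotated the stale certificate stays trusted and the replacement is never imported; delete and re-import unconditionally, `keytool -delete -cacerts -storepass changeit -alias "$site" >/dev/null 2>&1; keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias "$site" -file "$site_cacert_path" || exit 1`, or compare fingerprints first. The `|| exit 1` matters because a failed import currently lets the script continue with a JVM that does not trust the site CA. Note also that `-cacerts` writes into the JDK's package-owned trust store using its default password, so a JDK upgrade that replaces that file will silently drop the CA until this script is re-run — a comment to that effect, e.g. `# Written into the JDK's cacerts store; re-run after a JDK upgrade.`, is worth adding.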
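Review bot: Renaming `prosody_ldap_passwd` to `prosody_ldap_password` in the first xmpp_server hunk while keeping the `'changeme'` default means any host config that still sets the old name now silently provisions prosody with the literal password `changeme` instead of failing. Either honour the old name for one release, `: ${prosody_ldap_password:="${prosody_ldap_passwd:-changeme}"}`, or better drop the default and fail fast with `: ${prosody_ldap_password:?must be set}` so a missing credential cannot pass unnoticed. The `prosody.keytab` → `prosody.client.keytab` rename in the second hunk has the same shape: an existing keytab at the old path is not moved, and whether the keytab is regenerated later in this file is outside the hunk.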
@@ -42,10 +43,8 @@ pkg install -y \ nginx # Create ZFS dataset for HTTP upload files. -create_dataset -o "mountpoint=${prosody_upload_dir}" "${state_dataset}/http_upload" - -# Set ownership on http_upload directory. -install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_upload_dir" +create_dataset -o "mountpoint=${prosody_db_dir}" "${state_dataset}/prosody" +install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_db_dir" # Create prosody user private group. ldap_add "cn=${prosody_username},${private_groups_basedn}" <<EOF 
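Review bot: The dataset moves from `${state_dataset}/http_upload` (mounted at the upload directory) to `${state_dataset}/prosody` (mounted one level up), but nothing migrates the old dataset: on an already-provisioned host it stays mounted at `${prosody_db_dir}/http_upload`, now nested under the new mountpoint, and whether `create_dataset` tolerates an existing mount inside its target is not visible here. Add a one-shot migration after the new parent exists, e.g. `zfs list "${state_dataset}/http_upload" >/dev/null 2>&1 && zfs rename "${state_dataset}/http_upload" "${state_dataset}/prosody/http_upload"`, which keeps the uploads (and the explicit mountpoint they already have) instead of leaving them orphaned. Also confirm the new `-m 0750` on `$prosody_db_dir` still leaves the nested `http_upload` mountpoint writable by `$prosody_local_user`.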
@@ -98,27 +97,28 @@ install_template -o root -g "$prosody_local_user" -m 0640 /usr/local/etc/prosody # Configure automatic roster. install_file -m 0555 /usr/local/libexec/prosody-update-roster install -Cv -m 0640 -o "$prosody_local_user" -g "$prosody_local_user" /dev/null "${prosody_conf_dir}/roster.ini" -su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} > ${prosody_roster_path}" +su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} ${prosody_roster_path}" # Copy prosody crontab. install_template -m 0644 /etc/cron.d/prosody # Configure nginx. -install_template -m 0644 /usr/local/etc/nginx/nginx.conf +install_template -m 0644 "${nginx_conf_dir}/nginx.conf" +[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf" sysrc -v nginx_enable=YES service nginx restart +# Retrieve webserver certificate via ACME. install_template -m 0600 /usr/local/etc/sudoers.d/acme acme_install_certificate \ - -C "$prosody_https_cacert" \ - -c "$prosody_https_cert" \ - -k "$prosody_https_key" \ -g "$nginx_user" \ -r 'sudo service nginx reload' \ + nginx \ "$prosody_public_fqdn" -# Now that we have the ACME certs, add the nginx vhost. -install_template -m 0644 /usr/local/etc/nginx/vhosts.conf +# Now that we have the ACME certs, add the vhosts. +install_template -m 0644 "${nginx_conf_dir}/vhosts.conf" +service nginx restart # Enable and start daemons. sysrc -v prosody_enable=YES diff --git a/scripts/hostname/desktop2 b/scripts/hostname/desktop2 new file mode 100644 index 0000000..0e6e551 --- /dev/null +++ b/scripts/hostname/desktop2 
@@ -0,0 +1,24 @@ +#!/bin/sh + +# This desktop has USB speakers and webcam USB microphone, so sndio can't +# use both at the same time. This creates a virtual device combining both +# of them into one virutal sound card. +# +# Because the virtual soundcard is installed to /dev/dsp, it will +# automatically be used as the default. + +playback_device=1 +recording_device=0 +samplerate=48000 +bits=16 +buffer_ms=25 +microphone_gain=50 + +pkg install -y virtual_oss +sysrc -v \ + virtual_oss_enable=YES \ + virtual_oss_dsp="-T /dev/sndstat -C 2 -c 2 -S -r ${samplerate} -b ${bits} -s ${buffer_ms}ms -O /dev/dsp${playback_device} -R /dev/dsp${recording_device} -d dsp -t vsdp.ctl" +service virtual_oss restart + +set_loader_conf "hint.pcm.${recording_device}.mic=${microphone_gain}" +set_loader_conf "hint.pcm.${playback_device}.pcm=100" diff --git a/scripts/hostname/nfs1/10-homedirs b/scripts/hostname/nfs1/10-homedirs index 3a6d923..db0c1e0 100644 --- a/scripts/hostname/nfs1/10-homedirs +++ b/scripts/hostname/nfs1/10-homedirs @@ -1,8 +1,12 @@ #!/bin/sh -default_priv_quota=250G +default_priv_quota=50G default_pub_quota=10G +# Format: username:privquota:pubquota. For example: +# nfs_homedirs='joe:250G:10G jane:250G' +# nfs_groupdirs='sysadmins:250G doefamily:100G:10G' + # Create user home directories. for userquota in ${nfs_homedirs:-}; do user=$(echo "$userquota" | awk -F: '{print $1}') diff --git a/scripts/hostname/nfs1/20-shares b/scripts/hostname/nfs1/20-shares index beb3b11..0dd6ddb 100644 --- a/scripts/hostname/nfs1/20-shares +++ b/scripts/hostname/nfs1/20-shares 
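Review bot: In the nfs1/10-homedirs hunk `default_priv_quota` drops from 250G to 50G, and the loop that follows (its body continues outside the hunk) applies that default to every `nfs_homedirs` entry that omits a quota; if the loop re-applies `zfs set quota` on an existing dataset — not visible here — re-running the script shrinks existing homes to 50G, leaving users above that unable to write. Either pin the previous value per user in `nfs_homedirs` before rolling this out, or have the loop leave an existing larger quota alone, and say so in the new format comment, e.g. `# An omitted quota applies the default and is re-applied on every run.`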
@@ -1,16 +1,22 @@ #!/bin/sh -# media/music -create_dataset -p "${nfs_dataset}/media/music" -zfs set \ - compression=off \ - com.sun:auto-snapshot:daily=true \ - com.sun:auto-snapshot:weekly=true \ - "${nfs_dataset}/media/music" -chgrp media-admin "${nfs_root}/media/music" -chmod 2770 "${nfs_root}/media/music" -set_facl "${nfs_root}/media/music" \ - group:media-admin:rwpDdaARWcs:fd:allow \ - group:media-admin:x:d:allow \ - group:media-access:raRcs:fd:allow \ - group:media-access:x:d:allow +media_access_group='media-access' +media_admin_group='media-admin' +media_shares='music shows movies audiobooks roms books scores isos' + +# media shares +for share in $media_shares; do + create_dataset -p "${nfs_dataset}/media/${share}" + zfs set \ + compression=off \ + com.sun:auto-snapshot:daily=true \ + com.sun:auto-snapshot:weekly=true \ + "${nfs_dataset}/media/${share}" + chgrp "$media_admin_group" "${nfs_root}/media/${share}" + chmod 2770 "${nfs_root}/media/${share}" + set_facl "${nfs_root}/media/${share}" \ + "group:${media_admin_group}:rwpDdaARWcs:fd:allow" \ + "group:${media_admin_group}:x:d:allow" \ + "group:${media_access_group}:raRcs:fd:allow" \ + "group:${media_access_group}:x:d:allow" +done diff --git a/scripts/hostname/nfs1/30-autofs b/scripts/hostname/nfs1/30-autofs index fe3a468..a7153d4 100644 --- a/scripts/hostname/nfs1/30-autofs +++ b/scripts/hostname/nfs1/30-autofs @@ -72,9 +72,11 @@ automountKey: /nfs/media automountInformation: auto_media ${nfs_mount_opts} EOF -# auto_media: music -ldap_add "automountKey=music,automountMapName=auto_media,${automount_basedn}" <<EOF +# auto_media: music, movies, etc +for share in $media_shares; do + ldap_add "automountKey=${share},automountMapName=auto_media,${automount_basedn}" <<EOF objectClass: automount -automountKey: music -automountInformation: ${fqdn}:/media/music +automountKey: ${share} +automountInformation: ${fqdn}:/media/${share} EOF +done 
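Review bot: The new loop in nfs1/30-autofs iterates `$media_shares`, but that variable is assigned in a different file (nfs1/20-shares); unless the per-host scripts are sourced into one shell in lexical order, it is empty here and the loop silently creates no automount entries while the exports still exist. Guard the dependency at the top of 30-autofs with `: ${media_shares:?set in 20-shares}` so it fails loudly, or move the share list into a hostname-level config both scripts read. The same applies to `media_access_group`/`media_admin_group` if other scripts come to depend on them.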
diff --git a/scripts/os/freebsd/10-bootloader b/scripts/os/freebsd/10-bootloader index 3209927..a5c8908 100644 --- a/scripts/os/freebsd/10-bootloader +++ b/scripts/os/freebsd/10-bootloader @@ -11,7 +11,7 @@ install_file -m 0644 /etc/ttys kill -HUP 1 set_loader_conf \ - autoboot_delay=1 \ + autoboot_delay=3 \ beastie_disable=YES \ cc_htcp_load=YES \ kern.geom.label.disk_ident.enable=0 \ diff --git a/scripts/os/freebsd/50-idm b/scripts/os/freebsd/50-idm index 1585c6f..1e5e877 100644 --- a/scripts/os/freebsd/50-idm +++ b/scripts/os/freebsd/50-idm @@ -18,12 +18,16 @@ pkg install -y \ p5-Authen-SASL \ pam_mkhomedir +# Script to create /usr/local/home/${USER} on login. +install_file -m 0555 /usr/local/libexec/pam-create-local-homedir + # Configure PAM/NSS integration. +install_template -m 0644 \ + /etc/pam.d/login \ + /etc/pam.d/sshd install_file -m 0644 \ /etc/nsswitch.conf \ /etc/pam.d/system \ - /etc/pam.d/login \ - /etc/pam.d/sshd \ /etc/pam.d/sudo \ /etc/pam.d/su \ /etc/pam.d/other diff --git a/scripts/os/freebsd/80-microcode b/scripts/os/freebsd/80-microcode index f9e213e..0d2a910 100644 --- a/scripts/os/freebsd/80-microcode +++ b/scripts/os/freebsd/80-microcode @@ -7,8 +7,12 @@ if [ "$BOXCONF_VIRTUALIZATION_TYPE" != none ]; then return fi -pkg install -y cpu-microcode +if [ "${enable_microcode_updates:-}" = false ]; then + set_loader_conf cpu_microcode_load=NO +else + pkg install -y cpu-microcode -set_loader_conf \ - cpu_microcode_load=YES \ - cpu_microcode_name="/boot/firmware/${microcode_name}" + set_loader_conf \ + cpu_microcode_load=YES \ + cpu_microcode_name="/boot/firmware/${microcode_name}" +fi |
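Review bot: The new opt-out in 80-microcode compares `$enable_microcode_updates` only with the literal string `false`, so `no`, `0` or `False` still install and load microcode — the opposite of what an operator setting the variable expects, and since several CPU-side mitigations ship as microcode a silent no-op in either direction is worth avoiding. Accept the common spellings, `case "${enable_microcode_updates:-true}" in [Ff]alse|[Nn]o|0) set_loader_conf cpu_microcode_load=NO ;;`, and add a comment saying when a host should turn this off, e.g. `# Set enable_microcode_updates=false only for hosts whose vendor firmware already ships current microcode.` Leaving `cpu_microcode_name` set when loading is disabled is harmless but could be noted.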