aboutsummaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
Diffstat (limited to 'scripts')
-rw-r--r--scripts/hostclass/asterisk_server7
-rw-r--r--scripts/hostclass/bitwarden_server1
-rw-r--r--scripts/hostclass/dav_server12
-rw-r--r--scripts/hostclass/desktop17
-rw-r--r--scripts/hostclass/idm_server/90-idm5
-rw-r--r--scripts/hostclass/nfs_server/10-nfs1
-rw-r--r--scripts/hostclass/pkg_repository10
-rw-r--r--scripts/hostclass/public_webserver6
-rw-r--r--scripts/hostclass/smtp_server/20-postfix5
-rw-r--r--scripts/hostclass/unifi_controller4
-rw-r--r--scripts/hostclass/xmpp_server28
-rw-r--r--scripts/hostname/desktop224
-rw-r--r--scripts/hostname/nfs1/10-homedirs6
-rw-r--r--scripts/hostname/nfs1/20-shares34
-rw-r--r--scripts/hostname/nfs1/30-autofs10
-rw-r--r--scripts/os/freebsd/10-bootloader2
-rw-r--r--scripts/os/freebsd/50-idm8
-rw-r--r--scripts/os/freebsd/80-microcode12
18 files changed, 136 insertions, 56 deletions
diff --git a/scripts/hostclass/asterisk_server b/scripts/hostclass/asterisk_server
index dcd2675..30699d8 100644
--- a/scripts/hostclass/asterisk_server
+++ b/scripts/hostclass/asterisk_server
@@ -34,6 +34,8 @@
asterisk_public_tls_cert="${acme_cert_dir}/asterisk.crt"
asterisk_public_tls_key="${acme_cert_dir}/asterisk.key"
asterisk_conf_dir=/usr/local/etc/asterisk
+asterisk_sound_dir=/usr/local/share/asterisk/sounds/en
+asterisk_g722_tarball=https://downloads.asterisk.org/pub/telephony/sounds/asterisk-core-sounds-en-g722-current.tar.gz
asterisk_db_dir=/var/db/asterisk
asterisk_user=asterisk
@@ -50,6 +52,11 @@ zfs set \
"${state_dataset}/asterisk"
install_directory -o "$asterisk_user" -g "$asterisk_user" -m 0755 "$asterisk_db_dir"
+# Download G722 sounds.
+if ! [ -f "${asterisk_sound_dir}/hello-world.g722" ]; then
+ curl -fL "$asterisk_g722_tarball" | tar xf - -C "$asterisk_sound_dir"
+fi
+
# Generate asterisk configuration.
install_file -m 0644 \
"${asterisk_conf_dir}/extensions.conf" \
diff --git a/scripts/hostclass/bitwarden_server b/scripts/hostclass/bitwarden_server
index ff67c3e..f300b0d 100644
--- a/scripts/hostclass/bitwarden_server
+++ b/scripts/hostclass/bitwarden_server
@@ -15,6 +15,7 @@ vaultwarden_client_keytab="${keytab_dir}/vaultwarden.client.keytab"
pkg install -y \
vaultwarden \
+ ca_root_nss \
nginx
# Create vaultwarden principal and keytab.
diff --git a/scripts/hostclass/dav_server b/scripts/hostclass/dav_server
index a69c072..e39b08c 100644
--- a/scripts/hostclass/dav_server
+++ b/scripts/hostclass/dav_server
@@ -9,6 +9,7 @@
: ${davical_branch:='master'}
: ${davical_awl_repo:='https://gitlab.com/davical-project/awl.git'}
: ${davical_awl_branch:='master'}
+: ${davical_admins:=''}
davical_dn="uid=${davical_username},${robots_basedn}"
davical_repo_dir=/usr/local/www/davical
@@ -105,6 +106,17 @@ if ! davical_psql -c 'SELECT 1 FROM awl_db_revision'; then
davical_psql -c "delete from usr where username = 'admin'"
fi
+if [ -n "$davical_admins" ]; then
+ # Note: This won't work until each admin in $davical_admins has logged in
+ # at least once.
+ davical_psql -c \
+ "INSERT INTO role_member (user_no, role_no)
+ SELECT user_no, (SELECT role_no FROM roles WHERE role_name = 'Admin')
+ FROM usr
+ WHERE username in ('$(join "','" $davical_admins)')
+ ON CONFLICT DO NOTHING"
+fi
+
# Copy TLS certificate for nginx.
install_certificate nginx "$davical_https_cert"
install_certificate_key nginx "$davical_https_key"
diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop
index bddce05..629ebc0 100644
--- a/scripts/hostclass/desktop
+++ b/scripts/hostclass/desktop
@@ -27,13 +27,14 @@ set_loader_conf \
linux_load=YES \
linux64_load=YES
+# Enable FUSE.
+set_loader_conf fusefs_load=YES
+
# Install packages common to all DEs.
pkg install -y $desktop_common_packages
-# Install scripts for creating local (non-NFS) home directories.
-install_file -m 0555 \
- /usr/local/libexec/pam-create-local-homedir \
- /etc/profile.d/local-homedir.sh
+# Install profile script for improving experience on NFS homedirs.
+install_file -m 0555 /etc/profile.d/local-homedir.sh
# Create ZFS dataset for local homedirs.
create_dataset -o mountpoint=/usr/local/home "${state_dataset}/home"
@@ -66,6 +67,9 @@ service webcamd status || service webcamd start
install_file -m 0644 /usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop
install_file -m 0555 /usr/local/libexec/nss-trust-root-ca
+# Install gajim desktop file.
+install_file -m 0644 /usr/local/share/applications/gajim.desktop
+
case $desktop_type in
i3)
pkg install -y $desktop_i3_packages
@@ -97,6 +101,11 @@ case $desktop_type in
/usr/local/etc/xdg/plasma-workspace/shutdown
install_file -m 0555 /usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh
+ # Disable user switching
+ # Broken with consolekit: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221452
+ # VT switch causes loss of graphics acceleration: https://github.com/freebsd/drm-kmod/issues/175
+ install_file -m 0644 /usr/local/etc/xdg/kdeglobals
+
# Enable sddm.
sysrc -v sddm_enable=YES
;;
diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm
index eadd621..260e52b 100644
--- a/scripts/hostclass/idm_server/90-idm
+++ b/scripts/hostclass/idm_server/90-idm
@@ -68,11 +68,12 @@ pkg install -y \
pam_mkhomedir
# Configure PAM/NSS integration.
+install_template -m 0644 \
+ /etc/pam.d/login \
+ /etc/pam.d/sshd
install_file -m 0644 \
/etc/nsswitch.conf \
/etc/pam.d/system \
- /etc/pam.d/login \
- /etc/pam.d/sshd \
/etc/pam.d/sudo \
/etc/pam.d/su \
/etc/pam.d/other
diff --git a/scripts/hostclass/nfs_server/10-nfs b/scripts/hostclass/nfs_server/10-nfs
index a775859..6ab8436 100644
--- a/scripts/hostclass/nfs_server/10-nfs
+++ b/scripts/hostclass/nfs_server/10-nfs
@@ -48,3 +48,4 @@ install_template -m 0644 /etc/exports
for service in gssd nfsuserd mountd nfsd; do
service "$service" status || service "$service" start
done
+service mountd reload
diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository
index 7044f96..86e6b2c 100644
--- a/scripts/hostclass/pkg_repository
+++ b/scripts/hostclass/pkg_repository
@@ -83,9 +83,11 @@ for version in $poudriere_versions; do
abi="FreeBSD:${version%%.*}:$(uname -p)"
[ -d "${poudriere_data_dir}/jails/${jail}" ] || poudriere jail -c -j "$jail" -v "$version"
- poudriere jail -u -j "$jail"
- poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm
- poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest
+ poudriere jail -u -j "$jail"
+ poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm
+ poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm -y
+ poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest
+ poudriere pkgclean -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest -y
install_directory -m 0755 "${poudriere_data_dir}/data/packages/${abi}"
ln -snfv "../${jail}-latest" "${poudriere_data_dir}/data/packages/${abi}/latest"
@@ -102,7 +104,7 @@ install_directory -m 0555 "${poudriere_data_dir}/data/packages/poudriere"
# Create cron job to update packages automatically.
install_file -m 0555 /usr/local/libexec/poudriere-cron
-install_file -m 0644 /etc/cron.d/poudriere
+install_template -m 0644 /etc/cron.d/poudriere
# Now that we have a valid repo, switch the pkg repo to the local filesystem.
install_directory -m 0755 \
diff --git a/scripts/hostclass/public_webserver b/scripts/hostclass/public_webserver
index 3877313..e92149f 100644
--- a/scripts/hostclass/public_webserver
+++ b/scripts/hostclass/public_webserver
@@ -20,8 +20,8 @@ zfs set \
"${state_dataset}/vhosts"
# Configure nginx.
-install_template -m 0644 /usr/local/etc/nginx/nginx.conf
-install -Cv -m 0644 /dev/null /usr/local/etc/nginx/vhosts.conf
+install_template -m 0644 "${nginx_conf_dir}/nginx.conf"
+[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf"
sysrc -v nginx_enable=YES
service nginx restart
@@ -37,7 +37,7 @@ for certname in $acme_certs; do
done
# Now that we have the ACME certs, add the vhosts.
-install_template -m 0644 /usr/local/etc/nginx/vhosts.conf
+install_template -m 0644 "${nginx_conf_dir}/vhosts.conf"
service nginx restart
# If any acmeproxy_domains were specified, setup the SFTP proxy.
diff --git a/scripts/hostclass/smtp_server/20-postfix b/scripts/hostclass/smtp_server/20-postfix
index 68ac474..795e574 100644
--- a/scripts/hostclass/smtp_server/20-postfix
+++ b/scripts/hostclass/smtp_server/20-postfix
@@ -38,10 +38,10 @@ ln -snfv "$postfix_keytab" "/var/krb5/user/${postfix_uid}/client.keytab"
# Generate postfix configuration.
install_template -m 0644 \
"${postfix_conf_dir}/main.cf" \
+ "${postfix_conf_dir}/master.cf" \
"${postfix_conf_dir}/virtual_mailboxes.cf" \
"${postfix_conf_dir}/virtual_aliases.cf" \
/usr/local/lib/sasl2/smtpd.conf
-install_file -m 0644 "${postfix_conf_dir}/master.cf"
# Allow postfix to read the saslauthd socket.
install_directory -m 0750 -o "$saslauthd_user" -g "$postfix_user" "$saslauthd_runtime_dir"
@@ -54,10 +54,9 @@ if [ "$postfix_public_fqdn" != "$fqdn" ]; then
# Acquire public TLS certificate.
install_template -m 0600 /usr/local/etc/sudoers.d/acme
acme_install_certificate \
- -c "$postfix_public_tls_cert" \
- -k "$postfix_public_tls_key" \
-g "$postfix_user" \
-r 'sudo service postfix reload' \
+ postfix \
"$postfix_public_fqdn"
fi
diff --git a/scripts/hostclass/unifi_controller b/scripts/hostclass/unifi_controller
index 9fd161e..96558e1 100644
--- a/scripts/hostclass/unifi_controller
+++ b/scripts/hostclass/unifi_controller
@@ -33,6 +33,10 @@ service unifi status && service unifi stop
[ -f "${unifi_home}/data/keystore" ] || install -Cv -o "$unifi_user" -g "$unifi_user" -m 0600 /dev/null "${unifi_home}/data/keystore"
su -m "$unifi_user" -c "java -jar ${unifi_home}/lib/ace.jar import_key_cert ${unifi_https_key} ${unifi_https_cert} ${site_cacert_path}"
+# Add root CA to java keystore.
+keytool -list -cacerts -storepass changeit -alias "$site" \
+ || keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias "$site" -file "$site_cacert_path"
+
# Disable analytics.
install_directory -m 0640 -o "$unifi_user" -g "$unifi_user" \
"${unifi_home}/data/sites" \
diff --git a/scripts/hostclass/xmpp_server b/scripts/hostclass/xmpp_server
index 1889447..667014f 100644
--- a/scripts/hostclass/xmpp_server
+++ b/scripts/hostclass/xmpp_server
@@ -7,7 +7,7 @@
: ${prosody_admins:=''}
: ${prosody_public_fqdn:="$fqdn"}
: ${prosody_domains:="$email_domain"}
-: ${prosody_ldap_passwd:='changeme'}
+: ${prosody_ldap_password:='changeme'}
: ${prosody_dbname:='prosody'}
: ${prosody_dbhost:="$postgres_host"}
: ${prosody_access_role:='xmpp-access'}
@@ -24,10 +24,11 @@ prosody_dn="uid=${prosody_username},${robots_basedn}"
prosody_local_user=prosody
prosody_conf_dir=/usr/local/etc/prosody
prosody_certs_dir="${prosody_conf_dir}/certs"
-prosody_keytab="${keytab_dir}/prosody.keytab"
+prosody_keytab="${keytab_dir}/prosody.client.keytab"
prosody_roster_path="${prosody_conf_dir}/roster.ini"
prosody_http_port=8080
-prosody_upload_dir=/var/db/prosody/http_upload
+prosody_db_dir=/var/db/prosody
+prosody_upload_dir="${prosody_db_dir}/http_upload"
prosody_https_cacert="${acme_cert_dir}/nginx.ca.crt"
prosody_https_cert="${acme_cert_dir}/nginx.crt"
@@ -42,10 +43,8 @@ pkg install -y \
nginx
# Create ZFS dataset for HTTP upload files.
-create_dataset -o "mountpoint=${prosody_upload_dir}" "${state_dataset}/http_upload"
-
-# Set ownership on http_upload directory.
-install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_upload_dir"
+create_dataset -o "mountpoint=${prosody_db_dir}" "${state_dataset}/prosody"
+install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_db_dir"
# Create prosody user private group.
ldap_add "cn=${prosody_username},${private_groups_basedn}" <<EOF
@@ -98,27 +97,28 @@ install_template -o root -g "$prosody_local_user" -m 0640 /usr/local/etc/prosody
# Configure automatic roster.
install_file -m 0555 /usr/local/libexec/prosody-update-roster
install -Cv -m 0640 -o "$prosody_local_user" -g "$prosody_local_user" /dev/null "${prosody_conf_dir}/roster.ini"
-su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} > ${prosody_roster_path}"
+su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} ${prosody_roster_path}"
# Copy prosody crontab.
install_template -m 0644 /etc/cron.d/prosody
# Configure nginx.
-install_template -m 0644 /usr/local/etc/nginx/nginx.conf
+install_template -m 0644 "${nginx_conf_dir}/nginx.conf"
+[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf"
sysrc -v nginx_enable=YES
service nginx restart
+# Retrieve webserver certificate via ACME.
install_template -m 0600 /usr/local/etc/sudoers.d/acme
acme_install_certificate \
- -C "$prosody_https_cacert" \
- -c "$prosody_https_cert" \
- -k "$prosody_https_key" \
-g "$nginx_user" \
-r 'sudo service nginx reload' \
+ nginx \
"$prosody_public_fqdn"
-# Now that we have the ACME certs, add the nginx vhost.
-install_template -m 0644 /usr/local/etc/nginx/vhosts.conf
+# Now that we have the ACME certs, add the vhosts.
+install_template -m 0644 "${nginx_conf_dir}/vhosts.conf"
+service nginx restart
# Enable and start daemons.
sysrc -v prosody_enable=YES
diff --git a/scripts/hostname/desktop2 b/scripts/hostname/desktop2
new file mode 100644
index 0000000..0e6e551
--- /dev/null
+++ b/scripts/hostname/desktop2
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# This desktop has USB speakers and webcam USB microphone, so sndio can't
+# use both at the same time. This creates a virtual device combining both
+# of them into one virutal sound card.
+#
+# Because the virtual soundcard is installed to /dev/dsp, it will
+# automatically be used as the default.
+
+playback_device=1
+recording_device=0
+samplerate=48000
+bits=16
+buffer_ms=25
+microphone_gain=50
+
+pkg install -y virtual_oss
+sysrc -v \
+ virtual_oss_enable=YES \
+ virtual_oss_dsp="-T /dev/sndstat -C 2 -c 2 -S -r ${samplerate} -b ${bits} -s ${buffer_ms}ms -O /dev/dsp${playback_device} -R /dev/dsp${recording_device} -d dsp -t vsdp.ctl"
+service virtual_oss restart
+
+set_loader_conf "hint.pcm.${recording_device}.mic=${microphone_gain}"
+set_loader_conf "hint.pcm.${playback_device}.pcm=100"
diff --git a/scripts/hostname/nfs1/10-homedirs b/scripts/hostname/nfs1/10-homedirs
index 3a6d923..db0c1e0 100644
--- a/scripts/hostname/nfs1/10-homedirs
+++ b/scripts/hostname/nfs1/10-homedirs
@@ -1,8 +1,12 @@
#!/bin/sh
-default_priv_quota=250G
+default_priv_quota=50G
default_pub_quota=10G
+# Format: username:privquota:pubquota. For example:
+# nfs_homedirs='joe:250G:10G jane:250G'
+# nfs_groupdirs='sysadmins:250G doefamily:100G:10G'
+
# Create user home directories.
for userquota in ${nfs_homedirs:-}; do
user=$(echo "$userquota" | awk -F: '{print $1}')
diff --git a/scripts/hostname/nfs1/20-shares b/scripts/hostname/nfs1/20-shares
index beb3b11..0dd6ddb 100644
--- a/scripts/hostname/nfs1/20-shares
+++ b/scripts/hostname/nfs1/20-shares
@@ -1,16 +1,22 @@
#!/bin/sh
-# media/music
-create_dataset -p "${nfs_dataset}/media/music"
-zfs set \
- compression=off \
- com.sun:auto-snapshot:daily=true \
- com.sun:auto-snapshot:weekly=true \
- "${nfs_dataset}/media/music"
-chgrp media-admin "${nfs_root}/media/music"
-chmod 2770 "${nfs_root}/media/music"
-set_facl "${nfs_root}/media/music" \
- group:media-admin:rwpDdaARWcs:fd:allow \
- group:media-admin:x:d:allow \
- group:media-access:raRcs:fd:allow \
- group:media-access:x:d:allow
+media_access_group='media-access'
+media_admin_group='media-admin'
+media_shares='music shows movies audiobooks roms books scores isos'
+
+# media shares
+for share in $media_shares; do
+ create_dataset -p "${nfs_dataset}/media/${share}"
+ zfs set \
+ compression=off \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${nfs_dataset}/media/${share}"
+ chgrp "$media_admin_group" "${nfs_root}/media/${share}"
+ chmod 2770 "${nfs_root}/media/${share}"
+ set_facl "${nfs_root}/media/${share}" \
+ "group:${media_admin_group}:rwpDdaARWcs:fd:allow" \
+ "group:${media_admin_group}:x:d:allow" \
+ "group:${media_access_group}:raRcs:fd:allow" \
+ "group:${media_access_group}:x:d:allow"
+done
diff --git a/scripts/hostname/nfs1/30-autofs b/scripts/hostname/nfs1/30-autofs
index fe3a468..a7153d4 100644
--- a/scripts/hostname/nfs1/30-autofs
+++ b/scripts/hostname/nfs1/30-autofs
@@ -72,9 +72,11 @@ automountKey: /nfs/media
automountInformation: auto_media ${nfs_mount_opts}
EOF
-# auto_media: music
-ldap_add "automountKey=music,automountMapName=auto_media,${automount_basedn}" <<EOF
+# auto_media: music, movies, etc
+for share in $media_shares; do
+ ldap_add "automountKey=${share},automountMapName=auto_media,${automount_basedn}" <<EOF
objectClass: automount
-automountKey: music
-automountInformation: ${fqdn}:/media/music
+automountKey: ${share}
+automountInformation: ${fqdn}:/media/${share}
EOF
+done
diff --git a/scripts/os/freebsd/10-bootloader b/scripts/os/freebsd/10-bootloader
index 3209927..a5c8908 100644
--- a/scripts/os/freebsd/10-bootloader
+++ b/scripts/os/freebsd/10-bootloader
@@ -11,7 +11,7 @@ install_file -m 0644 /etc/ttys
kill -HUP 1
set_loader_conf \
- autoboot_delay=1 \
+ autoboot_delay=3 \
beastie_disable=YES \
cc_htcp_load=YES \
kern.geom.label.disk_ident.enable=0 \
diff --git a/scripts/os/freebsd/50-idm b/scripts/os/freebsd/50-idm
index 1585c6f..1e5e877 100644
--- a/scripts/os/freebsd/50-idm
+++ b/scripts/os/freebsd/50-idm
@@ -18,12 +18,16 @@ pkg install -y \
p5-Authen-SASL \
pam_mkhomedir
+# Script to create /usr/local/home/${USER} on login.
+install_file -m 0555 /usr/local/libexec/pam-create-local-homedir
+
# Configure PAM/NSS integration.
+install_template -m 0644 \
+ /etc/pam.d/login \
+ /etc/pam.d/sshd
install_file -m 0644 \
/etc/nsswitch.conf \
/etc/pam.d/system \
- /etc/pam.d/login \
- /etc/pam.d/sshd \
/etc/pam.d/sudo \
/etc/pam.d/su \
/etc/pam.d/other
diff --git a/scripts/os/freebsd/80-microcode b/scripts/os/freebsd/80-microcode
index f9e213e..0d2a910 100644
--- a/scripts/os/freebsd/80-microcode
+++ b/scripts/os/freebsd/80-microcode
@@ -7,8 +7,12 @@ if [ "$BOXCONF_VIRTUALIZATION_TYPE" != none ]; then
return
fi
-pkg install -y cpu-microcode
+if [ "${enable_microcode_updates:-}" = false ]; then
+ set_loader_conf cpu_microcode_load=NO
+else
+ pkg install -y cpu-microcode
-set_loader_conf \
- cpu_microcode_load=YES \
- cpu_microcode_name="/boot/firmware/${microcode_name}"
+ set_loader_conf \
+ cpu_microcode_load=YES \
+ cpu_microcode_name="/boot/firmware/${microcode_name}"
+fi