Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/hostclass/cups_server | 3 | ||||
-rw-r--r-- | scripts/hostclass/desktop | 30 | ||||
-rw-r--r-- | scripts/hostclass/idm_server/40-unbound | 8 | ||||
l--------- | scripts/hostclass/laptop/10-desktop | 1 | ||||
-rw-r--r-- | scripts/hostclass/laptop/20-laptop (renamed from scripts/hostclass/laptop) | 0 | ||||
l--------- | scripts/hostclass/roadwarrior_laptop/20-laptop | 2 | ||||
-rw-r--r-- | scripts/os/freebsd/10-bootloader | 4 | ||||
-rw-r--r-- | scripts/os/freebsd/10-cpu | 5 | ||||
-rw-r--r-- | scripts/os/freebsd/50-idm | 1 | ||||
-rw-r--r-- | scripts/os/freebsd/80-microcode | 14 |
10 files changed, 53 insertions, 15 deletions
diff --git a/scripts/hostclass/cups_server b/scripts/hostclass/cups_server index 6667829..d9b6e66 100644 --- a/scripts/hostclass/cups_server +++ b/scripts/hostclass/cups_server @@ -9,6 +9,9 @@ cups_tls_dir=${cups_conf_dir}/ssl cups_tls_cert="${cups_tls_dir}/${fqdn}.crt" cups_tls_key="${cups_tls_dir}/${fqdn}.key" +# Create dataset for persistent CUPS configuration. +create_dataset -o "mountpoint=${cups_conf_dir}" "${state_dataset}/cups" + # Install required packages. pkg install -y cups cups-filters diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop index f9e7e94..148b596 100644 --- a/scripts/hostclass/desktop +++ b/scripts/hostclass/desktop @@ -4,10 +4,13 @@ : ${desktop_access_gid:='40000'} : ${sddm_min_uid:='10000'} : ${sddm_max_uid:='19999'} +: ${cups_host:='cups'} +: ${ublock_whitelist:=''} +: ${chrome_flags:=''} sddm_user=sddm - -# TODO: kill lingering processes after logout (chrome, baloo-search, etc). +cups_conf_dir=/usr/local/etc/cups +xdg_override_dir=/usr/local/share-override if [ "${enable_idm:-}" = false ]; then desktop_access_role=operator @@ -33,7 +36,9 @@ pkg install -y $desktop_common_packages install_file -m 0555 \ /usr/local/libexec/pam-create-local-homedir \ /etc/profile.d/local-homedir.sh -install_directory -m 0755 /usr/local/home + +# Create ZFS dataset for local homedirs. +create_dataset -o mountpoint=/usr/local/home "${state_dataset}/home" # Enable sndio. sysrc -v sndiod_enable=YES @@ -54,6 +59,10 @@ set_loader_conf cuse_load=YES sysrc -v webcamd_enable=YES service webcamd status || service webcamd start +# Create xdg autostart entry to add our Root CA to Chrome's certificate store. +install_file -m 0644 /usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop +install_file -m 0555 /usr/local/libexec/nss-trust-root-ca + case $desktop_type in i3) pkg install -y $desktop_i3_packages 
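Review bot: The three new knobs `cups_host`, `ublock_whitelist` and `chrome_flags` are consumed by templates that are not part of this diff, so nothing in this hunk says what format they expect (a single value, a space-separated list, one entry per line?). A one-line comment above each would spare the next reader a trip into the templates, e.g. `# Extra command-line flags appended to the chromium-browser.desktop Exec line.` above `: ${chrome_flags:=''}`, and the same for the uBlock whitelist. `cups_conf_dir=/usr/local/etc/cups` duplicates a value the cups_server hostclass also defines (its `cups_tls_dir=${cups_conf_dir}/ssl` is visible above); if both are meant to stay equal, a comment saying so would prevent them drifting apart.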
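Review bot: Replacing `install_directory -m 0755 /usr/local/home` with `create_dataset -o mountpoint=/usr/local/home "${state_dataset}/home"` drops the explicit mode on the directory that pam-create-local-homedir populates; unless create_dataset (not shown here) sets it, the mountpoint's permissions now come from the ZFS defaults rather than from this script. Since this is the parent of every local home directory, I would pin the mode right after the dataset exists: `chmod 0755 /usr/local/home`. The cups_server hunk above makes the same substitution for its configuration directory and would benefit from the same explicit mode.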
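Review bot: The new autostart entry causes a script to modify each user's NSS certificate database at every session start, which is a trust-store change that deserves more documentation than the one-line comment here: which CA file it reads, with what trust flags, and that repeated logins are idempotent. Neither nss-trust-root-ca nor the .desktop file is in this diff, so I can only ask that the CA be read from a root-owned system path rather than anything under the user's control, because a user-writable source would let any local process add a trusted root to that user's browser. I would extend the comment to name the source, e.g. `# Create xdg autostart entry to add our Root CA (read from <system CA path>) to Chrome's NSS database on login.`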
@@ -121,12 +130,13 @@ install_file -m 0644 /usr/local/etc/X11/xorg.conf.d/terminus.conf # Create xdg override directory. install_directory -m 0755 \ - /usr/local/override \ - /usr/local/override/applications + "${xdg_override_dir}" \ + "${xdg_override_dir}/applications" # Create xdg application overrides. -install_file -m 0644 \ - /usr/local/override/applications/signal-desktop.desktop +install_template -m 0644 \ + "${xdg_override_dir}/applications/signal-desktop.desktop" \ + "${xdg_override_dir}/applications/chromium-browser.desktop" # Create polkit rules for shutdown/reboot/suspend install_template -m 0644 /usr/local/etc/polkit-1/rules.d/51-desktop.rules @@ -135,10 +145,14 @@ install_template -m 0644 /usr/local/etc/polkit-1/rules.d/51-desktop.rules sysrc -v dbus_enable=YES service dbus status || service dbus start +# Configure CUPS. +pkg install -y cups +install_template -m 0644 "${cups_conf_dir}/client.conf" + # Configure graphics drivers. case $graphics_type in intel) - pkg install -y drm-kmod + pkg install -y drm-kmod libva-intel-media-driver sysrc -v kld_list+=i915kms load_kernel_module i915kms set_loader_conf \ diff --git a/scripts/hostclass/idm_server/40-unbound b/scripts/hostclass/idm_server/40-unbound index 01c1c70..d38194f 100644 --- a/scripts/hostclass/idm_server/40-unbound +++ b/scripts/hostclass/idm_server/40-unbound @@ -4,8 +4,10 @@ unbound_user=unbound unbound_conf_dir=/usr/local/etc/unbound unbound_blocklist_dir="${unbound_conf_dir}/blocklists" unbound_blocklist_url_file="${unbound_conf_dir}/blocklist_urls" +unbound_whitelist_file="${unbound_conf_dir}/whitelist" : ${unbound_blocklist_urls:=''} +: ${unbound_whitelist:=''} : ${unbound_cache_max_negative_ttl:='60'} : ${unbound_rrset_cache_size:='104857600'} # 100 MB : ${unbound_msg_cache_size:='52428800'} # 50 MB 
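Review bot: Moving the xdg override directory from /usr/local/override to `${xdg_override_dir}` leaves the old tree in place on hosts provisioned with the previous version, so the stale signal-desktop.desktop there keeps taking effect for as long as XDG_DATA_DIRS still lists it; whatever sets XDG_DATA_DIRS to the new location is not in this diff and needs the matching update. I would add a migration step in this hunk, e.g. `rm -rf /usr/local/override  # old override location, pre share-override`. signal-desktop.desktop also changes from install_file to install_template, so its source must now be a template; the diff does not show that file being moved, so please confirm it was.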
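Review bot: The client.conf template is installed with `cups_host` defaulting to the bare name `cups`, while the cups_server hostclass in this same commit issues its TLS certificate for `${fqdn}`; if client.conf asks for encryption, the name the client connects to has to match the certificate, so either the default should be documented as needing the server's FQDN or the template should be checked to use a name that matches. The template content is not in the diff, so I cannot tell which applies. As a style point, the separate `pkg install -y cups` could be folded into desktop_common_packages instead of running a second pkg transaction.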
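Review bot: `unbound_whitelist` gets an empty default but no description of its format; it is written verbatim to `$unbound_whitelist_file` and parsed by idm-update-unbound-blocklists, which is not shown, so a comment stating what the updater expects would help, e.g. `# Domains to exempt from the blocklists (format as expected by idm-update-unbound-blocklists).` above `: ${unbound_whitelist:=''}`. The existing `unbound_blocklist_urls` default would benefit from the same treatment.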
@@ -24,9 +26,10 @@ install_directory -m 0755 -o "$unbound_user" "$unbound_blocklist_dir" install_template -m 0644 "${unbound_conf_dir}/unbound.conf" # Download blocklists. +echo "$unbound_whitelist" | tee "$unbound_whitelist_file" echo "$unbound_blocklists" | tee "$unbound_blocklist_url_file" install_file -m 0755 /usr/local/libexec/idm-update-unbound-blocklists -su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}" +su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_url_file} ${unbound_whitelist_file} ${unbound_blocklist_dir}" # Enable and start unbound. sysrc -v unbound_enable=YES @@ -36,5 +39,4 @@ service unbound restart install_template -m 0644 /etc/resolv.conf # Update blocklists with a cron job. -echo "@daily root su -m ${unbound_user} -c \"/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}\" && service unbound reload" \ - | tee /etc/cron.d/idm-update-unbound-blocklists +install_template -m 0644 /etc/cron.d/unbound diff --git a/scripts/hostclass/laptop/10-desktop b/scripts/hostclass/laptop/10-desktop new file mode 120000 index 0000000..2c7c348 --- /dev/null +++ b/scripts/hostclass/laptop/10-desktop @@ -0,0 +1 @@ +../desktop
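Review bot: The updater's positional arguments change order in the new `su -m "$unbound_user" -c ...` line (URL file, whitelist file, blocklist directory), while the updater script and the new cron template are not in this diff, so both have to agree with this order; a comment above the call, `# Usage: idm-update-unbound-blocklists <url-file> <whitelist-file> <output-dir>`, would make the contract visible. The unchanged line above writes `$unbound_blocklists`, whereas the defaults in the previous hunk declare `unbound_blocklist_urls`; if no intermediate assignment defines `unbound_blocklists`, the URL file is always empty — worth confirming. The new whitelist file is written as root by tee under the default umask, which the unbound user can only read if that umask leaves it world-readable; giving it an explicit mode would be more robust.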
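Review bot: Switching the cron job to `install_template -m 0644 /etc/cron.d/unbound` leaves the previously generated /etc/cron.d/idm-update-unbound-blocklists in place on already-provisioned hosts, and that old entry invokes the updater with the old argument form (`${unbound_blocklist_dir} < ${unbound_blocklist_url_file}`), so after this change it would keep running daily with the blocklist directory in the position where the updater now expects the URL file. Add a migration step next to the new line: `rm -f /etc/cron.d/idm-update-unbound-blocklists`. The cron template's content is not in the diff; it should use the same three-argument form as the su line above.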
\ No newline at end of file
diff --git a/scripts/hostclass/laptop b/scripts/hostclass/laptop/20-laptop
index dba2c5f..dba2c5f 100644
--- a/scripts/hostclass/laptop
+++ b/scripts/hostclass/laptop/20-laptop
diff --git a/scripts/hostclass/roadwarrior_laptop/20-laptop b/scripts/hostclass/roadwarrior_laptop/20-laptop
index 874f665..981e450 120000
--- a/scripts/hostclass/roadwarrior_laptop/20-laptop
+++ b/scripts/hostclass/roadwarrior_laptop/20-laptop
@@ -1 +1 @@
-../laptop
\ No newline at end of file
+../laptop/20-laptop
\ No newline at end of file diff --git a/scripts/os/freebsd/10-bootloader b/scripts/os/freebsd/10-bootloader index 438acc0..3209927 100644 --- a/scripts/os/freebsd/10-bootloader +++ b/scripts/os/freebsd/10-bootloader @@ -24,9 +24,7 @@ set_loader_conf \ pflog_load=YES \ security.bsd.allow_destructive_dtrace=0 -if [ "${serial_console:-}" = true ]; then - # Don't enable the serial console for all hosts indiscriminately. - # Somehow, having the serial console enabled breaks ConsoleKit. +if [ "$BOXCONF_VIRTUALIZATION_TYPE" = none ] && [ "$enable_serial_console" = true ]; then set_loader_conf \ boot_multicons=YES \ boot_serial=YES \ diff --git a/scripts/os/freebsd/10-cpu b/scripts/os/freebsd/10-cpu index ea2afcf..67aeb68 100644 --- a/scripts/os/freebsd/10-cpu +++ b/scripts/os/freebsd/10-cpu @@ -28,3 +28,8 @@ if sysctl -n dev.hwpstate_intel.0.epp >/dev/null 2>&1; then set_sysctl "dev.hwpstate_intel.${n}.epp=${intel_epp}" done fi + +# Enable CPU-related kernel modules. +set_loader_conf \ + cpuctl_load=YES \ + coretemp_load=YES diff --git a/scripts/os/freebsd/50-idm b/scripts/os/freebsd/50-idm index 0a9e882..ab7c2fd 100644 --- a/scripts/os/freebsd/50-idm +++ b/scripts/os/freebsd/50-idm @@ -20,6 +20,7 @@ pkg install -y \ # Configure PAM/NSS integration. install_file -m 0644 \ /etc/nsswitch.conf \ + /etc/pam.d/login \ /etc/pam.d/sshd \ /etc/pam.d/sudo diff --git a/scripts/os/freebsd/80-microcode b/scripts/os/freebsd/80-microcode new file mode 100644 index 0000000..f9e213e --- /dev/null +++ b/scripts/os/freebsd/80-microcode @@ -0,0 +1,14 @@ +#!/bin/sh + +: ${microcode_name:='intel-ucode.bin'} + +# Only run this file on baremetal hosts. +if [ "$BOXCONF_VIRTUALIZATION_TYPE" != none ]; then + return +fi + +pkg install -y cpu-microcode + +set_loader_conf \ + cpu_microcode_load=YES \ + cpu_microcode_name="/boot/firmware/${microcode_name}" |
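Review bot: The new condition reads `$enable_serial_console` unguarded where the old one used `${serial_console:-}`; if these scripts run under `set -u` (not visible here) and a host does not define the variable, the test aborts the script instead of skipping the serial console, and because the knob was also renamed, hosts that set `serial_console=true` silently lose their console. Use `[ "${enable_serial_console:-}" = true ]` or declare `: ${enable_serial_console:='false'}` near the top of the file. The removed comment was the only record of why the console is not enabled everywhere; keep a one-line rationale above the if, e.g. `# Only enable the serial console on bare metal when asked for: enabling it indiscriminately has broken ConsoleKit.` The if block continues past the end of the hunk.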
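Review bot: `cpuctl_load=YES` and `coretemp_load=YES` are added unconditionally, whereas the new 80-microcode file in this commit returns early unless `BOXCONF_VIRTUALIZATION_TYPE` is `none`; loading these modules in a guest is normally harmless but serves no purpose, and cpuctl in particular exposes MSR access and microcode-update devices that only matter on bare metal. For consistency I would either guard this block the same way or say in the comment why it is not guarded, e.g. `# Enable CPU-related kernel modules (loaded on all hosts; harmless under virtualization).`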
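Review bot: Adding /etc/pam.d/login to the install_file list changes the PAM stack for console logins, and the installed file's content is not in this diff; a mistake there can lock out local console access on a host whose IdM backend is unreachable, so please make sure the file keeps a working local fallback (pam_unix) for root and say so in a comment next to the list, e.g. `# login: console logins; keep the local pam_unix path so root can log in without IdM.` The install_file call continues past the end of the hunk.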
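Review bot: `microcode_name` defaults to `intel-ucode.bin`, so an AMD host that does not override it has the loader pointed at a firmware file that is not the one for its vendor and receives no microcode update; the commit's own 10-cpu script already probes Intel-specific sysctls, so vendor detection is within reach here as well. I would derive the default from the CPU vendor and keep the override, as sketched below (the AMD file name must be checked against what the cpu-microcode package actually installs). The top-level `return` assumes this file is sourced rather than executed, which matches the other scripts that call set_loader_conf, but the `#!/bin/sh` line suggests otherwise; a comment stating that the file is sourced would avoid confusion.
```shell
# Pick the vendor's microcode bundle unless the host config overrides it.
case "$(sysctl -n hw.model)" in
  *AMD*) : ${microcode_name:='amd-ucode.bin'} ;;   # TODO confirm file name shipped by cpu-microcode
  *)     : ${microcode_name:='intel-ucode.bin'} ;;
esac
# … unchanged: virtualization guard, pkg install, set_loader_conf …
```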