From 5ef2aed3f3961b72699d9881ed09560f4d01371a Mon Sep 17 00:00:00 2001 
From: Cullum Smith Date: Fri, 18 Oct 2024 16:44:57 -0400 Subject: Tons of desktop fixes --- files/etc/cron.d/unbound.idm_server | 2 + files/etc/exports.common | 2 - files/etc/exports.nfs_server | 2 + files/etc/login.conf.desktop | 2 +- files/etc/pam.d/cups.cups_server | 12 +- files/etc/pam.d/kde.freebsd | 7 +- files/etc/pam.d/login.freebsd | 16 ++ files/etc/pam.d/sddm.freebsd | 23 +-- files/etc/pam.d/sshd.freebsd | 20 +-- files/etc/pam.d/sudo.freebsd | 8 +- files/etc/profile.d/kde.sh.common | 6 - files/etc/profile.d/kde.sh.desktop | 6 + files/etc/profile.d/kde.sh.laptop | 1 + files/etc/profile.d/kde.sh.roadwarrior_laptop | 1 + .../local/etc/X11/xorg.conf.d/terminus.conf.common | 3 - .../etc/X11/xorg.conf.d/terminus.conf.desktop | 3 + .../local/etc/X11/xorg.conf.d/terminus.conf.laptop | 1 + .../xorg.conf.d/terminus.conf.roadwarrior_laptop | 1 + .../chromium/policies/managed/policies.json.common | 96 ------------ .../policies/managed/policies.json.desktop | 99 +++++++++++++ .../chromium/policies/managed/policies.json.laptop | 1 + .../managed/policies.json.roadwarrior_laptop | 1 + files/usr/local/etc/cups/client.conf.desktop | 3 + files/usr/local/etc/cups/client.conf.laptop | 1 + .../local/etc/cups/client.conf.roadwarrior_laptop | 1 + files/usr/local/etc/cups/cupsd.conf.cups_server | 4 - .../local/etc/poudriere.d/make.conf.pkg_repository | 4 + .../local/etc/poudriere.d/pkglist.pkg_repository | 11 +- files/usr/local/etc/sddm.conf.common | 9 -- files/usr/local/etc/sddm.conf.desktop | 9 ++ files/usr/local/etc/sddm.conf.laptop | 1 + files/usr/local/etc/sddm.conf.roadwarrior_laptop | 1 + .../autostart/nss-trust-root-ca.desktop.desktop | 6 + .../xdg/autostart/nss-trust-root-ca.desktop.laptop | 1 + .../nss-trust-root-ca.desktop.roadwarrior_laptop | 1 + .../plasma-workspace/shutdown/cleanup.sh.common | 4 - .../plasma-workspace/shutdown/cleanup.sh.desktop | 7 + .../plasma-workspace/shutdown/cleanup.sh.laptop | 1 + .../shutdown/cleanup.sh.roadwarrior_laptop | 1 + 
.../lib/firefox/distribution/policies.json.common | 159 -------------------- .../lib/firefox/distribution/policies.json.desktop | 162 +++++++++++++++++++++ .../lib/firefox/distribution/policies.json.laptop | 1 + .../distribution/policies.json.roadwarrior_laptop | 1 + .../local/lib/libreoffice/program/sofficerc.common | 18 --- .../lib/libreoffice/program/sofficerc.desktop | 18 +++ .../local/lib/libreoffice/program/sofficerc.laptop | 1 + .../program/sofficerc.roadwarrior_laptop | 1 + .../idm-update-unbound-blocklists.idm_server | 41 ++++-- files/usr/local/libexec/nss-trust-root-ca.common | 16 ++ .../local/libexec/pam-create-local-homedir.common | 9 +- .../applications/signal-desktop.desktop.common | 12 -- .../applications/chromium-browser.desktop.desktop | 11 ++ .../applications/chromium-browser.desktop.laptop | 1 + .../chromium-browser.desktop.roadwarrior_laptop | 1 + .../applications/signal-desktop.desktop.desktop | 12 ++ .../applications/signal-desktop.desktop.laptop | 1 + .../signal-desktop.desktop.roadwarrior_laptop | 1 + lib/40-os | 10 +- scripts/hostclass/cups_server | 3 + scripts/hostclass/desktop | 30 +++- scripts/hostclass/idm_server/40-unbound | 8 +- scripts/hostclass/laptop | 65 --------- scripts/hostclass/laptop/10-desktop | 1 + scripts/hostclass/laptop/20-laptop | 65 +++++++++ scripts/hostclass/roadwarrior_laptop/20-laptop | 2 +- scripts/os/freebsd/10-bootloader | 4 +- scripts/os/freebsd/10-cpu | 5 + scripts/os/freebsd/50-idm | 1 + scripts/os/freebsd/80-microcode | 14 ++ site/scripts/hostname/rlaptop1 | 9 -- vars/common | 2 +- vars/hostclass/desktop | 24 ++- vars/hostname/alcatraz1 | 3 - 73 files changed, 622 insertions(+), 468 deletions(-) create mode 100644 files/etc/cron.d/unbound.idm_server delete mode 100644 files/etc/exports.common create mode 100644 files/etc/exports.nfs_server create mode 100644 files/etc/pam.d/login.freebsd delete mode 100644 files/etc/profile.d/kde.sh.common create mode 100644 files/etc/profile.d/kde.sh.desktop create mode 
120000 files/etc/profile.d/kde.sh.laptop create mode 120000 files/etc/profile.d/kde.sh.roadwarrior_laptop delete mode 100644 files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common create mode 100644 files/usr/local/etc/X11/xorg.conf.d/terminus.conf.desktop create mode 120000 files/usr/local/etc/X11/xorg.conf.d/terminus.conf.laptop create mode 120000 files/usr/local/etc/X11/xorg.conf.d/terminus.conf.roadwarrior_laptop delete mode 100644 files/usr/local/etc/chromium/policies/managed/policies.json.common create mode 100644 files/usr/local/etc/chromium/policies/managed/policies.json.desktop create mode 120000 files/usr/local/etc/chromium/policies/managed/policies.json.laptop create mode 120000 files/usr/local/etc/chromium/policies/managed/policies.json.roadwarrior_laptop create mode 100644 files/usr/local/etc/cups/client.conf.desktop create mode 120000 files/usr/local/etc/cups/client.conf.laptop create mode 120000 files/usr/local/etc/cups/client.conf.roadwarrior_laptop delete mode 100644 files/usr/local/etc/sddm.conf.common create mode 100644 files/usr/local/etc/sddm.conf.desktop create mode 120000 files/usr/local/etc/sddm.conf.laptop create mode 120000 files/usr/local/etc/sddm.conf.roadwarrior_laptop create mode 100644 files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.desktop create mode 120000 files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.laptop create mode 120000 files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.roadwarrior_laptop delete mode 100644 files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.common create mode 100644 files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.desktop create mode 120000 files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.laptop create mode 120000 files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.roadwarrior_laptop delete mode 100644 files/usr/local/lib/firefox/distribution/policies.json.common create mode 100644 
files/usr/local/lib/firefox/distribution/policies.json.desktop create mode 120000 files/usr/local/lib/firefox/distribution/policies.json.laptop create mode 120000 files/usr/local/lib/firefox/distribution/policies.json.roadwarrior_laptop delete mode 100644 files/usr/local/lib/libreoffice/program/sofficerc.common create mode 100644 files/usr/local/lib/libreoffice/program/sofficerc.desktop create mode 120000 files/usr/local/lib/libreoffice/program/sofficerc.laptop create mode 120000 files/usr/local/lib/libreoffice/program/sofficerc.roadwarrior_laptop create mode 100644 files/usr/local/libexec/nss-trust-root-ca.common delete mode 100644 files/usr/local/override/applications/signal-desktop.desktop.common create mode 100644 files/usr/local/share-override/applications/chromium-browser.desktop.desktop create mode 120000 files/usr/local/share-override/applications/chromium-browser.desktop.laptop create mode 120000 files/usr/local/share-override/applications/chromium-browser.desktop.roadwarrior_laptop create mode 100644 files/usr/local/share-override/applications/signal-desktop.desktop.desktop create mode 120000 files/usr/local/share-override/applications/signal-desktop.desktop.laptop create mode 120000 files/usr/local/share-override/applications/signal-desktop.desktop.roadwarrior_laptop delete mode 100644 scripts/hostclass/laptop create mode 120000 scripts/hostclass/laptop/10-desktop create mode 100644 scripts/hostclass/laptop/20-laptop create mode 100644 scripts/os/freebsd/80-microcode delete mode 100644 site/scripts/hostname/rlaptop1 delete mode 100644 vars/hostname/alcatraz1 diff --git a/files/etc/cron.d/unbound.idm_server b/files/etc/cron.d/unbound.idm_server new file mode 100644 index 0000000..56d8809 --- /dev/null +++ b/files/etc/cron.d/unbound.idm_server @@ -0,0 +1,2 @@ +MAILTO=root +@daily ${unbound_user} /usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_url_file} ${unbound_whitelist_file} ${unbound_blocklist_dir} 
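Review bot: The three path arguments on the `@daily` line of unbound.idm_server are substituted into the crontab unquoted, so a configured path containing whitespace would be split into several arguments, and a `%` would be turned into a newline by cron. Quoting them in the template keeps each one a single argument: `... idm-update-unbound-blocklists "${unbound_blocklist_url_file}" "${unbound_whitelist_file}" "${unbound_blocklist_dir}"`. This assumes the template renderer passes literal double quotes through, as the JSON templates in this commit suggest. A one-line comment above the entry naming the directory the job rewrites would also help whoever reads the installed crontab.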
diff --git a/files/etc/exports.common b/files/etc/exports.common deleted file mode 100644 index 4ea7fd2..0000000 --- a/files/etc/exports.common +++ /dev/null @@ -1,2 +0,0 @@ -V4: ${nfs_root} -# The default is to not export anything. diff --git a/files/etc/exports.nfs_server b/files/etc/exports.nfs_server new file mode 100644 index 0000000..4ea7fd2 --- /dev/null +++ b/files/etc/exports.nfs_server @@ -0,0 +1,2 @@ +V4: ${nfs_root} +# The default is to not export anything. diff --git a/files/etc/login.conf.desktop b/files/etc/login.conf.desktop index 558c80a..919a887 100644 --- a/files/etc/login.conf.desktop +++ b/files/etc/login.conf.desktop @@ -2,7 +2,7 @@ default:\\ :passwd_format=sha512:\\ :copyright=/etc/COPYRIGHT:\\ :welcome=/var/run/motd:\\ - :setenv=BLOCKSIZE=K,XDG_DATA_DIRS=/usr/local/override\\c/usr/local/share,XDG_DATA_HOME=/usr/local/home/\$/.local/share,XDG_STATE_HOME=/usr/local/home/\$/.local/state,XDG_CACHE_HOME=/usr/local/home/\$/.cache,XDG_CONFIG_HOME=/usr/local/home/\$/.config,KDEHOME=/usr/local/home/\$/.kde:\\ + :setenv=BLOCKSIZE=K,XDG_DATA_DIRS=${xdg_override_dir}\\c/usr/local/share,XDG_DATA_HOME=/usr/local/home/\$/.local/share,XDG_STATE_HOME=/usr/local/home/\$/.local/state,XDG_CACHE_HOME=/usr/local/home/\$/.cache,XDG_CONFIG_HOME=/usr/local/home/\$/.config,KDEHOME=/usr/local/home/\$/.kde:\\ :mail=/var/mail/\$:\\ :path=/sbin /bin /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin ~/bin:\\ :nologin=/var/run/nologin:\\ diff --git a/files/etc/pam.d/cups.cups_server b/files/etc/pam.d/cups.cups_server index b61c074..03c2763 100644 --- a/files/etc/pam.d/cups.cups_server +++ b/files/etc/pam.d/cups.cups_server 
@@ -1,8 +1,6 @@ -# auth -auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass -auth required pam_unix.so no_warn try_first_pass +auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass +auth required pam_unix.so no_warn try_first_pass -# account -account required /usr/local/lib/security/pam_krb5.so -account required pam_login_access.so -account required pam_unix.so +account required /usr/local/lib/security/pam_krb5.so +account required pam_login_access.so +account required pam_unix.so diff --git a/files/etc/pam.d/kde.freebsd b/files/etc/pam.d/kde.freebsd index 2604c78..8f87b98 100644 --- a/files/etc/pam.d/kde.freebsd +++ b/files/etc/pam.d/kde.freebsd @@ -1,2 +1,5 @@ -auth required /usr/local/lib/security/pam_krb5.so try_first_pass -account required /usr/local/lib/security/pam_krb5.so +auth required /usr/local/lib/security/pam_krb5.so try_first_pass + +account required /usr/local/lib/security/pam_krb5.so +account required pam_login_access.so +account required pam_unix.so diff --git a/files/etc/pam.d/login.freebsd b/files/etc/pam.d/login.freebsd new file mode 100644 index 0000000..164fcb0 --- /dev/null +++ b/files/etc/pam.d/login.freebsd @@ -0,0 +1,16 @@ +auth sufficient pam_self.so no_warn +auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass +auth required pam_unix.so no_warn try_first_pass nullok + +account requisite pam_securetty.so +account required pam_nologin.so +account required /usr/local/lib/security/pam_krb5.so +account required pam_login_access.so +account required pam_unix.so + +session required pam_lastlog.so no_fail +session required pam_xdg.so +session required /usr/local/lib/security/pam_krb5.so + +password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass +password required pam_unix.so no_warn try_first_pass diff --git a/files/etc/pam.d/sddm.freebsd b/files/etc/pam.d/sddm.freebsd index ef359ff..6a75823 100644 --- a/files/etc/pam.d/sddm.freebsd +++ b/files/etc/pam.d/sddm.freebsd 
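Review bot: `nullok` on the `pam_unix.so` auth line of the new login.freebsd lets a local account with an empty password log in on the console, while the sshd, sudo and cups stacks in this commit do not pass it. If no local account is meant to be passwordless, drop it: `auth required pam_unix.so no_warn try_first_pass`. The session line `session required pam_xdg.so` also differs from the sddm stack in this commit, which writes `session required pam_xdg.so no_fail`. Pick one form for both, after checking that pam_xdg actually honours `no_fail`. A header comment saying why `pam_self.so` is `sufficient` here would document the intent.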
@@ -2,15 +2,20 @@ # try multiple authentication sources (like krb5 but fall back to pam_unix) # if we want pam_kwallet5 to execute. # Hence, for sddm, we try krb5 only (no local accounts). -auth required /usr/local/lib/security/pam_krb5.so try_first_pass -auth optional pam_exec.so /usr/local/libexec/pam-create-local-homedir -auth optional pam_kwallet5.so +auth sufficient pam_self.so no_warn +auth required /usr/local/lib/security/pam_krb5.so try_first_pass +auth optional pam_exec.so /usr/local/libexec/pam-create-local-homedir +auth optional pam_kwallet5.so -account required /usr/local/lib/security/pam_krb5.so -account required pam_login_access.so -account required pam_unix.so +account requisite pam_securetty.so +account required pam_nologin.so +account required /usr/local/lib/security/pam_krb5.so +account required pam_login_access.so +account required pam_unix.so -session required pam_lastlog.so no_fail -session optional pam_kwallet5.so auto_start +session required pam_lastlog.so no_fail +session required pam_xdg.so no_fail +session required /usr/local/lib/security/pam_krb5.so +session optional pam_kwallet5.so auto_start -password required /usr/local/lib/security/pam_krb5.so try_first_pass +password required /usr/local/lib/security/pam_krb5.so try_first_pass diff --git a/files/etc/pam.d/sshd.freebsd b/files/etc/pam.d/sshd.freebsd index 57b281b..559a980 100644 --- a/files/etc/pam.d/sshd.freebsd +++ b/files/etc/pam.d/sshd.freebsd 
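Review bot: The comment kept above the auth stack in sddm.freebsd still says sddm tries krb5 only, but the stack now opens with `auth sufficient pam_self.so no_warn`. A `sufficient` success ends the auth chain, so whenever pam_self succeeds the `pam_krb5.so`, `pam_exec.so ... pam-create-local-homedir` and `pam_kwallet5.so` lines below it are skipped. If that is intended, update the comment to say when pam_self is expected to succeed in a display-manager context and that home-directory creation and kwallet unlock are bypassed in that case; otherwise move or drop the line. The hunk starts partway through the comment block, so the beginning of the existing rationale is not visible here.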
@@ -1,17 +1,13 @@ -# auth -auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass -auth required pam_unix.so no_warn try_first_pass +auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass +auth required pam_unix.so no_warn try_first_pass -# account -account required pam_nologin.so -account required /usr/local/lib/security/pam_krb5.so -account required pam_login_access.so -account required pam_unix.so +account required pam_nologin.so +account required /usr/local/lib/security/pam_krb5.so +account required pam_login_access.so +account required pam_unix.so -# session -session required /usr/local/lib/security/pam_krb5.so -session required pam_permit.so +session required /usr/local/lib/security/pam_krb5.so +session required pam_permit.so -# password password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass password required pam_unix.so no_warn try_first_pass diff --git a/files/etc/pam.d/sudo.freebsd b/files/etc/pam.d/sudo.freebsd index 425bf4e..6a6b0a4 100644 --- a/files/etc/pam.d/sudo.freebsd +++ b/files/etc/pam.d/sudo.freebsd @@ -1,15 +1,11 @@ -# auth -auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass -auth required pam_unix.so no_warn try_first_pass +auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass +auth required pam_unix.so no_warn try_first_pass -# account account required /usr/local/lib/security/pam_krb5.so account required pam_login_access.so account required pam_unix.so -# session account required pam_permit.so -# password password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass password required pam_unix.so no_warn try_first_pass diff --git a/files/etc/profile.d/kde.sh.common b/files/etc/profile.d/kde.sh.common deleted file mode 100644 index 010d5c1..0000000 --- a/files/etc/profile.d/kde.sh.common +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -if [ "$XDG_CURRENT_DESKTOP" = KDE ]; then - export SSH_ASKPASS_REQUIRE=prefer - export SSH_ASKPASS=/usr/local/bin/ksshaskpass -fi 
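Review bot: In the sudo.freebsd hunk, removing the `# session` header leaves the context line `account required pam_permit.so` reading as a fourth account rule. It was presumably meant to be `session required pam_permit.so`, matching the session line in sshd.freebsd in this same commit. As written, the sudo service has no session entry at all and the extra account rule adds nothing after the three `required` modules above it. Either correct the facility or delete the line.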
diff --git a/files/etc/profile.d/kde.sh.desktop b/files/etc/profile.d/kde.sh.desktop
new file mode 100644
index 0000000..010d5c1
--- /dev/null
+++ b/files/etc/profile.d/kde.sh.desktop
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ "$XDG_CURRENT_DESKTOP" = KDE ]; then
+ export SSH_ASKPASS_REQUIRE=prefer
+ export SSH_ASKPASS=/usr/local/bin/ksshaskpass
+fi
diff --git a/files/etc/profile.d/kde.sh.laptop b/files/etc/profile.d/kde.sh.laptop
new file mode 120000
index 0000000..a248985
--- /dev/null
+++ b/files/etc/profile.d/kde.sh.laptop
@@ -0,0 +1 @@
+kde.sh.desktop
\ No newline at end of file
diff --git a/files/etc/profile.d/kde.sh.roadwarrior_laptop b/files/etc/profile.d/kde.sh.roadwarrior_laptop
new file mode 120000
index 0000000..a248985
--- /dev/null
+++ b/files/etc/profile.d/kde.sh.roadwarrior_laptop
@@ -0,0 +1 @@
+kde.sh.desktop
\ No newline at end of file
diff --git a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common
deleted file mode 100644
index d0bb2ae..0000000
--- a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.common
+++ /dev/null
@@ -1,3 +0,0 @@
-Section "Files"
- FontPath "/usr/local/share/fonts/terminus-font/"
-EndSection
diff --git a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.desktop b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.desktop
new file mode 100644
index 0000000..d0bb2ae
--- /dev/null
+++ b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.desktop
@@ -0,0 +1,3 @@
+Section "Files"
+ FontPath "/usr/local/share/fonts/terminus-font/"
+EndSection
diff --git a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.laptop b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.laptop
new file mode 120000
index 0000000..6c13c1d
--- /dev/null
+++ b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.laptop
@@ -0,0 +1 @@
+terminus.conf.desktop
\ No newline at end of file
diff --git a/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.roadwarrior_laptop b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.roadwarrior_laptop
new file mode 120000
index 0000000..6c13c1d
--- /dev/null
+++ b/files/usr/local/etc/X11/xorg.conf.d/terminus.conf.roadwarrior_laptop
@@ -0,0 +1 @@
+terminus.conf.desktop
\ No newline at end of file
diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.common b/files/usr/local/etc/chromium/policies/managed/policies.json.common
deleted file mode 100644
index 0e57885..0000000
--- a/files/usr/local/etc/chromium/policies/managed/policies.json.common
+++ /dev/null
@@ -1,96 +0,0 @@ -{ - "AdvancedProtectionAllowed": false, - "AlternateErrorPagesEnabled": false, - "AutofillCreditCardEnabled": false, - "AuthNegotiateDelegateAllowlist": "*.${domain}", - "AuthServerAllowlist": "*.${domain}", - "BackgroundModeEnabled": false, - "BlockThirdPartyCookies": true, - "BrowserGuestModeEnabled": false, - "BrowserLabsEnabled": false, - "BrowserNetworkTimeQueriesEnabled": false, - "BrowserSignin": 0, - "CloudPrintProxyEnabled": false, - "CloudReportingEnabled": false, - "DefaultBrowserSettingEnabled": false, - "DefaultCookiesSetting": 1, - "DefaultSearchProviderEnabled": true, - "DefaultSearchProviderName": "DuckDuckGo", - "DefaultSearchProviderIconURL": "https://duckduckgo.com/favicon.ico", - "DefaultSearchProviderEncodings": [ - "UTF-8" - ], - "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}", - "DefaultSearchProviderSuggestURL":"https://duckduckgo.com/ac/?q={searchTerms}&type=list", - "DefaultSearchProviderNewTabURL":"https://duckduckgo.com/chrome_newtab", - "DnsOverHttpsMode": "off", - "EnableAuthNegotiatePort": true, - "EnableMediaRouter": false, - "MetricsReportingEnabled": false, - "NetworkPredictionOptions": 2, - "PasswordManagerEnabled": false, - "PaymentMethodQueryEnabled": false, - "PrivacySandboxAdMeasurementEnabled": false, - "PrivacySandboxAdTopicsEnabled": false, - "PrivacySandboxPromptEnabled": false, - "PrivacySandboxSiteEnabledAdsEnabled": false, - "PromotionalTabsEnabled": false, - "SafeBrowsingProtectionLevel": 0, - "SearchSuggestEnabled": false, - "SyncDisabled": true, - "TranslateEnabled": false, - "UrlKeyedAnonymizedDataCollectionEnabled": false, - "ManagedBookmarks": [ - { - "toplevel_name": "Internal" - }, - { - "name": "Poudriere", - "url": "http://pkg.${domain}/poudriere" - } - ], - "ExtensionSettings": { - "cjpalhdlnbpafiamejdnhcphjbkeiagm": { - "installation_mode": "force_installed", - "update_url": "https://clients2.google.com/service/update2/crx" - }, - 
"nngceckbapebfimnlniiiahkandclblb": { - "installation_mode": "normal_installed", - "update_url": "https://clients2.google.com/service/update2/crx" - }, - "cimiefiiaegbelhefglklhhakcgmhkai": { - "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo normal_installed; else echo allowed; fi)", - "update_url": "https://clients2.google.com/service/update2/crx" - } - }, - "3rdparty": { - "extensions": { - "cjpalhdlnbpafiamejdnhcphjbkeiagm": { - "toOverwrite": { - "filterLists": [ - "user-filters", - "ublock-filters", - "ublock-badware", - "ublock-privacy", - "ublock-abuse", - "ublock-unbreak", - "ublock-annoyances", - "easylist", - "easyprivacy", - "urlhaus-1", - "plowe-0", - "fanboy-annoyance", - "fanboy-thirdparty_social", - "adguard-spyware-url", - "ublock-quick-fixes" - ] - }, - "toAdd": { - "trustedSiteDirectives": [ - "${domain}" - ] - } - } - } - } -} diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.desktop b/files/usr/local/etc/chromium/policies/managed/policies.json.desktop new file mode 100644 index 0000000..93544cf --- /dev/null +++ b/files/usr/local/etc/chromium/policies/managed/policies.json.desktop 
@@ -0,0 +1,99 @@ +{ + "AdvancedProtectionAllowed": false, + "AlternateErrorPagesEnabled": false, + "AutofillCreditCardEnabled": false, + "AuthNegotiateDelegateAllowlist": "*.${domain}", + "AuthServerAllowlist": "*.${domain}", + "BackgroundModeEnabled": false, + "BlockThirdPartyCookies": true, + "BrowserGuestModeEnabled": false, + "BrowserLabsEnabled": false, + "BrowserNetworkTimeQueriesEnabled": false, + "BrowserSignin": 0, + "CloudPrintProxyEnabled": false, + "CloudReportingEnabled": false, + "DefaultBrowserSettingEnabled": false, + "DefaultCookiesSetting": 1, + "DefaultSearchProviderEnabled": true, + "DefaultSearchProviderName": "DuckDuckGo", + "DefaultSearchProviderIconURL": "https://duckduckgo.com/favicon.ico", + "DefaultSearchProviderEncodings": [ + "UTF-8" + ], + "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}", + "DefaultSearchProviderSuggestURL":"https://duckduckgo.com/ac/?q={searchTerms}&type=list", + "DefaultSearchProviderNewTabURL":"https://duckduckgo.com/chrome_newtab", + "DnsOverHttpsMode": "off", + "EnableAuthNegotiatePort": true, + "EnableMediaRouter": false, + "MetricsReportingEnabled": false, + "NetworkPredictionOptions": 2, + "PasswordManagerEnabled": false, + "PaymentMethodQueryEnabled": false, + "PrivacySandboxAdMeasurementEnabled": false, + "PrivacySandboxAdTopicsEnabled": false, + "PrivacySandboxPromptEnabled": false, + "PrivacySandboxSiteEnabledAdsEnabled": false, + "PromotionalTabsEnabled": false, + "SafeBrowsingProtectionLevel": 0, + "SearchSuggestEnabled": false, + "SyncDisabled": true, + "TranslateEnabled": false, + "UrlKeyedAnonymizedDataCollectionEnabled": false, + "ManagedBookmarks": [ + { + "toplevel_name": "Internal" + }, + { + "name": "Poudriere", + "url": "http://pkg.${domain}/poudriere" + } + ], + "ExtensionSettings": { + "cjpalhdlnbpafiamejdnhcphjbkeiagm": { + "installation_mode": "force_installed", + "update_url": "https://clients2.google.com/service/update2/crx" + }, + 
"nngceckbapebfimnlniiiahkandclblb": { + "installation_mode": "normal_installed", + "update_url": "https://clients2.google.com/service/update2/crx" + }, + "cimiefiiaegbelhefglklhhakcgmhkai": { + "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo normal_installed; else echo allowed; fi)", + "update_url": "https://clients2.google.com/service/update2/crx" + } + }, + "3rdparty": { + "extensions": { + "cjpalhdlnbpafiamejdnhcphjbkeiagm": { + "toOverwrite": { + "selectedFilterLists": [ + "user-filters", + "ublock-filters", + "ublock-badware", + "ublock-privacy", + "ublock-abuse", + "ublock-unbreak", + "ublock-annoyances", + "ublock-cookies-easylist", + "fanboy-cookiemonster", + "easylist", + "easyprivacy", + "urlhaus-1", + "plowe-0", + "fanboy-annoyance", + "fanboy-social", + "fanboy-thirdparty_social", + "adguard-spyware-url", + "ublock-quick-fixes" + ] + }, + "toAdd": { + "trustedSiteDirectives": [ + "$(join '","' "$domain" $ublock_whitelist)" + ] + } + } + } + } +} diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.laptop b/files/usr/local/etc/chromium/policies/managed/policies.json.laptop new file mode 120000 index 0000000..93bcb92 --- /dev/null +++ b/files/usr/local/etc/chromium/policies/managed/policies.json.laptop @@ -0,0 +1 @@ +policies.json.desktop \ No newline at end of file diff --git a/files/usr/local/etc/chromium/policies/managed/policies.json.roadwarrior_laptop b/files/usr/local/etc/chromium/policies/managed/policies.json.roadwarrior_laptop new file mode 120000 index 0000000..93bcb92 --- /dev/null +++ b/files/usr/local/etc/chromium/policies/managed/policies.json.roadwarrior_laptop @@ -0,0 +1 @@ +policies.json.desktop \ No newline at end of file diff --git a/files/usr/local/etc/cups/client.conf.desktop b/files/usr/local/etc/cups/client.conf.desktop new file mode 100644 index 0000000..833b533 --- /dev/null +++ b/files/usr/local/etc/cups/client.conf.desktop 
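Review bot: `trustedSiteDirectives` in policies.json.desktop is now built with `$(join '","' "$domain" $ublock_whitelist)`, where `$ublock_whitelist` is expanded unquoted and pasted into a JSON string with no escaping. Word splitting is presumably intended, but pathname expansion comes with it, so an entry containing `*` or `?` could expand against the renderer's working directory, and an entry containing `"` or `\` would yield invalid or altered policy JSON. Every entry turns uBlock filtering off for that site, so it is worth rendering with globbing disabled (`set -f` around the call) and checking the rendered file with a JSON parser before it is installed. The `join` helper is defined outside this hunk, so its own handling of empty input could not be checked here.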
@@ -0,0 +1,3 @@ +ServerName ${cups_host}.${domain}:631 +Encryption Required +ValidateCerts Yes diff --git a/files/usr/local/etc/cups/client.conf.laptop b/files/usr/local/etc/cups/client.conf.laptop new file mode 120000 index 0000000..9644ac0 --- /dev/null +++ b/files/usr/local/etc/cups/client.conf.laptop @@ -0,0 +1 @@ +client.conf.desktop \ No newline at end of file diff --git a/files/usr/local/etc/cups/client.conf.roadwarrior_laptop b/files/usr/local/etc/cups/client.conf.roadwarrior_laptop new file mode 120000 index 0000000..9644ac0 --- /dev/null +++ b/files/usr/local/etc/cups/client.conf.roadwarrior_laptop @@ -0,0 +1 @@ +client.conf.desktop \ No newline at end of file diff --git a/files/usr/local/etc/cups/cupsd.conf.cups_server b/files/usr/local/etc/cups/cupsd.conf.cups_server index 25e2107..e5d90c2 100644 --- a/files/usr/local/etc/cups/cupsd.conf.cups_server +++ b/files/usr/local/etc/cups/cupsd.conf.cups_server @@ -11,7 +11,6 @@ MaxLogSize 1m # Default error policy for printers ErrorPolicy retry-job -# Only listen for connections from the local machine. Listen 80 Listen 631 Listen /var/run/cups/cups.sock @@ -29,9 +28,6 @@ DefaultEncryption Required # Web interface setting... WebInterface Yes -# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l) -IdleExitTimeout 60 - # Restrict access to the server... Order allow,deny diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository index bc8f89c..3e612a0 100644 --- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository +++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository @@ -14,6 +14,8 @@ databases_luadbi_SET=PGSQL databases_postgresql${postgresql_version}-client_SET=PAM LDAP databases_postgresql${postgresql_version}-server_SET=PAM LDAP devel_apr1_SET=LDAP +devel_electron30_SET=PULSEAUDIO +devel_electron30_UNSET=SNDIO devel_gitolite_SET=GITUSER devel_kio-extras_UNSET=AFC devel_librelp_UNSET=GNUTLS 
@@ -40,9 +42,11 @@ mail_mutt_UNSET=HTML mail_postfix_SET=LDAP SASL SASLKRB5 mail_rspamd_SET=HYPERSCAN misc_kdeutils_UNSET=KFLOPPY KTEATIME +multimedia_audacious_plugins_SET=LAME multimedia_ffmpeg_SET=OPENSSL multimedia_ffmpeg_UNSET=GNUTLS multimedia_kdemultimedia_UNSET=KDENLIVE +multimedia_pipewire_UNSET=JACK multimedia_qt6-multimedia_SET=ALSA multimedia_vlc_SET=FLAC MPEG2 X264 X265 VPX DCA FAAD AOM multimedia_webcamd_UNSET=DVB INPUT RADIO diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository index 2740c85..866c358 100644 --- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository +++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository @@ -3,6 +3,7 @@ archivers/php${php_version}-phar archivers/php${php_version}-zip archivers/unzip archivers/zip +audio/elisa audio/juk audio/kid3 audio/kmix @@ -19,6 +20,7 @@ databases/postgresql${postgresql_version}-server databases/redis devel/ccache devel/cgit +devel/electron30 devel/git@lite devel/gitolite devel/php${php_version}-gettext @@ -58,9 +60,13 @@ mail/postfix mail/rspamd mail/sieve-connect misc/php${php_version}-calendar -multimedia/audacious +multimedia/audacious-plugins@qt5 +multimedia/audacious@qt5 multimedia/libva-intel-media-driver +multimedia/libva-utils +multimedia/libvdpau-va-gl multimedia/makemkv +multimedia/vdpauinfo multimedia/v4l-utils multimedia/v4l_compat multimedia/webcamd @@ -96,9 +102,11 @@ security/openssh-portable security/pam_krb5@mit security/pam_mkhomedir security/php${php_version}-filter +security/py-omemo-dr security/sshpass security/sudo security/vaultwarden +sysutils/cpu-microcode sysutils/htop sysutils/k3b sysutils/lsof @@ -138,6 +146,7 @@ x11-fonts/terminus-font x11-fonts/terminus-ttf x11-fonts/ubuntu-font x11-fonts/webfonts +x11-toolkits/gtksourceview4 x11/kde5 x11/sddm x11/xev diff --git a/files/usr/local/etc/sddm.conf.common b/files/usr/local/etc/sddm.conf.common deleted file mode 100644 index 09c2000..0000000 
--- a/files/usr/local/etc/sddm.conf.common
+++ /dev/null
@@ -1,9 +0,0 @@
-[General]
-DisplayServer = x11
-
-[Wayland]
-SessionDir = /dev/null
-
-[Users]
-MinimumUid = ${sddm_min_uid}
-MaximumUid = ${sddm_max_uid}
diff --git a/files/usr/local/etc/sddm.conf.desktop b/files/usr/local/etc/sddm.conf.desktop
new file mode 100644
index 0000000..09c2000
--- /dev/null
+++ b/files/usr/local/etc/sddm.conf.desktop
@@ -0,0 +1,9 @@
+[General]
+DisplayServer = x11
+
+[Wayland]
+SessionDir = /dev/null
+
+[Users]
+MinimumUid = ${sddm_min_uid}
+MaximumUid = ${sddm_max_uid}
diff --git a/files/usr/local/etc/sddm.conf.laptop b/files/usr/local/etc/sddm.conf.laptop
new file mode 120000
index 0000000..a2aa201
--- /dev/null
+++ b/files/usr/local/etc/sddm.conf.laptop
@@ -0,0 +1 @@
+sddm.conf.desktop
\ No newline at end of file
diff --git a/files/usr/local/etc/sddm.conf.roadwarrior_laptop b/files/usr/local/etc/sddm.conf.roadwarrior_laptop
new file mode 120000
index 0000000..a2aa201
--- /dev/null
+++ b/files/usr/local/etc/sddm.conf.roadwarrior_laptop
@@ -0,0 +1 @@
+sddm.conf.desktop
\ No newline at end of file
diff --git a/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.desktop b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.desktop
new file mode 100644
index 0000000..43d85fb
--- /dev/null
+++ b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.desktop
@@ -0,0 +1,6 @@
+[Desktop Entry]
+Type=Application
+Name=Add site root CA to user NSS database.
+Exec=/usr/local/libexec/nss-trust-root-ca
+StartupNotify=false
+NoDisplay=true
diff --git a/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.laptop b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.laptop
new file mode 120000
index 0000000..8a3cf1a
--- /dev/null
+++ b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.laptop
@@ -0,0 +1 @@
+nss-trust-root-ca.desktop.desktop
\ No newline at end of file
diff --git a/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.roadwarrior_laptop b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.roadwarrior_laptop
new file mode 120000
index 0000000..8a3cf1a
--- /dev/null
+++ b/files/usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop.roadwarrior_laptop
@@ -0,0 +1 @@
+nss-trust-root-ca.desktop.desktop
\ No newline at end of file
diff --git a/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.common b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.common
deleted file mode 100644
index 1808561..0000000
--- a/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.common
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-pkill signal-desktop chrome baloo_file
-pkill -f /usr/local/libexec/geoclue-2.0/demos/agent
diff --git a/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.desktop b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.desktop
new file mode 100644
index 0000000..3d1e79e
--- /dev/null
+++ b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.desktop
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Various processes seem to hang around after logging out of KDE sessions.
+# Clean them up here.
+
+pkill signal-desktop chrome baloo_file dirmngr
+pkill -f /usr/local/libexec/geoclue-2.0/demos/agent
diff --git a/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.laptop b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.laptop
new file mode 120000
index 0000000..e2cb280
--- /dev/null
+++ b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.laptop
@@ -0,0 +1 @@
+cleanup.sh.desktop
\ No newline at end of file
diff --git a/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.roadwarrior_laptop b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.roadwarrior_laptop
new file mode 120000
index 0000000..e2cb280
--- /dev/null
+++ b/files/usr/local/etc/xdg/plasma-workspace/shutdown/cleanup.sh.roadwarrior_laptop
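Review bot: `pkill signal-desktop chrome baloo_file dirmngr` in cleanup.sh.desktop uses unanchored patterns and names no user, so it signals every process the caller is allowed to signal whose name merely contains one of those strings. Run from a user's Plasma shutdown hook, that is bounded by the user's own permissions, but nothing in the script enforces it if the hook is ever run with more privilege. Restricting the match to the caller and to exact names is cheap, provided the process names are exactly these: `pkill -U "$(id -u)" -x signal-desktop chrome baloo_file dirmngr`, and likewise `pkill -U "$(id -u)" -f /usr/local/libexec/geoclue-2.0/demos/agent`.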
@@ -0,0 +1 @@
+cleanup.sh.desktop
\ No newline at end of file
diff --git a/files/usr/local/lib/firefox/distribution/policies.json.common b/files/usr/local/lib/firefox/distribution/policies.json.common
deleted file mode 100644
index 425a6d6..0000000
--- a/files/usr/local/lib/firefox/distribution/policies.json.common
+++ /dev/null
@@ -1,159 +0,0 @@ -{ - "policies": { - "ExtensionSettings": { - "uBlock0@raymondhill.net": { - "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi", - "installation_mode": "force_installed" - }, - "{446900e4-71c2-419f-a6a7-df9c091e268b}": { - "install_url": "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi", - "installation_mode": "normal_installed" - }, - "{9cbd40c5-5275-443e-811b-dc57d8c7c5d2}": { - "install_url": "https://addons.mozilla.org/firefox/downloads/latest/kde-default-breeze/latest.xpi", - "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo 'normal_installed'; else echo 'allowed'; fi)" - }, - "plasma-browser-integration@kde.org": { - "install_url": "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi", - "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo normal_installed; else echo allowed; fi)" - } - }, - "3rdparty": { - "Extensions": { - "uBlock0@raymondhill.net": { - "toOverwrite": { - "filterLists": [ - "user-filters", - "ublock-filters", - "ublock-badware", - "ublock-privacy", - "ublock-abuse", - "ublock-unbreak", - "ublock-annoyances", - "easylist", - "easyprivacy", - "urlhaus-1", - "plowe-0", - "fanboy-annoyance", - "fanboy-thirdparty_social", - "adguard-spyware-url", - "ublock-quick-fixes" - ] - }, - "toAdd": { - "trustedSiteDirectives": [ - "${domain}" - ] - } - } - } - }, - "UserMessaging": { - "WhatsNew": false, - "ExtensionRecommendations": false, - "UrlbarInterventions": false, - "SkipOnboarding": true - }, - "OverridePostUpdatePage": "", - "OverrideFirstRunPage": "", - "EnableTrackingProtection": { - "Value": false, - "Cryptomining": false, - "Fingerprinting": false, - "Locked": false - }, - "Cookies": { - "Behavior": "reject-tracker-and-partition-foreign", - "BehaviorPrivateBrowsing": "reject-tracker-and-partition-foreign" - }, - "Authentication": { - "SPNEGO": ["${domain}"], - "AllowNonFQDN": { 
- "SPNEGO": true - }, - "AllowProxies": { - "SPNEGO": true - } - }, - "NoDefaultBookmarks": true, - "DisablePocket": true, - "DisableAppUpdate": true, - "CaptivePortal": false, - "Certificates": { - "Install": [ - "${site_cacert_path}" - ] - }, - "DisableFeedbackCommands": true, - "DisableFirefoxAccounts": true, - "DisableFirefoxStudies": true, - "DisableTelemetry": true, - "DontCheckDefaultBrowser": true, - "OfferToSaveLoginsDefault": false, - "DNSOverHTTPS": { - "Enabled": false - }, - "SearchSuggestEnabled": false, - "Homepage": { - "URL": "about:home", - "StartPage": "homepage" - }, - "FirefoxHome": { - "Search": true, - "TopSites": false, - "SponsoredTopSites": false, - "Highlights": false, - "Pocket": false, - "SponsoredPocket": false, - "Snippets": false - }, - "ManagedBookmarks": [ - { - "toplevel_name": "Intranet" - }, - { - "url": "http://pkg.${domain}/poudriere/", - "name": "Poudriere" - } - ], - "ExtensionUpdate": true, - "Preferences": { - "dom.security.https_only_mode": { - "Value": true, - "Status": "locked" - }, - "dom.push.connection.enabled": { - "Value": false, - "Status": "default" - }, - "privacy.trackingprotection.socialtracking.enabled": { - "Value": false, - "Status": "locked" - }, - "browser.urlbar.suggest.quicksuggest.nonsponsored": { - "Value": false, - "Status": "locked" - }, - "browser.urlbar.suggest.quicksuggest.sponsored": { - "Value": false, - "Status": "locked" - }, - "browser.toolbars.bookmarks.visibility": { - "Value": "newtab", - "Status": "default" - }, - "browser.safebrowsing.malware.enabled": { - "Value": false, - "Status": "locked" - }, - "browser.safebrowsing.phishing.enabled": { - "Value": false, - "Status": "locked" - }, - "browser.safebrowsing.downloads.enabled": { - "Value": false, - "Status": "locked" - } - } - } -} diff --git a/files/usr/local/lib/firefox/distribution/policies.json.desktop b/files/usr/local/lib/firefox/distribution/policies.json.desktop new file mode 100644 index 0000000..de93355 --- /dev/null 
+++ b/files/usr/local/lib/firefox/distribution/policies.json.desktop 
@@ -0,0 +1,162 @@ +{ + "policies": { + "ExtensionSettings": { + "uBlock0@raymondhill.net": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi", + "installation_mode": "force_installed" + }, + "{446900e4-71c2-419f-a6a7-df9c091e268b}": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi", + "installation_mode": "normal_installed" + }, + "{9cbd40c5-5275-443e-811b-dc57d8c7c5d2}": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/kde-default-breeze/latest.xpi", + "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo 'normal_installed'; else echo 'allowed'; fi)" + }, + "plasma-browser-integration@kde.org": { + "install_url": "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi", + "installation_mode": "$(if [ "${desktop_type:-}" = kde ]; then echo normal_installed; else echo allowed; fi)" + } + }, + "3rdparty": { + "Extensions": { + "uBlock0@raymondhill.net": { + "toOverwrite": { + "selectedFilterLists": [ + "user-filters", + "ublock-filters", + "ublock-badware", + "ublock-privacy", + "ublock-abuse", + "ublock-unbreak", + "ublock-annoyances", + "ublock-cookies-easylist", + "fanboy-cookiemonster", + "easylist", + "easyprivacy", + "urlhaus-1", + "plowe-0", + "fanboy-annoyance", + "fanboy-social", + "fanboy-thirdparty_social", + "adguard-spyware-url", + "ublock-quick-fixes" + ] + }, + "toAdd": { + "trustedSiteDirectives": [ + "$(join '","' "$domain" $ublock_whitelist)" + ] + } + } + } + }, + "UserMessaging": { + "WhatsNew": false, + "ExtensionRecommendations": false, + "UrlbarInterventions": false, + "SkipOnboarding": true + }, + "OverridePostUpdatePage": "", + "OverrideFirstRunPage": "", + "EnableTrackingProtection": { + "Value": false, + "Cryptomining": false, + "Fingerprinting": false, + "Locked": false + }, + "Cookies": { + "Behavior": "reject-tracker-and-partition-foreign", + "BehaviorPrivateBrowsing": 
"reject-tracker-and-partition-foreign" + }, + "Authentication": { + "SPNEGO": ["${domain}"], + "AllowNonFQDN": { + "SPNEGO": true + }, + "AllowProxies": { + "SPNEGO": true + } + }, + "NoDefaultBookmarks": true, + "DisablePocket": true, + "DisableAppUpdate": true, + "CaptivePortal": false, + "Certificates": { + "Install": [ + "${site_cacert_path}" + ] + }, + "DisableFeedbackCommands": true, + "DisableFirefoxAccounts": true, + "DisableFirefoxStudies": true, + "DisableTelemetry": true, + "DontCheckDefaultBrowser": true, + "OfferToSaveLoginsDefault": false, + "DNSOverHTTPS": { + "Enabled": false + }, + "SearchSuggestEnabled": false, + "Homepage": { + "URL": "about:home", + "StartPage": "homepage" + }, + "FirefoxHome": { + "Search": true, + "TopSites": false, + "SponsoredTopSites": false, + "Highlights": false, + "Pocket": false, + "SponsoredPocket": false, + "Snippets": false + }, + "ManagedBookmarks": [ + { + "toplevel_name": "Intranet" + }, + { + "url": "http://pkg.${domain}/poudriere/", + "name": "Poudriere" + } + ], + "ExtensionUpdate": true, + "Preferences": { + "dom.security.https_only_mode": { + "Value": true, + "Status": "locked" + }, + "dom.push.connection.enabled": { + "Value": false, + "Status": "default" + }, + "privacy.trackingprotection.socialtracking.enabled": { + "Value": false, + "Status": "locked" + }, + "browser.urlbar.suggest.quicksuggest.nonsponsored": { + "Value": false, + "Status": "locked" + }, + "browser.urlbar.suggest.quicksuggest.sponsored": { + "Value": false, + "Status": "locked" + }, + "browser.toolbars.bookmarks.visibility": { + "Value": "newtab", + "Status": "default" + }, + "browser.safebrowsing.malware.enabled": { + "Value": false, + "Status": "locked" + }, + "browser.safebrowsing.phishing.enabled": { + "Value": false, + "Status": "locked" + }, + "browser.safebrowsing.downloads.enabled": { + "Value": false, + "Status": "locked" + } + } + } +} 
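Review bot: In `trustedSiteDirectives`, `$ublock_whitelist` is expanded unquoted inside the `$(join ...)` substitution, so each entry is subject to word splitting and pathname expansion when the template is rendered, and an entry containing `"` or `\` would land unescaped inside a JSON string. uBlock trusted-site directives may legitimately contain `*`, which would then glob against the working directory of the templating run. How `join` and the template renderer are implemented is not visible here, so this needs confirming; if it holds, render with globbing disabled (`set -f`) and add a comment next to the `ublock_whitelist` default such as `# Whitespace-separated hostnames; no quotes, backslashes or glob characters.`.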
diff --git a/files/usr/local/lib/firefox/distribution/policies.json.laptop b/files/usr/local/lib/firefox/distribution/policies.json.laptop
new file mode 120000
index 0000000..93bcb92
--- /dev/null
+++ b/files/usr/local/lib/firefox/distribution/policies.json.laptop
@@ -0,0 +1 @@
+policies.json.desktop
\ No newline at end of file
diff --git a/files/usr/local/lib/firefox/distribution/policies.json.roadwarrior_laptop b/files/usr/local/lib/firefox/distribution/policies.json.roadwarrior_laptop
new file mode 120000
index 0000000..93bcb92
--- /dev/null
+++ b/files/usr/local/lib/firefox/distribution/policies.json.roadwarrior_laptop
@@ -0,0 +1 @@
+policies.json.desktop
\ No newline at end of file
diff --git a/files/usr/local/lib/libreoffice/program/sofficerc.common b/files/usr/local/lib/libreoffice/program/sofficerc.common
deleted file mode 100644
index 77574a4..0000000
--- a/files/usr/local/lib/libreoffice/program/sofficerc.common
+++ /dev/null
@@ -1,18 +0,0 @@
-[Bootstrap]
-CrashDirectory=${$BRAND_BASE_DIR/program/bootstraprc:UserInstallation}/crash
-CrashDumpEnable=true
-HideEula=1
-Logo=0
-NativeProgress=false
-ProgressBarColor=0,0,0
-ProgressFrameColor=102,102,102
-ProgressPosition=30,145
-ProgressSize=385,8
-ProgressTextBaseline=170
-ProgressTextColor=0,0,0
-SecureUserConfig=true
-SecureUserConfigCompress=true
-SecureUserConfigExtensions=true
-SecureUserConfigMode=1
-SecureUserConfigNumCopies=2
-URE_BOOTSTRAP=${ORIGIN}/fundamentalrc
diff --git a/files/usr/local/lib/libreoffice/program/sofficerc.desktop b/files/usr/local/lib/libreoffice/program/sofficerc.desktop
new file mode 100644
index 0000000..77574a4
--- /dev/null
+++ b/files/usr/local/lib/libreoffice/program/sofficerc.desktop
@@ -0,0 +1,18 @@ +[Bootstrap] +CrashDirectory=${$BRAND_BASE_DIR/program/bootstraprc:UserInstallation}/crash +CrashDumpEnable=true +HideEula=1 +Logo=0 +NativeProgress=false +ProgressBarColor=0,0,0 +ProgressFrameColor=102,102,102 +ProgressPosition=30,145 +ProgressSize=385,8 +ProgressTextBaseline=170 +ProgressTextColor=0,0,0 +SecureUserConfig=true +SecureUserConfigCompress=true +SecureUserConfigExtensions=true +SecureUserConfigMode=1 +SecureUserConfigNumCopies=2 +URE_BOOTSTRAP=${ORIGIN}/fundamentalrc diff --git a/files/usr/local/lib/libreoffice/program/sofficerc.laptop b/files/usr/local/lib/libreoffice/program/sofficerc.laptop new file mode 120000 index 0000000..0d2b44a --- /dev/null +++ b/files/usr/local/lib/libreoffice/program/sofficerc.laptop @@ -0,0 +1 @@ +sofficerc.desktop \ No newline at end of file diff --git a/files/usr/local/lib/libreoffice/program/sofficerc.roadwarrior_laptop b/files/usr/local/lib/libreoffice/program/sofficerc.roadwarrior_laptop new file mode 120000 index 0000000..0d2b44a --- /dev/null +++ b/files/usr/local/lib/libreoffice/program/sofficerc.roadwarrior_laptop @@ -0,0 +1 @@ +sofficerc.desktop \ No newline at end of file diff --git a/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server b/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server index c33b909..381032d 100644 --- a/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server +++ b/files/usr/local/libexec/idm-update-unbound-blocklists.idm_server @@ -3,8 +3,7 @@ set -eu -o pipefail prog=$(basename "$(readlink -f "$0")") -usage="${prog} BLOCKLIST_DIR - Blocklist URLs are read from stdin." +usage="${prog} URL_FILE WHITELIST_FILE BLOCKLIST_DIR" die() { printf '%s: %s\n' "$prog" "$*" 1>&2 
@@ -16,17 +15,41 @@ usage(){ exit 2 } -[ $# -eq 1 ] || usage -case $1 in +case ${1:-} in -h|--help) usage ;; esac -[ -d "$1" ] || die "not a directory: ${1}" +[ $# -eq 3 ] || usage -cd "$1" +url_file=$1 +whitelist_file=$2 +blocklist_dir=$3 +[ -d "$blocklist_dir" ] || die "not a directory: ${blocklist_dir}" + +cd "$blocklist_dir" + +# Delete any existing zone files. find . -maxdepth 1 -type f -exec rm {} + -while read -r name url; do - [ -n "$url" ] && curl -sSfL -o "${name}.zone" "$url" -done +if grep -q '[^[:space:]]' "$whitelist_file"; then + # If the whitelist file is non empty, compute a regex. + while read -r pattern; do + [ -n "$pattern" ] || continue + whitelist_regex="${whitelist_regex:+"${whitelist_regex}|"}${pattern}" + done < "$whitelist_file" + + # For each blocklist url, download the blocklist and filter out the whitelist. + while read -r name url; do + [ -n "$url" ] && curl -sSfL "$url" | grep -Ev "^(.*\\.)?(${whitelist_regex})[[:space:]]" > "${name}.zone" + done < "$url_file" +else + # If no whitelist configured, just download each blocklist. + while read -r name url; do + [ -n "$url" ] && curl -sSfL -o "${name}.zone" "$url" + done < "$url_file" +fi + +# Try to reload unbound. +unbound_pidfile=$(/usr/local/sbin/unbound-checkconf -o pidfile /usr/local/etc/unbound/unbound.conf) +kill -HUP "$(cat "$unbound_pidfile")" ||: diff --git a/files/usr/local/libexec/nss-trust-root-ca.common b/files/usr/local/libexec/nss-trust-root-ca.common new file mode 100644 index 0000000..6a38a86 --- /dev/null +++ b/files/usr/local/libexec/nss-trust-root-ca.common 
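Review bot: Whitelist entries are joined into `whitelist_regex` and passed to `grep -Ev` unescaped, so the `.` in an ordinary hostname matches any character and an entry such as `a.example.org` (constructed sample) also removes `axexample.org` from the downloaded blocklist; any other ERE metacharacter in the whitelist file widens the filter the same way. If entries are meant to be literal domain names, escape them as they are read, e.g. `pattern=$(printf '%s\n' "$pattern" | sed 's/[][\\.^$*+?(){}|]/\\&/g')`; if they are meant to be regexes, say so in the comment above the loop. Separately, under `set -e` the `curl ... | grep -Ev ...` pipeline aborts the script whenever grep selects no lines, and by then the old zone files have already been deleted.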
@@ -0,0 +1,16 @@ +#!/bin/sh + +# Chromium no longer trusts the system certificate store. Instead, it uses the +# user's local NSS database, located at ~/.pki. +# +# This script adds our local root CA to the NSS DB, so that Chrome will trust it. + +cert_name="$(hostname -d) Root CA" +cert_path=/usr/local/etc/ssl/certs/ca.crt +nss_db_path="${HOME}/.pki/nssdb" + +mkdir -p "$nss_db_path" + +if ! certutil -d "sql:${nss_db_path}" -L -n "$cert_name" > /dev/null 2>&1; then + certutil -d "sql:${nss_db_path}" -A -t 'C,,' -n "$cert_name" -i "$cert_path" +fi diff --git a/files/usr/local/libexec/pam-create-local-homedir.common b/files/usr/local/libexec/pam-create-local-homedir.common index a956d65..2d30d06 100644 --- a/files/usr/local/libexec/pam-create-local-homedir.common +++ b/files/usr/local/libexec/pam-create-local-homedir.common @@ -1,10 +1,3 @@ #!/bin/sh -set -e - -uid=$(id -u "$PAM_USER") - -if [ "$uid" -ge 1000 ]; then - install -m 0755 -d /usr/local/home - install -o "$uid" -g "$uid" -m 0700 -d "/usr/local/home/${PAM_USER}" -fi +install -o "$PAM_USER" -g "$PAM_USER" -m 0700 -d "/usr/local/home/${PAM_USER}" diff --git a/files/usr/local/override/applications/signal-desktop.desktop.common b/files/usr/local/override/applications/signal-desktop.desktop.common deleted file mode 100644 index d0c9160..0000000 --- a/files/usr/local/override/applications/signal-desktop.desktop.common +++ /dev/null @@ -1,12 +0,0 @@ -[Desktop Entry] -Type=Application -Name=Signal -Comment=Signal - Private Messenger -Icon=signal-desktop -Exec=signal-desktop --use-tray-icon -- %u -Terminal=false -Categories=Network;InstantMessaging; -StartupWMClass=Signal -MimeType=x-scheme-handler/sgnl; -Keywords=sgnl;chat;im;messaging;messenger;sms;security;privat; -X-GNOME-UsesNotifications=true diff --git a/files/usr/local/share-override/applications/chromium-browser.desktop.desktop b/files/usr/local/share-override/applications/chromium-browser.desktop.desktop new file mode 100644 index 0000000..cb5a5bf 
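Review bot: The existence check looks the certificate up by nickname only (`certutil ... -L -n "$cert_name"`), so once an entry with that name is in `~/.pki/nssdb` the script never touches it again: a replaced or rotated `ca.crt` is not imported and the old certificate keeps its `C,,` trust. Consider removing and re-adding it on each run, e.g. `certutil -d "sql:${nss_db_path}" -D -n "$cert_name" >/dev/null 2>&1 ||:` before an unconditional `-A`, or comparing fingerprints before skipping. The script also runs without `set -eu`, so an unset `HOME` would make `nss_db_path` resolve to `/.pki/nssdb`; `: "${HOME:?}"` near the top would catch that.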
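Review bot: The new one-line body drops the `"$uid" -ge 1000` guard, so the directory is now created for whatever account PAM passes in `PAM_USER`, system accounts included, and `PAM_USER` goes into the path unchecked. Which PAM stacks call this helper, and in which phase, is in the pam.d files rather than this hunk, so the exposure may be small; a cheap guard is still worth having, e.g. `case $PAM_USER in ''|*/*|.*) exit 1 ;; esac` before the `install`. `-g "$PAM_USER"` also assumes a group named after the user exists, where the old code passed the numeric uid; a comment stating that assumption would help.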
--- /dev/null +++ b/files/usr/local/share-override/applications/chromium-browser.desktop.desktop @@ -0,0 +1,11 @@ +[Desktop Entry] +Type=Application +Version=1.0 +Encoding=UTF-8 +Name=Chromium +Comment=Google web browser based on WebKit +Icon=chrome +Exec=chrome ${chrome_flags} %U +Categories=Application;Network;WebBrowser; +MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp; +StartupNotify=true diff --git a/files/usr/local/share-override/applications/chromium-browser.desktop.laptop b/files/usr/local/share-override/applications/chromium-browser.desktop.laptop new file mode 120000 index 0000000..351c67b --- /dev/null +++ b/files/usr/local/share-override/applications/chromium-browser.desktop.laptop @@ -0,0 +1 @@ +chromium-browser.desktop.desktop \ No newline at end of file diff --git a/files/usr/local/share-override/applications/chromium-browser.desktop.roadwarrior_laptop b/files/usr/local/share-override/applications/chromium-browser.desktop.roadwarrior_laptop new file mode 120000 index 0000000..351c67b --- /dev/null +++ b/files/usr/local/share-override/applications/chromium-browser.desktop.roadwarrior_laptop @@ -0,0 +1 @@ +chromium-browser.desktop.desktop \ No newline at end of file diff --git a/files/usr/local/share-override/applications/signal-desktop.desktop.desktop b/files/usr/local/share-override/applications/signal-desktop.desktop.desktop new file mode 100644 index 0000000..d0c9160 --- /dev/null +++ b/files/usr/local/share-override/applications/signal-desktop.desktop.desktop @@ -0,0 +1,12 @@ +[Desktop Entry] +Type=Application +Name=Signal +Comment=Signal - Private Messenger +Icon=signal-desktop +Exec=signal-desktop --use-tray-icon -- %u +Terminal=false +Categories=Network;InstantMessaging; +StartupWMClass=Signal +MimeType=x-scheme-handler/sgnl; +Keywords=sgnl;chat;im;messaging;messenger;sms;security;privat; +X-GNOME-UsesNotifications=true 
diff --git a/files/usr/local/share-override/applications/signal-desktop.desktop.laptop b/files/usr/local/share-override/applications/signal-desktop.desktop.laptop new file mode 120000 index 0000000..6a702d4 --- /dev/null +++ b/files/usr/local/share-override/applications/signal-desktop.desktop.laptop @@ -0,0 +1 @@ +signal-desktop.desktop.desktop \ No newline at end of file diff --git a/files/usr/local/share-override/applications/signal-desktop.desktop.roadwarrior_laptop b/files/usr/local/share-override/applications/signal-desktop.desktop.roadwarrior_laptop new file mode 120000 index 0000000..6a702d4 --- /dev/null +++ b/files/usr/local/share-override/applications/signal-desktop.desktop.roadwarrior_laptop @@ -0,0 +1 @@ +signal-desktop.desktop.desktop \ No newline at end of file diff --git a/lib/40-os b/lib/40-os index eee7392..c10da24 100644 --- a/lib/40-os +++ b/lib/40-os @@ -3,16 +3,17 @@ set_sysctl(){ # Set sysctl value(s) and persist them to /etc/sysctl.conf. # $1..$N = sysctl values (as "name=value" strings) + # The '|' character is unsupported within the sysctl value. while [ $# -gt 0 ]; do sysctl "$1" sed -i.bak "/^${1%%=*}=/{ h -s/=.*/=${1#*=}/ +s|=.*|=${1#*=}| } \${ x /^\$/{ -s//${1}/ +s||${1}| H } x @@ -26,18 +27,19 @@ set_loader_conf(){ # Set the FreeBSD bootloader options in /boot/loader.conf. # The host will be rebooted if the file is changed. # $1..$N = bootloader options (as "name=value" strings) + # The '|' character is unsupported within the option value. [ "$BOXCONF_OS" = freebsd ] || bug 'set_loader_conf can only be used on FreeBSD' while [ $# -gt 0 ]; do grep -qxF "${1%%=*}=\"${1#*=}\"" /boot/loader.conf || BOXCONF_NEED_REBOOT=true sed -i.bak "/^${1%%=*}=/{ h -s/=.*/=\"${1#*=}\"/ +s|=.*|=\"${1#*=}\"| } \${ x /^\$/{ -s//${1%%=*}=\"${1#*=}\"/ +s||${1%%=*}=\"${1#*=}\"| H } x diff --git a/scripts/hostclass/cups_server b/scripts/hostclass/cups_server index 6667829..d9b6e66 100644 --- a/scripts/hostclass/cups_server +++ b/scripts/hostclass/cups_server 
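Review bot: Switching the sed delimiter to `|` fixes values that contain `/`, but the value is still pasted into the replacement text, where `&` and `\` are special as well; the new comment in `set_sysctl` (and the matching one in `set_loader_conf`, second hunk) lists only `|`. Either extend the comment, `# The '|', '&' and '\' characters are unsupported within the sysctl value.`, or escape those three characters before building the sed script. The name part `${1%%=*}` is also used as a regex in the address, so the dots in a sysctl name match any character; that predates this change. Both function bodies continue outside the hunks.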
@@ -9,6 +9,9 @@ cups_tls_dir=${cups_conf_dir}/ssl cups_tls_cert="${cups_tls_dir}/${fqdn}.crt" cups_tls_key="${cups_tls_dir}/${fqdn}.key" +# Create dataset for persistent CUPS configuration. +create_dataset -o "mountpoint=${cups_conf_dir}" "${state_dataset}/cups" + # Install required packages. pkg install -y cups cups-filters diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop index f9e7e94..148b596 100644 --- a/scripts/hostclass/desktop +++ b/scripts/hostclass/desktop @@ -4,10 +4,13 @@ : ${desktop_access_gid:='40000'} : ${sddm_min_uid:='10000'} : ${sddm_max_uid:='19999'} +: ${cups_host:='cups'} +: ${ublock_whitelist:=''} +: ${chrome_flags:=''} sddm_user=sddm - -# TODO: kill lingering processes after logout (chrome, baloo-search, etc). +cups_conf_dir=/usr/local/etc/cups +xdg_override_dir=/usr/local/share-override if [ "${enable_idm:-}" = false ]; then desktop_access_role=operator @@ -33,7 +36,9 @@ pkg install -y $desktop_common_packages install_file -m 0555 \ /usr/local/libexec/pam-create-local-homedir \ /etc/profile.d/local-homedir.sh -install_directory -m 0755 /usr/local/home + +# Create ZFS dataset for local homedirs. +create_dataset -o mountpoint=/usr/local/home "${state_dataset}/home" # Enable sndio. sysrc -v sndiod_enable=YES @@ -54,6 +59,10 @@ set_loader_conf cuse_load=YES sysrc -v webcamd_enable=YES service webcamd status || service webcamd start +# Create xdg autostart entry to add our Root CA to Chrome's certificate store. +install_file -m 0644 /usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop +install_file -m 0555 /usr/local/libexec/nss-trust-root-ca + case $desktop_type in i3) pkg install -y $desktop_i3_packages 
@@ -121,12 +130,13 @@ install_file -m 0644 /usr/local/etc/X11/xorg.conf.d/terminus.conf # Create xdg override directory. install_directory -m 0755 \ - /usr/local/override \ - /usr/local/override/applications + "${xdg_override_dir}" \ + "${xdg_override_dir}/applications" # Create xdg application overrides. -install_file -m 0644 \ - /usr/local/override/applications/signal-desktop.desktop +install_template -m 0644 \ + "${xdg_override_dir}/applications/signal-desktop.desktop" \ + "${xdg_override_dir}/applications/chromium-browser.desktop" # Create polkit rules for shutdown/reboot/suspend install_template -m 0644 /usr/local/etc/polkit-1/rules.d/51-desktop.rules @@ -135,10 +145,14 @@ install_template -m 0644 /usr/local/etc/polkit-1/rules.d/51-desktop.rules sysrc -v dbus_enable=YES service dbus status || service dbus start +# Configure CUPS. +pkg install -y cups +install_template -m 0644 "${cups_conf_dir}/client.conf" + # Configure graphics drivers. case $graphics_type in intel) - pkg install -y drm-kmod + pkg install -y drm-kmod libva-intel-media-driver sysrc -v kld_list+=i915kms load_kernel_module i915kms set_loader_conf \ diff --git a/scripts/hostclass/idm_server/40-unbound b/scripts/hostclass/idm_server/40-unbound index 01c1c70..d38194f 100644 --- a/scripts/hostclass/idm_server/40-unbound +++ b/scripts/hostclass/idm_server/40-unbound @@ -4,8 +4,10 @@ unbound_user=unbound unbound_conf_dir=/usr/local/etc/unbound unbound_blocklist_dir="${unbound_conf_dir}/blocklists" unbound_blocklist_url_file="${unbound_conf_dir}/blocklist_urls" +unbound_whitelist_file="${unbound_conf_dir}/whitelist" : ${unbound_blocklist_urls:=''} +: ${unbound_whitelist:=''} : ${unbound_cache_max_negative_ttl:='60'} : ${unbound_rrset_cache_size:='104857600'} # 100 MB : ${unbound_msg_cache_size:='52428800'} # 50 MB 
@@ -24,9 +26,10 @@ install_directory -m 0755 -o "$unbound_user" "$unbound_blocklist_dir" install_template -m 0644 "${unbound_conf_dir}/unbound.conf" # Download blocklists. +echo "$unbound_whitelist" | tee "$unbound_whitelist_file" echo "$unbound_blocklists" | tee "$unbound_blocklist_url_file" install_file -m 0755 /usr/local/libexec/idm-update-unbound-blocklists -su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}" +su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_url_file} ${unbound_whitelist_file} ${unbound_blocklist_dir}" # Enable and start unbound. sysrc -v unbound_enable=YES @@ -36,5 +39,4 @@ service unbound restart install_template -m 0644 /etc/resolv.conf # Update blocklists with a cron job. -echo "@daily root su -m ${unbound_user} -c \"/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}\" && service unbound reload" \ - | tee /etc/cron.d/idm-update-unbound-blocklists +install_template -m 0644 /etc/cron.d/unbound diff --git a/scripts/hostclass/laptop b/scripts/hostclass/laptop deleted file mode 100644 index dba2c5f..0000000 --- a/scripts/hostclass/laptop +++ /dev/null 
@@ -1,65 +0,0 @@ -#!/bin/sh - -# Enable thinkpad hardware features. -load_kernel_module acpi_ibm -set_loader_conf acpi_ibm_load=YES - -# Set USB power savings -usbconfig | awk -F: '{ print $1 }' | xargs -rtn1 -I% usbconfig -d % power_save ||: -install_file /etc/rc.local - -# Create devd rule for lid close. -install_file -m 0555 /usr/local/libexec/lid-close -install_file -m 0644 /etc/devd/lid-close.conf -service devd restart - -# Enable kernel module for Android USB tethering. -load_kernel_module if_urndis -set_loader_conf if_urndis_load=YES -sysrc -v ifconfig_ue0='DHCP' - -# Install laptop packages. -pkg install -y networkmgr - -# Misc power saving stuff. -set_loader_conf \ - vfs.zfs.txg.timeout=10 \ - -if [ "$graphics_type" = intel ]; then - set_loader_conf \ - compat.linuxkpi.i915_disable_power_well=1 \ - compat.linuxkpi.i915_enable_dc=2 -fi - -case ${wireless_type:-} in - iwm*) - set_loader_conf \ - if_iwm_load=YES \ - "${wireless_type}fw_load=YES" - - load_kernel_module \ - if_iwm \ - "${wireless_type}fw" - - sysrc -v wlans_iwm0='wlan0' - ;; -esac - -# Enable power saving for sound card. -set_sysctl hw.snd.latency=7 - -# Configure wireless card. -sysrc -v \ - create_args_wlan0='country US regdomain FCC' \ - ifconfig_wlan0="WPA DHCP powersave" - -# Hardware-specific fixes. -case ${laptop_type:-} in - thinkpad) - # Set brightness using function keys. - set_sysctl dev.acpi_ibm.0.handlerevents='0x10 0x11' - install_file -m 0555 /usr/local/libexec/thinkpad-brightness - install_file -m 0644 /etc/devd/thinkpad-brightness.conf - service devd restart - ;; -esac diff --git a/scripts/hostclass/laptop/10-desktop b/scripts/hostclass/laptop/10-desktop new file mode 120000 index 0000000..2c7c348 --- /dev/null +++ b/scripts/hostclass/laptop/10-desktop @@ -0,0 +1 @@ +../desktop \ No newline at end of file diff --git a/scripts/hostclass/laptop/20-laptop b/scripts/hostclass/laptop/20-laptop new file mode 100644 index 0000000..dba2c5f --- /dev/null 
+++ b/scripts/hostclass/laptop/20-laptop @@ -0,0 +1,65 @@ +#!/bin/sh + +# Enable thinkpad hardware features. +load_kernel_module acpi_ibm +set_loader_conf acpi_ibm_load=YES + +# Set USB power savings +usbconfig | awk -F: '{ print $1 }' | xargs -rtn1 -I% usbconfig -d % power_save ||: +install_file /etc/rc.local + +# Create devd rule for lid close. +install_file -m 0555 /usr/local/libexec/lid-close +install_file -m 0644 /etc/devd/lid-close.conf +service devd restart + +# Enable kernel module for Android USB tethering. +load_kernel_module if_urndis +set_loader_conf if_urndis_load=YES +sysrc -v ifconfig_ue0='DHCP' + +# Install laptop packages. +pkg install -y networkmgr + +# Misc power saving stuff. +set_loader_conf \ + vfs.zfs.txg.timeout=10 \ + +if [ "$graphics_type" = intel ]; then + set_loader_conf \ + compat.linuxkpi.i915_disable_power_well=1 \ + compat.linuxkpi.i915_enable_dc=2 +fi + +case ${wireless_type:-} in + iwm*) + set_loader_conf \ + if_iwm_load=YES \ + "${wireless_type}fw_load=YES" + + load_kernel_module \ + if_iwm \ + "${wireless_type}fw" + + sysrc -v wlans_iwm0='wlan0' + ;; +esac + +# Enable power saving for sound card. +set_sysctl hw.snd.latency=7 + +# Configure wireless card. +sysrc -v \ + create_args_wlan0='country US regdomain FCC' \ + ifconfig_wlan0="WPA DHCP powersave" + +# Hardware-specific fixes. +case ${laptop_type:-} in + thinkpad) + # Set brightness using function keys. + set_sysctl dev.acpi_ibm.0.handlerevents='0x10 0x11' + install_file -m 0555 /usr/local/libexec/thinkpad-brightness + install_file -m 0644 /etc/devd/thinkpad-brightness.conf + service devd restart + ;; +esac diff --git a/scripts/hostclass/roadwarrior_laptop/20-laptop b/scripts/hostclass/roadwarrior_laptop/20-laptop index 874f665..981e450 120000 --- a/scripts/hostclass/roadwarrior_laptop/20-laptop +++ b/scripts/hostclass/roadwarrior_laptop/20-laptop @@ -1 +1 @@ -../laptop \ No newline at end of file +../laptop/20-laptop \ No newline at end of file 
diff --git a/scripts/os/freebsd/10-bootloader b/scripts/os/freebsd/10-bootloader index 438acc0..3209927 100644 --- a/scripts/os/freebsd/10-bootloader +++ b/scripts/os/freebsd/10-bootloader @@ -24,9 +24,7 @@ set_loader_conf \ pflog_load=YES \ security.bsd.allow_destructive_dtrace=0 -if [ "${serial_console:-}" = true ]; then - # Don't enable the serial console for all hosts indiscriminately. - # Somehow, having the serial console enabled breaks ConsoleKit. +if [ "$BOXCONF_VIRTUALIZATION_TYPE" = none ] && [ "$enable_serial_console" = true ]; then set_loader_conf \ boot_multicons=YES \ boot_serial=YES \ diff --git a/scripts/os/freebsd/10-cpu b/scripts/os/freebsd/10-cpu index ea2afcf..67aeb68 100644 --- a/scripts/os/freebsd/10-cpu +++ b/scripts/os/freebsd/10-cpu @@ -28,3 +28,8 @@ if sysctl -n dev.hwpstate_intel.0.epp >/dev/null 2>&1; then set_sysctl "dev.hwpstate_intel.${n}.epp=${intel_epp}" done fi + +# Enable CPU-related kernel modules. +set_loader_conf \ + cpuctl_load=YES \ + coretemp_load=YES diff --git a/scripts/os/freebsd/50-idm b/scripts/os/freebsd/50-idm index 0a9e882..ab7c2fd 100644 --- a/scripts/os/freebsd/50-idm +++ b/scripts/os/freebsd/50-idm @@ -20,6 +20,7 @@ pkg install -y \ # Configure PAM/NSS integration. install_file -m 0644 \ /etc/nsswitch.conf \ + /etc/pam.d/login \ /etc/pam.d/sshd \ /etc/pam.d/sudo diff --git a/scripts/os/freebsd/80-microcode b/scripts/os/freebsd/80-microcode new file mode 100644 index 0000000..f9e213e --- /dev/null +++ b/scripts/os/freebsd/80-microcode @@ -0,0 +1,14 @@ +#!/bin/sh + +: ${microcode_name:='intel-ucode.bin'} + +# Only run this file on baremetal hosts. +if [ "$BOXCONF_VIRTUALIZATION_TYPE" != none ]; then + return +fi + +pkg install -y cpu-microcode + +set_loader_conf \ + cpu_microcode_load=YES \ + cpu_microcode_name="/boot/firmware/${microcode_name}" diff --git a/site/scripts/hostname/rlaptop1 b/site/scripts/hostname/rlaptop1 deleted file mode 100644 index f346965..0000000 
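Review bot: The rewritten condition in 10-bootloader reads `$BOXCONF_VIRTUALIZATION_TYPE` and `$enable_serial_console` without the `${var:-}` fallback the old test used, and together with the `enable_serial_console=true` default added to vars/common it turns the serial console from opt-in into on-by-default for every bare-metal host that does not override it. A serial console is an additional local console and boot-loader path, so the default deserves a comment where it is applied, for example `# Serial console is enabled on all bare-metal hosts unless a hostclass sets enable_serial_console=false.`. If these scripts run under `set -u` (not visible in this hunk), keep the fallback: `[ "${enable_serial_console:-}" = true ]`. The `set_loader_conf` call continues past the end of the hunk.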
--- a/site/scripts/hostname/rlaptop1 +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh - -add_user \ - -c "Cullum Smith" \ - -G wheel,operator,video \ - -s /bin/sh \ - -m \ - -p changeme \ - cullum diff --git a/vars/common b/vars/common index 18df739..8e9fab0 100644 --- a/vars/common +++ b/vars/common @@ -38,6 +38,7 @@ nproc=$(nproc) allowed_tcp_ports=ssh bootstrap_resolvers='1.1.1.1' desktop_type=kde +enable_serial_console=true graphics_type=intel boxconf_username='s-boxconf' host_keytab_groupname=hostkeytab @@ -55,7 +56,6 @@ rspamd_port=11334 ssh_authzkeys_uid=789 ssh_authzkeys_username=sshkeys tcp_buffer_size=2097152 # suitable for 1 GigE -serial_console=false nginx_nofile=2048 nginx_worker_connections=768 diff --git a/vars/hostclass/desktop b/vars/hostclass/desktop index 8938965..0b11406 100644 --- a/vars/hostclass/desktop +++ b/vars/hostclass/desktop @@ -1,5 +1,11 @@ #!/bin/sh +# Let users run gdb/truss. +allow_proc_debug=1 + +# Serial console breaks ConsoleKit2. +enable_serial_console=false + # UID/GID hiding breaks consolekit and KDE screen locker. see_other_uids=1 @@ -7,22 +13,29 @@ see_other_uids=1 # cleared out, resulting in the socket being blown away. clear_tmp_enable=false +# Chromium seems to need this to enable VAAPI video decoding on intel. +chrome_flags='--enable-features=Vulkan,VulkanFromANGLE,DefaultANGLEVulkan' + +# signal-desktop requires pulseaudio for audio/video chat. SAD! desktop_common_packages=" bind-tools cantarell-fonts chromium droid-fonts-ttf eclipse +ffmpeg firefox git gnupg inconsolata-ttf krb5 libreoffice -libva-intel-media-driver +libva-utils +libvdpau-va-gl noto-basic noto-emoji password-store +pulseaudio py${python_version}-pip signal-desktop sndio @@ -32,6 +45,7 @@ terminus-ttf tmux tree ubuntu-font +vdpauinfo v4l-utils v4l_compat webcamd 
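Review bot: `allow_proc_debug=1` in the first vars/hostclass/desktop hunk is set for the whole desktop hostclass, so every host of that class gives up the process-debug restriction to make gdb/truss available. How the variable is applied (presumably a sysctl) is outside this hunk; if it does what the name suggests, any process running as a user can attach to that user's other processes, including the browser and the gnupg/password-store tooling installed by this same file. Consider leaving the default off and enabling it per host, and extend the comment to say so: `# Let users run gdb/truss. Weakens isolation between a user's own processes; enable only on development hosts.`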
@@ -39,16 +53,20 @@ webfonts wireguard-tools xorg" -desktop_kde_packages=' +desktop_kde_packages=" +audacious +audacious-plugins dino gajim +gtksourceview4 juk k3b kde5 kid3-qt6 kmix konversation -sddm' +py${python_version}-omemo-dr +sddm" desktop_i3_packages=' compton diff --git a/vars/hostname/alcatraz1 b/vars/hostname/alcatraz1 deleted file mode 100644 index 9b2021c..0000000 --- a/vars/hostname/alcatraz1 +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -serial_console=true -- cgit v1.2.3