From 8e3d7dfa20b966b928078d8071d10fb186a0d781 Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Mon, 21 Oct 2024 09:17:49 -0400
Subject: cleanup nfs1 host script

---
 files/etc/cron.d/poudriere.pkg_server              |   1 +
 files/etc/cron.d/zfs-trim.freebsd                  |   4 +-
 .../local/libexec/poudriere-cron.pkg_repository    |   2 +-
 lib/30-files                                       |   9 ++
 scripts/hostclass/nfs_server                       |   3 +
 scripts/hostclass/pkg_repository                   |   3 +-
 scripts/hostname/nfs1                              | 134 ---------------------
 scripts/hostname/nfs1/10-homedirs                  |  50 ++++++++
 scripts/hostname/nfs1/20-shares                    |  11 ++
 scripts/hostname/nfs1/30-autofs                    |  81 +++++++++++++
 10 files changed, 158 insertions(+), 140 deletions(-)
 create mode 100644 files/etc/cron.d/poudriere.pkg_server
 delete mode 100644 scripts/hostname/nfs1
 create mode 100644 scripts/hostname/nfs1/10-homedirs
 create mode 100644 scripts/hostname/nfs1/20-shares
 create mode 100644 scripts/hostname/nfs1/30-autofs

diff --git a/files/etc/cron.d/poudriere.pkg_server b/files/etc/cron.d/poudriere.pkg_server
new file mode 100644
index 0000000..57d9dac
--- /dev/null
+++ b/files/etc/cron.d/poudriere.pkg_server
@@ -0,0 +1 @@
+@weekly root lockf -t 0 /tmp/poudriere-cron.lock /usr/local/libexec/poudriere-cron $(echo "$poudriere_versions" | tr . _)
diff --git a/files/etc/cron.d/zfs-trim.freebsd b/files/etc/cron.d/zfs-trim.freebsd
index 64b07b9..80e0cd5 100644
--- a/files/etc/cron.d/zfs-trim.freebsd
+++ b/files/etc/cron.d/zfs-trim.freebsd
@@ -1,3 +1 @@
-SHELL=/bin/sh
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
-@weekly root zfs list -Ho name | xargs -r -n1 zpool trim
+@weekly root zpool list -Ho name | xargs -r -n1 zpool trim
diff --git a/files/usr/local/libexec/poudriere-cron.pkg_repository b/files/usr/local/libexec/poudriere-cron.pkg_repository
index b79535b..f7a5c1c 100644
--- a/files/usr/local/libexec/poudriere-cron.pkg_repository
+++ b/files/usr/local/libexec/poudriere-cron.pkg_repository
@@ -16,7 +16,7 @@ done
 
 for jail in "$@"; do
   poudriere jail -u -j "$jail" > /dev/null
-  poudriere bulk -j "$jail" -f  /usr/local/etc/poudriere.d/pkglist-idm -p "$ports_tree" -z idm > /dev/null
+  poudriere bulk -j "$jail" -f  /usr/local/etc/poudriere.d/idm-pkglist -p "$ports_tree" -z idm > /dev/null
   poudriere bulk -j "$jail" -f  /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" > /dev/null
 done
 
diff --git a/lib/30-files b/lib/30-files
index 767bbeb..4ba6587 100644
--- a/lib/30-files
+++ b/lib/30-files
@@ -179,3 +179,12 @@ install_ca_certificate(){
   install -m "$_bcicc_mode" $_bcicc_install_args "${BOXCONF_CA_DIR}/ca.crt" "$1"
   log "installed root CA to ${1}"
 }
+
+set_facl(){
+  # Replaces the NFSv4 ACL on a file with the specified ACL list.
+  # $1 = path
+  # $2-$N = ACL entries
+  [ "$BOXCONF_OS" = freebsd ] || bug 'set_facl only supported on FreeBSD'
+  _bcsetfacl_path=$1; shift
+  setfacl -b -a 0 "$(join ',' "$@")" "$_bcsetfacl_path"
+}
diff --git a/scripts/hostclass/nfs_server b/scripts/hostclass/nfs_server
index ec06bfe..a775859 100644
--- a/scripts/hostclass/nfs_server
+++ b/scripts/hostclass/nfs_server
@@ -13,6 +13,9 @@ nfs_dataset="${state_dataset}/nfs"
 # Create ZFS dataset for NFS share.
 create_dataset -o "mountpoint=${nfs_root}" "${nfs_dataset}"
 
+# Allow NFSv4 ACLs to propagate.
+zfs set aclinherit=passthrough aclmode=passthrough "$nfs_dataset"
+
 # Create nfs service principal and keytab.
 add_principal -nokey -x "containerdn=${services_basedn}" "nfs/${fqdn}"
 ktadd -k "${keytab_dir}/host.keytab" "nfs/${fqdn}"
diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository
index 7226b77..969dff7 100644
--- a/scripts/hostclass/pkg_repository
+++ b/scripts/hostclass/pkg_repository
@@ -99,8 +99,7 @@ install_directory -m 0555 "${poudriere_data_dir}/data/packages/poudriere"
 
 # Create cron job to update packages automatically.
 install_file -m 0555 /usr/local/libexec/poudriere-cron
-echo "@weekly root lockf -t 0 /tmp/poudriere-cron.lock /usr/local/libexec/poudriere-cron $(echo "$poudriere_versions" | tr . _)" \
-  | tee /etc/cron.d/poudriere
+install_file -m 0644 /etc/cron.d/poudriere
 
 # Now that we have a valid repo, switch the pkg repo to the local filesystem.
 install_directory -m 0755 \
diff --git a/scripts/hostname/nfs1 b/scripts/hostname/nfs1
deleted file mode 100644
index 673c7a9..0000000
--- a/scripts/hostname/nfs1
+++ /dev/null
@@ -1,134 +0,0 @@
-#!/bin/sh
-
-nfs_mount_opts='-nfsv4,gssname=host,sec=krb5p'
-
-default_priv_quota=250G
-default_pub_quota=10G
-
-# Add /home autofs map.
-ldap_add "automountKey=/home,automountMapName=auto_master,${automount_basedn}" <<EOF
-objectClass: automount
-automountKey: /home
-automountInformation: auto_home ${nfs_mount_opts}
-EOF
-ldap_add "automountMapName=auto_home,${automount_basedn}" <<EOF
-objectClass: automountMap
-automountMapName: auto_home
-EOF
-ldap_add "automountKey=*,automountMapName=auto_home,${automount_basedn}" <<EOF
-objectClass: automount
-automountKey: *
-automountInformation: ${fqdn}:/user/&/priv
-EOF
-
-# Create /- (direct) autofs map
-ldap_add "automountKey=/-,automountMapName=auto_master,${automount_basedn}" <<EOF
-objectClass: automount
-automountKey: /-
-automountInformation: auto_direct ${nfs_mount_opts}
-EOF
-ldap_add "automountMapName=auto_direct,${automount_basedn}" <<EOF
-objectClass: automountMap
-automountMapName: auto_direct
-EOF
-
-# Create /nfs/user autofs map.
-ldap_add "automountKey=/nfs/user,automountMapName=auto_master,${automount_basedn}" <<EOF
-objectClass: automount
-automountKey: /nfs/user
-automountInformation: auto_user ${nfs_mount_opts}
-EOF
-ldap_add "automountMapName=auto_user,${automount_basedn}" <<EOF
-objectClass: automountMap
-automountMapName: auto_user
-EOF
-
-# Create user home directories.
-for userquota in ${nfs_homedirs:-}; do
-  user=$(echo "$userquota" | awk -F: '{print $1}')
-  privquota=$(echo "$userquota" | awk -F: '{print $2}')
-  pubquota=$(echo "$userquota" | awk -F: '{print $3}')
-
-  create_dataset -p "${nfs_dataset}/user/${user}/priv"
-  create_dataset -p "${nfs_dataset}/user/${user}/pub"
-
-  zfs set "refquota=${privquota:-$default_priv_quota}" "${nfs_dataset}/user/${user}/priv"
-  zfs set "refquota=${pubquota:-$default_pub_quota}"   "${nfs_dataset}/user/${user}/pub"
-
-  chown "${user}:${user}" \
-    "${nfs_root}/user/${user}/priv" \
-    "${nfs_root}/user/${user}/pub"
-
-  chmod 700 "${nfs_root}/user/${user}/priv"
-  chmod 755 "${nfs_root}/user/${user}/pub"
-
-  # Create user autofs key.
-  ldap_add "automountKey=${user},automountMapName=auto_user,${automount_basedn}" <<EOF
-objectClass: automount
-automountKey: ${user}
-automountInformation: /priv ${fqdn}:/user/&/priv /pub ${fqdn}:/user/&/pub
-EOF
-done
-
-# Add /nfs/group autofs map.
-ldap_add "automountKey=/nfs/group,automountMapName=auto_master,${automount_basedn}" <<EOF
-objectClass: automount
-automountKey: /nfs/group
-automountInformation: auto_group ${nfs_mount_opts}
-EOF
-ldap_add "automountMapName=auto_group,${automount_basedn}" <<EOF
-objectClass: automountMap
-automountMapName: auto_group
-EOF
-
-# Create group home directories.
-for groupquota in ${nfs_groupdirs:-}; do
-  group=$(echo "$groupquota" | awk -F: '{print $1}')
-  privquota=$(echo "$groupquota" | awk -F: '{print $2}')
-  pubquota=$(echo "$groupquota" | awk -F: '{print $3}')
-
-  create_dataset -p "${nfs_dataset}/group/${group}/priv"
-  create_dataset -p "${nfs_dataset}/group/${group}/pub"
-
-  zfs set "refquota=${privquota:-$default_priv_quota}" "${nfs_dataset}/group/${group}/priv"
-  zfs set "refquota=${pubquota:-$default_pub_quota}"   "${nfs_dataset}/group/${group}/pub"
-
-  chown "root:${group}" \
-    "${nfs_root}/group/${group}/priv" \
-    "${nfs_root}/group/${group}/pub"
-
-  chmod 770 "${nfs_root}/group/${group}/priv"
-  chmod 775 "${nfs_root}/group/${group}/pub"
-
-  # Create group autofs key.
-  ldap_add "automountKey=${group},automountMapName=auto_group,${automount_basedn}" <<EOF
-objectClass: automount
-automountKey: ${group}
-automountInformation: /priv ${fqdn}:/group/&/priv /pub ${fqdn}:/group/&/pub
-EOF
-done
-
-# Add /nfs/media autofs map.
-ldap_add "automountMapName=auto_media,${automount_basedn}" <<EOF
-objectClass: automountMap
-automountMapName: auto_media
-EOF
-ldap_add "automountKey=/nfs/media,automountMapName=auto_master,${automount_basedn}" <<EOF
-objectClass: automount
-automountKey: /nfs/media
-automountInformation: auto_media ${nfs_mount_opts}
-EOF
-
-# Create music dataset.
-create_dataset -p "${nfs_dataset}/media/music"
-
-# Set music ACLs.
-chgrp media-admin "${nfs_root}/media/music"
-chmod 770 "${nfs_root}/media/music"
-
-# Create music autofs key.
-ldap_add "automountKey=music,automountMapName=auto_media,${automount_basedn}" <<EOF
-objectClass: automount
-automountKey: music
-automountInformation: ${fqdn}:/media/music
-EOF
diff --git a/scripts/hostname/nfs1/10-homedirs b/scripts/hostname/nfs1/10-homedirs
new file mode 100644
index 0000000..f2cd25c
--- /dev/null
+++ b/scripts/hostname/nfs1/10-homedirs
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+default_priv_quota=250G
+default_pub_quota=10G
+
+# Create user home directories.
+for userquota in ${nfs_homedirs:-}; do
+  user=$(echo "$userquota" | awk -F: '{print $1}')
+  privquota=$(echo "$userquota" | awk -F: '{print $2}')
+  pubquota=$(echo "$userquota" | awk -F: '{print $3}')
+
+  create_dataset -p "${nfs_dataset}/user/${user}/priv"
+  create_dataset -p "${nfs_dataset}/user/${user}/pub"
+
+  zfs set "refquota=${privquota:-$default_priv_quota}" "${nfs_dataset}/user/${user}/priv"
+  zfs set "refquota=${pubquota:-$default_pub_quota}"   "${nfs_dataset}/user/${user}/pub"
+
+  chown "${user}:${user}" \
+    "${nfs_root}/user/${user}/priv" \
+    "${nfs_root}/user/${user}/pub"
+
+  chmod 700 "${nfs_root}/user/${user}/priv"
+  chmod 755 "${nfs_root}/user/${user}/pub"
+done
+
+# Create group home directories.
+for groupquota in ${nfs_groupdirs:-}; do
+  group=$(echo "$groupquota" | awk -F: '{print $1}')
+  privquota=$(echo "$groupquota" | awk -F: '{print $2}')
+  pubquota=$(echo "$groupquota" | awk -F: '{print $3}')
+
+  create_dataset -p "${nfs_dataset}/group/${group}/priv"
+  create_dataset -p "${nfs_dataset}/group/${group}/pub"
+
+  zfs set "refquota=${privquota:-$default_priv_quota}" "${nfs_dataset}/group/${group}/priv"
+  zfs set "refquota=${pubquota:-$default_pub_quota}"   "${nfs_dataset}/group/${group}/pub"
+
+  chown "root:${group}" \
+    "${nfs_root}/group/${group}/priv" \
+    "${nfs_root}/group/${group}/pub"
+
+  chmod 770 "${nfs_root}/group/${group}/priv"
+  chmod 775 "${nfs_root}/group/${group}/pub"
+
+  for sub in priv pub; do
+    set_facl "${nfs_root}/group/${group}/${sub}" \
+       group:${group}:rwpDdaARWcs:fd:allow \
+       group:${group}:x:d:allow
+  done
+done
diff --git a/scripts/hostname/nfs1/20-shares b/scripts/hostname/nfs1/20-shares
new file mode 100644
index 0000000..ef013cc
--- /dev/null
+++ b/scripts/hostname/nfs1/20-shares
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# media/music
+create_dataset -p "${nfs_dataset}/media/music"
+chgrp media-admin "${nfs_root}/media/music"
+chmod 2770 "${nfs_root}/media/music"
+set_facl "${nfs_root}/media/music" \
+   group:media-admin:rwpDdaARWcs:fd:allow \
+   group:media-admin:x:d:allow \
+   group:media-access:raRcs:fd:allow \
+   group:media-access:x:d:allow
diff --git a/scripts/hostname/nfs1/30-autofs b/scripts/hostname/nfs1/30-autofs
new file mode 100644
index 0000000..0393acc
--- /dev/null
+++ b/scripts/hostname/nfs1/30-autofs
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+nfs_mount_opts='-nfsv4,gssname=host,sec=krb5p'
+
+# /home: auto_home
+ldap_add "automountKey=/home,automountMapName=auto_master,${automount_basedn}" <<EOF
+objectClass: automount
+automountKey: /home
+automountInformation: auto_home ${nfs_mount_opts}
+EOF
+ldap_add "automountMapName=auto_home,${automount_basedn}" <<EOF
+objectClass: automountMap
+automountMapName: auto_home
+EOF
+
+# auto_home: *
+ldap_add "automountKey=*,automountMapName=auto_home,${automount_basedn}" <<EOF
+objectClass: automount
+automountKey: *
+automountInformation: ${fqdn}:/user/&/priv
+EOF
+
+# /nfs/user: auto_user
+ldap_add "automountKey=/nfs/user,automountMapName=auto_master,${automount_basedn}" <<EOF
+objectClass: automount
+automountKey: /nfs/user
+automountInformation: auto_user ${nfs_mount_opts}
+EOF
+ldap_add "automountMapName=auto_user,${automount_basedn}" <<EOF
+objectClass: automountMap
+automountMapName: auto_user
+EOF
+
+# auto_user: $user/{pub,priv}
+for userquota in ${nfs_homedirs:-}; do
+  user=$(echo "$userquota" | awk -F: '{print $1}')
+  ldap_add "automountKey=${user},automountMapName=auto_user,${automount_basedn}" <<EOF
+objectClass: automount
+automountKey: ${user}
+automountInformation: /priv ${fqdn}:/user/&/priv /pub ${fqdn}:/user/&/pub
+EOF
+done
+
+# /nfs/group: auto_group
+ldap_add "automountKey=/nfs/group,automountMapName=auto_master,${automount_basedn}" <<EOF
+objectClass: automount
+automountKey: /nfs/group
+automountInformation: auto_group ${nfs_mount_opts}
+EOF
+ldap_add "automountMapName=auto_group,${automount_basedn}" <<EOF
+objectClass: automountMap
+automountMapName: auto_group
+EOF
+
+# auto_group: $group/{pub,priv}
+for groupquota in ${nfs_groupdirs:-}; do
+  group=$(echo "$groupquota" | awk -F: '{print $1}')
+  ldap_add "automountKey=${group},automountMapName=auto_group,${automount_basedn}" <<EOF
+objectClass: automount
+automountKey: ${group}
+automountInformation: /priv ${fqdn}:/group/&/priv /pub ${fqdn}:/group/&/pub
+EOF
+done
+
+# /nfs/media: auto_media
+ldap_add "automountMapName=auto_media,${automount_basedn}" <<EOF
+objectClass: automountMap
+automountMapName: auto_media
+EOF
+ldap_add "automountKey=/nfs/media,automountMapName=auto_master,${automount_basedn}" <<EOF
+objectClass: automount
+automountKey: /nfs/media
+automountInformation: auto_media ${nfs_mount_opts}
+EOF
+
+# auto_media: music
+ldap_add "automountKey=music,automountMapName=auto_media,${automount_basedn}" <<EOF
+objectClass: automount
+automountKey: music
+automountInformation: ${fqdn}:/media/music
+EOF
-- 
cgit v1.2.3