From 145668c3dd67c5271eddcb62d1e7843487d768a7 Mon Sep 17 00:00:00 2001 From: Cullum Smith Date: Tue, 15 Oct 2024 23:35:53 -0400 Subject: huge amount of fixes --- .../local/etc/nginx/vhosts.conf.invidious_server | 22 ++++++ .../usr/local/etc/nginx/vhosts.conf.pkg_repository | 7 +- files/usr/local/etc/openldap/ldap.conf.common | 1 + files/usr/local/etc/openldap/ldap.conf.idm_server | 1 + .../etc/polkit-1/rules.d/51-desktop.rules.desktop | 8 +++ .../local/etc/poudriere.d/make.conf.pkg_repository | 4 +- .../patches/chromium-gssapi.patch.pkg_repository | 54 +++++++++++++++ .../local/etc/poudriere.d/pkglist.pkg_repository | 57 +++++++++++++-- .../etc/raddb/mods-available/eap.radius_server | 42 ++++++++++++ .../usr/local/etc/raddb/radiusd.conf.radius_server | 80 ++++++++++++++++++++++ .../usr/local/etc/rc.d/invidious.invidious_server | 41 +++++++++++ files/usr/local/etc/sddm.conf.common | 9 +++ files/usr/local/etc/ssh/sshd_config.freebsd | 2 + 13 files changed, 320 insertions(+), 8 deletions(-) create mode 100644 files/usr/local/etc/nginx/vhosts.conf.invidious_server create mode 100644 files/usr/local/etc/polkit-1/rules.d/51-desktop.rules.desktop create mode 100644 files/usr/local/etc/poudriere.d/patches/chromium-gssapi.patch.pkg_repository create mode 100644 files/usr/local/etc/raddb/mods-available/eap.radius_server create mode 100644 files/usr/local/etc/raddb/radiusd.conf.radius_server create mode 100644 files/usr/local/etc/rc.d/invidious.invidious_server create mode 100644 files/usr/local/etc/sddm.conf.common (limited to 'files/usr/local/etc') diff --git a/files/usr/local/etc/nginx/vhosts.conf.invidious_server b/files/usr/local/etc/nginx/vhosts.conf.invidious_server new file mode 100644 index 0000000..35947dc --- /dev/null +++ b/files/usr/local/etc/nginx/vhosts.conf.invidious_server @@ -0,0 +1,22 @@ +server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + http2 on; + + ssl_certificate ${invidious_https_cert}; + ssl_certificate_key ${invidious_https_key}; + + add_header Strict-Transport-Security "max-age=63072000" always; + + location / { + proxy_http_version 1.1; + proxy_set_header Connection ""; + + proxy_set_header Host \$host; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + + proxy_pass http://127.0.0.1:${invidious_port}; + } +} diff --git a/files/usr/local/etc/nginx/vhosts.conf.pkg_repository b/files/usr/local/etc/nginx/vhosts.conf.pkg_repository index 8177626..73c5754 100644 --- a/files/usr/local/etc/nginx/vhosts.conf.pkg_repository +++ b/files/usr/local/etc/nginx/vhosts.conf.pkg_repository @@ -1,9 +1,14 @@ server { listen 0.0.0.0:80 default_server; - listen [::]:80 default_server; + listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; server_name ${fqdn}; root ${poudriere_data_dir}/data/packages; + ssl_certificate ${poudriere_https_cert}; + ssl_certificate_key ${poudriere_https_key}; + include mime.types; types { text/plain log; diff --git a/files/usr/local/etc/openldap/ldap.conf.common b/files/usr/local/etc/openldap/ldap.conf.common index 22b20bb..af1781e 100644 --- a/files/usr/local/etc/openldap/ldap.conf.common +++ b/files/usr/local/etc/openldap/ldap.conf.common @@ -12,3 +12,4 @@ USERS_BASE ${users_basedn} GROUPS_BASE ${groups_basedn} HOSTS_BASE ${hosts_basedn} ROLES_BASE ${roles_basedn} +AUTOMOUNT_BASE ${automount_basedn} diff --git a/files/usr/local/etc/openldap/ldap.conf.idm_server b/files/usr/local/etc/openldap/ldap.conf.idm_server index 4c7a929..aa6f8c9 100644 --- a/files/usr/local/etc/openldap/ldap.conf.idm_server +++ b/files/usr/local/etc/openldap/ldap.conf.idm_server @@ -12,3 +12,4 @@ USERS_BASE ${users_basedn} GROUPS_BASE ${groups_basedn} HOSTS_BASE ${hosts_basedn} ROLES_BASE ${roles_basedn} +AUTOMOUNT_BASE ${automount_basedn} diff --git a/files/usr/local/etc/polkit-1/rules.d/51-desktop.rules.desktop b/files/usr/local/etc/polkit-1/rules.d/51-desktop.rules.desktop new file mode 100644 index 0000000..d57c4b9 --- /dev/null +++ b/files/usr/local/etc/polkit-1/rules.d/51-desktop.rules.desktop @@ -0,0 +1,8 @@ +polkit.addRule(function (action, subject) { + if ((action.id == "org.freedesktop.consolekit.system.restart" || + action.id == "org.freedesktop.consolekit.system.stop" || + action.id == "org.freedesktop.consolekit.system.suspend") + && subject.isInGroup("${desktop_access_role}")) { + return polkit.Result.YES; + } +}); diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository index 6ef6f4a..7c69474 100644 --- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository +++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository @@ -10,8 +10,8 @@ OPTIONS_SET=GSSAPI GSSAPI_MIT MIT NONFREE LIBEDIT # Per-port options databases_akonadi_SET=MYSQL databases_luadbi_SET=PGSQL -databases_postgresql${postgresql_version}-client_SET=PAM -databases_postgresql${postgresql_version}-server_SET=PAM +databases_postgresql${postgresql_version}-client_SET=PAM LDAP +databases_postgresql${postgresql_version}-server_SET=PAM LDAP devel_apr1_SET=LDAP devel_gitolite_SET=GITUSER devel_kio-extras_UNSET=AFC diff --git a/files/usr/local/etc/poudriere.d/patches/chromium-gssapi.patch.pkg_repository b/files/usr/local/etc/poudriere.d/patches/chromium-gssapi.patch.pkg_repository new file mode 100644 index 0000000..7cb0372 --- /dev/null +++ b/files/usr/local/etc/poudriere.d/patches/chromium-gssapi.patch.pkg_repository @@ -0,0 +1,54 @@ +--- www/chromium/Makefile 2024-10-14 22:31:01.044557000 -0400 ++++ www/chromium/Makefile 2024-10-14 22:37:11.304192000 -0400 +@@ -144,19 +144,20 @@ + SUB_FILES= chromium-browser.desktop chrome + SUB_LIST+= COMMENT="${COMMENT}" + +-OPTIONS_DEFINE= CODECS CUPS DEBUG DRIVER KERBEROS LTO PIPEWIRE TEST WIDEVINE +-OPTIONS_DEFAULT= CODECS CUPS DRIVER KERBEROS PIPEWIRE SNDIO ALSA PULSEAUDIO ++OPTIONS_DEFINE= CODECS CUPS DEBUG DRIVER LTO PIPEWIRE TEST WIDEVINE ++OPTIONS_DEFAULT= CODECS CUPS DRIVER KERBEROS PIPEWIRE SNDIO ALSA PULSEAUDIO GSSAPI_MIT + OPTIONS_EXCLUDE_aarch64=LTO + OPTIONS_GROUP= AUDIO + OPTIONS_GROUP_AUDIO= ALSA PULSEAUDIO SNDIO +-OPTIONS_RADIO= KERBEROS +-OPTIONS_RADIO_KERBEROS= HEIMDAL HEIMDAL_BASE MIT ++OPTIONS_SINGLE= KERBEROS ++OPTIONS_SINGLE_KERBEROS=GSSAPI_NONE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT + OPTIONS_SUB= yes + CODECS_DESC= Compile and enable patented codecs like H.264 + DRIVER_DESC= Install chromedriver +-HEIMDAL_BASE_DESC= Heimdal Kerberos (base) +-HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) +-MIT_DESC= MIT Kerberos (security/krb5) ++GSSAPI_NONE_DESC= Build without GSSAPI support ++GSSAPI_BASE_DESC= Use GSSAPI from base ++GSSAPI_HEIMDAL_DESC= Use Heimdal GSSAPI from security/heimdal ++GSSAPI_MIT_DESC= Use MIT GSSAPI from security/krb5 + + ALSA_LIB_DEPENDS= libasound.so:audio/alsa-lib + ALSA_RUN_DEPENDS= ${LOCALBASE}/lib/alsa-lib/libasound_module_pcm_oss.so:audio/alsa-plugins \ +@@ -189,16 +190,19 @@ + + DRIVER_MAKE_ARGS= chromedriver + +-HEIMDAL_LIB_DEPENDS= libkrb.so.26:security/heimdal +-KERBEROS_VARS= GN_ARGS+=use_kerberos=true +-KERBEROS_VARS_OFF= GN_ARGS+=use_kerberos=false ++GSSAPI_BASE_USES= gssapi ++GSSAPI_HEIMDAL_USES= gssapi:heimdal ++GSSAPI_MIT_USES= gssapi:mit ++GSSAPI_BASE_VARS= GN_ARGS+=use_kerberos=true ++GSSAPI_MIT_VARS= GN_ARGS+=use_kerberos=true ++GSSAPI_HEIMDAL_VARS= GN_ARGS+=use_kerberos=true ++GSSAPI_NONE_VARS= GN_ARGS+=use_kerberos=false + + LTO_VARS= GN_ARGS+=use_thin_lto=true \ + GN_ARGS+=thin_lto_enable_optimizations=true \ + WANTSPACE="14 GB" + LTO_VARS_OFF= GN_ARGS+=use_thin_lto=false + +-MIT_LIB_DEPENDS= libkrb.so.3:security/krb5 + + PIPEWIRE_DESC= Screen capture via PipeWire + PIPEWIRE_LIB_DEPENDS= libpipewire-0.3.so:multimedia/pipewire diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository index ec63f48..35b8f9a 100644 --- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository +++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository @@ -1,5 +1,11 @@ +archivers/7-zip archivers/php${php_version}-phar archivers/php${php_version}-zip +archivers/unzip +archivers/zip +audio/juk +audio/kid3 +audio/kmix converters/php${php_version}-iconv converters/php${php_version}-mbstring databases/luadbi @@ -11,25 +17,38 @@ databases/postgresql${postgresql_version}-client databases/postgresql${postgresql_version}-server databases/redis devel/ccache +devel/cgit devel/git@lite +devel/gitolite devel/php${php_version}-gettext devel/php${php_version}-intl devel/php${php_version}-pcntl devel/php${php_version}-tokenizer +devel/py-pip +devel/shards dns/bind-tools dns/nsd dns/powerdns dns/unbound +editors/libreoffice editors/vim@console editors/vim@tiny +finance/gnucash +finance/kmymoney ftp/php${php_version}-curl +graphics/ImageMagick7@nox11 +graphics/drm-kmod +graphics/p5-Image-ExifTool graphics/php${php_version}-exif graphics/php${php_version}-gd +irc/konversation irc/znc irc/znc-clientbuffer +java/eclipse java/openjdk21 -lang/python +lang/crystal lang/php${php_version} +lang/python mail/dovecot mail/dovecot-pigeonhole mail/isync @@ -38,27 +57,37 @@ mail/postfix mail/rspamd mail/sieve-connect misc/php${php_version}-calendar +multimedia/audacious +multimedia/libva-intel-media-driver +multimedia/makemkv +net-im/dino +net-im/gajim +net-im/prosody +net-im/prosody-modules +net-im/signal-desktop +net-mgmt/unifi8 net/asterisk18 +net/freeradius3 net/lualdap net/nss-pam-ldapd-sasl net/openldap26-client net/openldap26-server net/p5-perl-ldap net/php${php_version}-ldap +net/php${php_version}-sockets net/py-python-ldap net/rsync -net/php${php_version}-sockets net/turnserver -net-im/prosody -net-im/prosody-modules +net/wireguard-tools ports-mgmt/poudriere print/cups print/cups-filters security/acme.sh +security/bitwarden-cli security/cyrus-sasl2-saslauthd -security/kstart security/krb5@default security/krb5@ldap +security/kstart security/openssh-portable security/pam_krb5@mit security/pam_mkhomedir @@ -67,20 +96,38 @@ security/sshpass security/sudo security/vaultwarden sysutils/htop +sysutils/k3b sysutils/lsof sysutils/p5-Sys-Syslog +sysutils/password-store sysutils/php${php_version}-fileinfo sysutils/php${php_version}-posix sysutils/pwgen sysutils/stow sysutils/tmux sysutils/tree +textproc/hs-pandoc +textproc/jq textproc/p5-YAML textproc/php${php_version}-ctype textproc/php${php_version}-dom textproc/php${php_version}-simplexml textproc/php${php_version}-xml textproc/php${php_version}-xmlwriter +textproc/py-docutils +textproc/py-markdown +textproc/py-pygments +www/chromium +www/fcgiwrap +www/firefox +www/linux-widevine-cdm www/nginx www/php${php_version}-opcache www/php${php_version}-session +www/w3m +x11-fonts/terminus-font +x11-fonts/terminus-ttf +x11/kde5 +x11/sddm +x11/xev +x11/xorg diff --git a/files/usr/local/etc/raddb/mods-available/eap.radius_server b/files/usr/local/etc/raddb/mods-available/eap.radius_server new file mode 100644 index 0000000..5c1aafd --- /dev/null +++ b/files/usr/local/etc/raddb/mods-available/eap.radius_server @@ -0,0 +1,42 @@ +eap { + default_eap_type = tls + timer_expire = 60 + ignore_unknown_eap_types = yes + cisco_accounting_username_bug = no + max_sessions = \${max_requests} + + tls-config tls-common { + private_key_password = + private_key_file = ${freeradius_tls_key} + certificate_file = ${freeradius_tls_cert} + ca_file = ${site_cacert_path} + ca_path = \${cadir} + auto_chain = no + check_crl = no + cipher_list = "DEFAULT" + cipher_server_preference = no + tls_min_version = "1.2" + tls_max_version = "1.3" + ecdh_curve = "" + + cache { + enable = yes + lifetime = 24 # hours + name = "EAP module" + persist_dir = "${freeradius_tlscache_dir}" + store { + Tunnel-Private-Group-Id + } + } + + verify { } + + ocsp { + enable = no + } + } + + tls { + tls = tls-common + } +} diff --git a/files/usr/local/etc/raddb/radiusd.conf.radius_server b/files/usr/local/etc/raddb/radiusd.conf.radius_server new file mode 100644 index 0000000..cc5a7a3 --- /dev/null +++ b/files/usr/local/etc/raddb/radiusd.conf.radius_server @@ -0,0 +1,80 @@ +prefix = /usr/local +exec_prefix = \${prefix} +sysconfdir = \${prefix}/etc +localstatedir = /var +sbindir = \${exec_prefix}/sbin +logdir = /var/log +raddbdir = \${sysconfdir}/raddb +radacctdir = \${logdir}/radacct + +name = radiusd + +confdir = \${raddbdir} +modconfdir = \${confdir}/mods-config +certdir = \${confdir}/certs +cadir = \${confdir}/certs +run_dir = \${localstatedir}/run/\${name} + +db_dir = \${raddbdir} + +libdir = /usr/local/lib/freeradius-${freeradius_version} + +pidfile = \${run_dir}/\${name}.pid + +max_request_time = 30 + +cleanup_delay = 5 + +max_requests = 16384 + +hostname_lookups = no + +log { + destination = syslog + colourise = no + file = \${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = no + auth_goodpass = no + msg_denied = "You are already logged in - access denied" +} + +checkrad = \${sbindir}/checkrad + +ENV { } + +security { + allow_core_dumps = no + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +proxy_requests = yes +\$INCLUDE proxy.conf + +\$INCLUDE clients.conf + + +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 + auto_limit_acct = no +} + +modules { + \$INCLUDE mods-enabled/ +} + +instantiate { } + +policy { + \$INCLUDE policy.d/ +} + +\$INCLUDE sites-enabled/ diff --git a/files/usr/local/etc/rc.d/invidious.invidious_server b/files/usr/local/etc/rc.d/invidious.invidious_server new file mode 100644 index 0000000..44acbad --- /dev/null +++ b/files/usr/local/etc/rc.d/invidious.invidious_server @@ -0,0 +1,41 @@ +#!/bin/sh + +# PROVIDE: invidious +# REQUIRE: NETWORKING +# KEYWORD: shutdown + +. /etc/rc.subr + +name=invidious +rcvar=invidious_enable + +load_rc_config "$name" + +: ${invidious_enable:='NO'} +: ${invidious_dir:='/usr/local/invidious/invidious.git'} +: ${invidious_user='www'} +: ${invidious_syslog_priority:='info'} +: ${invidious_syslog_facility:='daemon'} + +invidious_syslog_tag=invidious + +invidious_chdir=$invidious_dir +pidfile=/var/run/invidious/invidious.pid +command=/usr/sbin/daemon + +command_args="-f \ +-s ${invidious_syslog_priority} \ +-l ${invidious_syslog_facility} \ +-T ${invidious_syslog_tag} \ +-p ${pidfile} \ +-t invidious \ +${invidious_dir}/invidious" + +procname="${invidious_dir}/invidious" +start_precmd=invidious_prestart + +invidious_prestart(){ + install -d -m 0755 -o ${invidious_user} /var/run/invidious +} + +run_rc_command "$1" diff --git a/files/usr/local/etc/sddm.conf.common b/files/usr/local/etc/sddm.conf.common new file mode 100644 index 0000000..09c2000 --- /dev/null +++ b/files/usr/local/etc/sddm.conf.common @@ -0,0 +1,9 @@ +[General] +DisplayServer = x11 + +[Wayland] +SessionDir = /dev/null + +[Users] +MinimumUid = ${sddm_min_uid} +MaximumUid = ${sddm_max_uid} diff --git a/files/usr/local/etc/ssh/sshd_config.freebsd b/files/usr/local/etc/ssh/sshd_config.freebsd index eca2276..0e0d730 100644 --- a/files/usr/local/etc/ssh/sshd_config.freebsd +++ b/files/usr/local/etc/ssh/sshd_config.freebsd @@ -13,4 +13,6 @@ GSSAPICleanupCredentials yes UsePAM yes UseDNS no +# TODO: require group to login? + Subsystem sftp /usr/local/libexec/sftp-server -- cgit v1.2.3