From a1bddcb1de1053994fb445267ca5d1ffaecb0fb5 Mon Sep 17 00:00:00 2001
From: Cullum Smith
Date: Thu, 3 Oct 2024 22:38:06 -0400
Subject: more postfix/rspamd stuff
---
files/usr/local/etc/mail/mailer.conf.smtp_server | 7 +++
files/usr/local/etc/nginx/acme.conf.common | 4 --
files/usr/local/etc/nginx/nginx.conf-acme | 55 ----------------
files/usr/local/etc/nginx/nginx.conf.common | 26 +++++++-
files/usr/local/etc/nginx/nginx.conf.smtp_server | 1 -
files/usr/local/etc/nginx/vhosts.conf.smtp_server | 13 ++--
files/usr/local/etc/postfix/main.cf.smtp_server | 7 +--
.../local/etc/poudriere.d/make.conf.pkg_repository | 6 +-
.../postgresql16-gssapi.patch.pkg_repository | 73 ++++++++++++++++++++++
.../local/etc/poudriere.d/pkglist.pkg_repository | 16 +++++
10 files changed, 137 insertions(+), 71 deletions(-)
create mode 100644 files/usr/local/etc/mail/mailer.conf.smtp_server
delete mode 100644 files/usr/local/etc/nginx/acme.conf.common
delete mode 100644 files/usr/local/etc/nginx/nginx.conf-acme
delete mode 120000 files/usr/local/etc/nginx/nginx.conf.smtp_server
create mode 100644 files/usr/local/etc/poudriere.d/patches/postgresql16-gssapi.patch.pkg_repository
(limited to 'files/usr/local/etc')
diff --git a/files/usr/local/etc/mail/mailer.conf.smtp_server b/files/usr/local/etc/mail/mailer.conf.smtp_server
new file mode 100644
index 0000000..d15a587
--- /dev/null
+++ b/files/usr/local/etc/mail/mailer.conf.smtp_server
@@ -0,0 +1,7 @@
+#
+# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
+#
+sendmail /usr/local/sbin/sendmail
+send-mail /usr/local/sbin/sendmail
+mailq /usr/local/sbin/sendmail
+newaliases /usr/local/sbin/sendmail
diff --git a/files/usr/local/etc/nginx/acme.conf.common b/files/usr/local/etc/nginx/acme.conf.common
deleted file mode 100644
index 583ca98..0000000
--- a/files/usr/local/etc/nginx/acme.conf.common
+++ /dev/null
@@ -1,4 +0,0 @@
-location /.well-known/acme-challenge/ {
- root ${acme_webroot};
- default_type text/plain;
-}
diff --git a/files/usr/local/etc/nginx/nginx.conf-acme b/files/usr/local/etc/nginx/nginx.conf-acme
deleted file mode 100644
index d77c0de..0000000
--- a/files/usr/local/etc/nginx/nginx.conf-acme
+++ /dev/null
@@ -1,55 +0,0 @@
-worker_processes ${nginx_worker_processes};
-worker_rlimit_nofile ${nginx_nofile};
-
-events {
- worker_connections ${nginx_worker_connections};
-}
-
-http {
- include mime.types;
- default_type application/octet-stream;
- index index.html;
-
- aio threads;
- aio_write on;
- sendfile on;
- directio 4m;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- server_tokens off;
- client_max_body_size 5m;
- charset utf-8;
- gzip on;
- gzip_http_version 1.0;
- gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json image/svg+xml;
-
- proxy_buffers 64 32k;
- proxy_busy_buffers_size 64k;
- fastcgi_buffers 64 32k;
-
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
- ssl_protocols TLSv1.3;
- ssl_prefer_server_ciphers off;
-
- map \$http_upgrade \$connection_upgrade {
- default upgrade;
- '' keep-alive;
- }
-
- server {
- listen 0.0.0.0:80 default_server;
- listen [::]:80 default_server;
-
- include acme.conf;
-
- location / {
- return 301 https://\$host\$request_uri;
- }
- }
-
- include vhost*.conf;
-}
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
index b0a9a06..9ab993c 100644
--- a/files/usr/local/etc/nginx/nginx.conf.common
+++ b/files/usr/local/etc/nginx/nginx.conf.common
@@ -1,5 +1,6 @@
 worker_processes ${nginx_worker_processes};
 worker_rlimit_nofile ${nginx_nofile};
+$([ "${nginx_gssapi:-}" = true ] && echo 'load_module "/usr/local/libexec/nginx/ngx_http_auth_spnego_module.so";')
 events {
 worker_connections ${nginx_worker_connections};
@@ -40,5 +41,28 @@ http {
 '' keep-alive;
 }
- include vhosts.conf;
+$([ "${nginx_gssapi:-}" = true ] && cat <=TLSv1.2
 smtpd_tls_mandatory_ciphers = medium
-smtpd_tls_dh1024_param_file = ${postfix_dhparams}
 smtpd_tls_loglevel = 1
 smtpd_sasl_security_options = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 smtpd_helo_required = yes
-smtp_tls_CApath = ${system_ca_dir}
+smtp_tls_CApath = ${system_cacert_path}
 smtp_tls_security_level = may
 smtp_tls_session_cache_database = btree:\$data_directory/smtp_scache
 smtp_tls_loglevel = 1
-lmtp_tls_CApath = ${system_ca_dir}
+lmtp_tls_CApath = ${system_cacert_path}
 lmtp_tls_security_level = encrypt
 lmtp_tls_wrappermode = yes
 lmtp_tls_session_cache_database = btree:\$data_directory/lmtp_scache
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
index b0ae948..6dbbafc 100644
--- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -10,8 +10,9 @@ OPTIONS_SET=GSSAPI GSSAPI_MIT MIT NONFREE LIBEDIT
 # Per-port options
 databases_akonadi_SET=MYSQL
 databases_luadbi_SET=PGSQL
-databases_postgresql15-client_SET=PAM
-databases_postgresql15-server_SET=PAM
+databases_postgresql${postgresql_version}-client_SET=PAM
+databases_postgresql${postgresql_version}-server_SET=PAM
+devel_apr1_SET=LDAP
 devel_gitolite_SET=GITUSER
 devel_kio-extras_UNSET=AFC
 devel_librelp_UNSET=GNUTLS
@@ -73,6 +74,7 @@ sysutils_htop_SET=LSOF
 sysutils_k3b_UNSET=EMOVIX VCDIMAGER
 sysutils_rsyslog8_SET=GSSAPI RELP OPENSSL
 sysutils_rsyslog8_UNSET=GCRYPT
+www_apache${apache_version}_SET=AUTHNZ_LDAP LDAP SUEXEC SUEXEC_SYSLOG
 www_chromium_SET=WIDEVINE
 www_firefox_UNSET=PROFILE JACK
 www_nginx_SET=HTTPV3 HTTPV3_QTLS HTTP_AUTH_KRB5 HTTP_AUTH_LDAP
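Review bot: The PostgreSQL port is now selected through `${postgresql_version}` on the two `databases_postgresql…_SET=PAM` lines, while the GSSAPI patch added by this same commit is pinned to `databases/postgresql16-server` and the global `OPTIONS_SET=GSSAPI GSSAPI_MIT` in the hunk header depends on the option names that patch introduces. If the variable is ever set to another major version, the build would presumably proceed against the unpatched port and the GSSAPI_MIT selection would have no effect; how the patches directory is applied is not visible here, so the tooling may already guard against that. A comment beside these lines would make the coupling explicit, e.g. `# postgresql${postgresql_version} depends on patches/postgresql16-gssapi.patch; keep both in sync`.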
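Review bot: The added `www_apache${apache_version}_SET=AUTHNZ_LDAP LDAP SUEXEC SUEXEC_SYSLOG` line turns on SUEXEC, which builds and installs the setuid-root suexec helper, and nothing in the file records why it is needed; the pkglist in this commit adds `www/mod_php${php_version}`, which does not use suexec (it only applies to CGI/SSI executed under a different user). If suexec is not actually required by the intended vhosts, dropping `SUEXEC SUEXEC_SYSLOG` removes a setuid binary from every host that installs the package; if it is required, a one-line comment such as `# SUEXEC: needed for per-user CGI; keep in sync with httpd.conf` documents the decision. The `LDAP`/`AUTHNZ_LDAP` part is consistent with `devel_apr1_SET=LDAP` added in the hunk above.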
diff --git a/files/usr/local/etc/poudriere.d/patches/postgresql16-gssapi.patch.pkg_repository b/files/usr/local/etc/poudriere.d/patches/postgresql16-gssapi.patch.pkg_repository
new file mode 100644
index 0000000..0cf4e61
--- /dev/null
+++ b/files/usr/local/etc/poudriere.d/patches/postgresql16-gssapi.patch.pkg_repository
@@ -0,0 +1,73 @@
+--- databases/postgresql16-server/Makefile 2024-10-03 10:26:11.600924000 -0400
++++ databases/postgresql16-server/Makefile 2024-10-03 10:46:16.602335000 -0400
+@@ -119,12 +119,15 @@
+
+ .if !defined(SLAVE_ONLY)
+ OPTIONS_DEFINE+= NLS PAM GSSAPI OPTIMIZED_CFLAGS DEBUG DOCS
+-KRB5_DESC= Build with kerberos provider support
++OPTIONS_SINGLE+= GSSAPI
++OPTIONS_SINGLE_GSSAPI= GSSAPI_NONE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
++OPTIONS_DEFAULT+= GSSAPI_NONE
++GSSAPI_NONE_DESC= Build without GSSAPI support
++GSSAPI_BASE_DESC= Use GSSAPI from base
++GSSAPI_HEIMDAL_DESC= Use Heimdal GSSAPI from security/heimdal
++GSSAPI_MIT_DESC= Use MIT GSSAPI from security/krb5
+ NLS_DESC= Use internationalized messages
+ PAM_DESC= Build with PAM Support
+-MIT_KRB5_DESC= Build with MIT kerberos support
+-HEIMDAL_KRB5_DESC= Builds with Heimdal kerberos
+-GSSAPI_DESC= Build with GSSAPI support
+ OPTIMIZED_CFLAGS_DESC= Builds with compiler optimizations (-O3)
+
+ OPTIONS_DEFINE+= SSL
+@@ -132,7 +135,12 @@
+
+ OPTIONS_DEFAULT+= SSL
+
+-GSSAPI_CONFIGURE_WITH= gssapi
++GSSAPI_BASE_USES= gssapi:base
++GSSAPI_MIT_USES= gssapi:mit
++GSSAPI_HEIMDAL_USES= gssapi:heimdal,flags
++GSSAPI_BASE_CONFIGURE_ON= --with-gssapi
++GSSAPI_MIT_CONFIGURE_ON= --with-gssapi
++GSSAPI_HEIMDAL_CONFIGURE_ON= --with-gssapi
+ .endif # !SLAVE_ONLY
+
+ SSL_USES= ssl
+@@ -175,36 +183,7 @@
+ .endif
+
+ .if !defined(SLAVE_ONLY)
+-
+ PATCH_DIST_STRIP=-p1
+-
+-.if ${PORT_OPTIONS:MGSSAPI}
+-.if empty(PORT_OPTIONS:MMIT_KRB5) && empty(PORT_OPTIONS:MHEIMDAL_KRB5)
+-# Kerberos libraries will pull the proper GSSAPI library
+-# via linker dependencies, but otherwise we must specify
+-# it explicitely: ld --as-needed is used for compilation,
+-# so configure's -lgssapi_krb5 won't go.
+-LDFLAGS+= -lgssapi
+-LDFLAGS_SL+= -lgssapi
+-.endif
+-.endif
+-
+-. if ${PORT_OPTIONS:MMIT_KRB5}
+-.
if defined(IGNORE_WITH_SRC_KRB5) && (exists(/usr/lib/libkrb5.so) || exists(/usr/bin/krb5-config))
+-IGNORE= requires that you remove heimdal\'s /usr/bin/krb5-config and /usr/lib/libkrb5.so*, and set NO_KERBEROS=true in /etc/src.conf to build successfully with MIT-KRB
+-. else
+-CONFIGURE_ARGS+=--with-krb5
+-# Allow defining a home built MIT Kerberos by setting KRB5_HOME
+-. if defined(KRB5_HOME) && exists(${KRB5_HOME}/lib/libgssapi_krb5.a) && exists(${KRB5_HOME}/bin/krb5-config)
+-LIB_DEPENDS+= libkrb5.so.3:security/krb5
+-. endif
+-. endif
+-. endif
+-
+-. if ${PORT_OPTIONS:MHEIMDAL_KRB5}
+-CONFIGURE_ARGS+=--with-krb5
+-. endif
+-
+ .endif # !SLAVE_ONLY
+
+ # For testing files in FILESDIR
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index 4a54ec5..5e95f8c 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -1,13 +1,21 @@
+converters/php${php_version}-iconv
+databases/php${php_version}-pdo_pgsql
+databases/php${php_version}-pgsql
+databases/postgresql${postgresql_version}-client
+databases/postgresql${postgresql_version}-server
 databases/redis
 devel/ccache
 devel/git@lite
+devel/php${php_version}-gettext
 dns/bind-tools
 dns/nsd
 dns/powerdns
 dns/unbound
 editors/vim@console
 editors/vim@tiny
+ftp/php${php_version}-curl
 lang/python
+lang/php${php_version}
 mail/dovecot
 mail/dovecot-pigeonhole
 mail/isync
@@ -15,10 +23,12 @@ mail/mutt
 mail/postfix
 mail/rspamd
 mail/sieve-connect
+misc/php${php_version}-calendar
 net/nss-pam-ldapd-sasl
 net/openldap26-client
 net/openldap26-server
 net/p5-perl-ldap
+net/php${php_version}-ldap
 net/py-python-ldap
 net/rsync
 ports-mgmt/poudriere
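Review bot: The inner patch turns GSSAPI into an `OPTIONS_SINGLE` group but leaves `GSSAPI` in the context line `OPTIONS_DEFINE+= NLS PAM GSSAPI OPTIMIZED_CFLAGS DEBUG DOCS` while removing `GSSAPI_CONFIGURE_WITH= gssapi`, the only thing that consumed it, so it appears to become a dead toggle that shares the name of the group and that `OPTIONS_SET=GSSAPI` in make.conf still selects. Dropping it, `OPTIONS_DEFINE+= NLS PAM OPTIMIZED_CFLAGS DEBUG DOCS`, keeps the options menu honest. Separately, only the Heimdal choice passes `flags` to USES=gssapi, whereas `gssapi:mit` and `gssapi:base` get no GSSAPICPPFLAGS/GSSAPILDFLAGS and the explicit `LDFLAGS+= -lgssapi` workaround is removed at the same time; if configure's `-lgssapi_krb5` probe cannot find the MIT libraries under ${LOCALBASE}, `GSSAPI_MIT_USES= gssapi:mit,flags` is the matching one-line fix. The removed `IGNORE=` guard against the base-system `/usr/bin/krb5-config` shadowing MIT's goes away too, so on a host with both installed the build links whichever the toolchain finds first — worth checking the configure log once to confirm it picks security/krb5.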
@@ -39,4 +49,10 @@ sysutils/pwgen
 sysutils/stow
 sysutils/tmux
 sysutils/tree
+textproc/php${php_version}-xml
+www/apache${apache_version}
+www/mod_auth_gssapi
+www/mod_php${php_version}
 www/nginx
+www/php${php_version}-opcache
+www/php${php_version}-session
--
cgit v1.2.3
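Review bot: `www/mod_php${php_version}` runs the interpreter inside httpd, which forces the prefork MPM and executes every PHP vhost as the single httpd user with no per-application separation; `lang/php${php_version}` added in the first hunk of this file already provides php-fpm (the FPM option is on by default in the FreeBSD port, if I recall correctly), and a proxy_fcgi setup gives per-pool users and keeps a threaded MPM. If in-process PHP is deliberate, a short comment on the line, `# mod_php: in-process PHP wanted for <reason>; php-fpm would allow per-vhost users`, records the trade-off. `www/mod_auth_gssapi` next to it is consistent with the `GSSAPI_MIT` selection in make.conf.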