From 145668c3dd67c5271eddcb62d1e7843487d768a7 Mon Sep 17 00:00:00 2001 
From: Cullum Smith Date: Tue, 15 Oct 2024 23:35:53 -0400 Subject: huge amount of fixes --- .../local/etc/nginx/vhosts.conf.invidious_server | 22 ++++++ .../usr/local/etc/nginx/vhosts.conf.pkg_repository | 7 +- files/usr/local/etc/openldap/ldap.conf.common | 1 + files/usr/local/etc/openldap/ldap.conf.idm_server | 1 + .../etc/polkit-1/rules.d/51-desktop.rules.desktop | 8 +++ .../local/etc/poudriere.d/make.conf.pkg_repository | 4 +- .../patches/chromium-gssapi.patch.pkg_repository | 54 +++++++++++++++ .../local/etc/poudriere.d/pkglist.pkg_repository | 57 +++++++++++++-- .../etc/raddb/mods-available/eap.radius_server | 42 ++++++++++++ .../usr/local/etc/raddb/radiusd.conf.radius_server | 80 ++++++++++++++++++++++ .../usr/local/etc/rc.d/invidious.invidious_server | 41 +++++++++++ files/usr/local/etc/sddm.conf.common | 9 +++ files/usr/local/etc/ssh/sshd_config.freebsd | 2 + .../config/config.yml.invidious_server | 35 ++++++++++ files/usr/local/libexec/idm-autofs-map.common | 44 ++++++++++++ .../libexec/invidious-update.invidious_server | 48 +++++++++++++ .../local/libexec/pam-create-local-homedir.common | 10 +++ .../applications/signal-desktop.desktop.common | 12 ++++ .../local/www/davical/config/config.php.dav_server | 8 ++- 19 files changed, 475 insertions(+), 10 deletions(-) create mode 100644 files/usr/local/etc/nginx/vhosts.conf.invidious_server create mode 100644 files/usr/local/etc/polkit-1/rules.d/51-desktop.rules.desktop create mode 100644 files/usr/local/etc/poudriere.d/patches/chromium-gssapi.patch.pkg_repository create mode 100644 files/usr/local/etc/raddb/mods-available/eap.radius_server create mode 100644 files/usr/local/etc/raddb/radiusd.conf.radius_server create mode 100644 files/usr/local/etc/rc.d/invidious.invidious_server create mode 100644 files/usr/local/etc/sddm.conf.common create mode 100644 files/usr/local/invidious/invidious.git/config/config.yml.invidious_server create mode 100644 files/usr/local/libexec/idm-autofs-map.common create mode 100644 
files/usr/local/libexec/invidious-update.invidious_server create mode 100644 files/usr/local/libexec/pam-create-local-homedir.common create mode 100644 files/usr/local/override/applications/signal-desktop.desktop.common (limited to 'files/usr') diff --git a/files/usr/local/etc/nginx/vhosts.conf.invidious_server b/files/usr/local/etc/nginx/vhosts.conf.invidious_server new file mode 100644 index 0000000..35947dc --- /dev/null +++ b/files/usr/local/etc/nginx/vhosts.conf.invidious_server @@ -0,0 +1,22 @@ +server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + http2 on; + + ssl_certificate ${invidious_https_cert}; + ssl_certificate_key ${invidious_https_key}; + + add_header Strict-Transport-Security "max-age=63072000" always; + + location / { + proxy_http_version 1.1; + proxy_set_header Connection ""; + + proxy_set_header Host \$host; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + + proxy_pass http://127.0.0.1:${invidious_port}; + } +} diff --git a/files/usr/local/etc/nginx/vhosts.conf.pkg_repository b/files/usr/local/etc/nginx/vhosts.conf.pkg_repository index 8177626..73c5754 100644 --- a/files/usr/local/etc/nginx/vhosts.conf.pkg_repository +++ b/files/usr/local/etc/nginx/vhosts.conf.pkg_repository @@ -1,9 +1,14 @@ server { listen 0.0.0.0:80 default_server; - listen [::]:80 default_server; + listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; server_name ${fqdn}; root ${poudriere_data_dir}/data/packages; + ssl_certificate ${poudriere_https_cert}; + ssl_certificate_key ${poudriere_https_key}; + include mime.types; types { text/plain log; diff --git a/files/usr/local/etc/openldap/ldap.conf.common b/files/usr/local/etc/openldap/ldap.conf.common index 22b20bb..af1781e 100644 --- a/files/usr/local/etc/openldap/ldap.conf.common +++ b/files/usr/local/etc/openldap/ldap.conf.common 
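Review bot: The new Invidious vhost has no `server_name`, so the `default_server` catch-all on 443 answers for any hostname that reaches this box with the Invidious certificate and proxies it through, whereas the package-repository vhost in the same commit pins `server_name ${fqdn};`. I would add `server_name ${invidious_fqdn};` under the `listen` lines, reusing the variable the Invidious config.yml already uses for `domain`. No `ssl_protocols`/`ssl_ciphers` appear here either; if they are not set in the enclosing `http` block (not visible), nginx's compiled-in defaults apply, which is worth confirming for a host that advertises a two-year HSTS policy.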
@@ -12,3 +12,4 @@ USERS_BASE ${users_basedn}
 GROUPS_BASE ${groups_basedn}
 HOSTS_BASE ${hosts_basedn}
 ROLES_BASE ${roles_basedn}
+AUTOMOUNT_BASE ${automount_basedn}
diff --git a/files/usr/local/etc/openldap/ldap.conf.idm_server b/files/usr/local/etc/openldap/ldap.conf.idm_server
index 4c7a929..aa6f8c9 100644
--- a/files/usr/local/etc/openldap/ldap.conf.idm_server
+++ b/files/usr/local/etc/openldap/ldap.conf.idm_server
@@ -12,3 +12,4 @@ USERS_BASE ${users_basedn}
 GROUPS_BASE ${groups_basedn}
 HOSTS_BASE ${hosts_basedn}
 ROLES_BASE ${roles_basedn}
+AUTOMOUNT_BASE ${automount_basedn}
diff --git a/files/usr/local/etc/polkit-1/rules.d/51-desktop.rules.desktop b/files/usr/local/etc/polkit-1/rules.d/51-desktop.rules.desktop
new file mode 100644
index 0000000..d57c4b9
--- /dev/null
+++ b/files/usr/local/etc/polkit-1/rules.d/51-desktop.rules.desktop
@@ -0,0 +1,8 @@
+polkit.addRule(function (action, subject) {
+ if ((action.id == "org.freedesktop.consolekit.system.restart" ||
+ action.id == "org.freedesktop.consolekit.system.stop" ||
+ action.id == "org.freedesktop.consolekit.system.suspend")
+ && subject.isInGroup("${desktop_access_role}")) {
+ return polkit.Result.YES;
+ }
+});
diff --git a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
index 6ef6f4a..7c69474 100644
--- a/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/make.conf.pkg_repository
@@ -10,8 +10,8 @@ OPTIONS_SET=GSSAPI GSSAPI_MIT MIT NONFREE LIBEDIT
 # Per-port options
 databases_akonadi_SET=MYSQL
 databases_luadbi_SET=PGSQL
-databases_postgresql${postgresql_version}-client_SET=PAM
-databases_postgresql${postgresql_version}-server_SET=PAM
+databases_postgresql${postgresql_version}-client_SET=PAM LDAP
+databases_postgresql${postgresql_version}-server_SET=PAM LDAP
 devel_apr1_SET=LDAP
 devel_gitolite_SET=GITUSER
 devel_kio-extras_UNSET=AFC
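Review bot: The polkit rule grants restart, stop and suspend to any member of `${desktop_access_role}` without checking that the subject is at a local, active seat, so a member logged in over SSH, or a background process running under such an account, can power the machine off; polkit's own examples gate power actions on `subject.local && subject.active`. I would tighten the condition to `&& subject.local && subject.active && subject.isInGroup("${desktop_access_role}")`. Whether remote members of that role are meant to have this power is not visible from the rule, so confirm against the role's definition before changing it.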
diff --git a/files/usr/local/etc/poudriere.d/patches/chromium-gssapi.patch.pkg_repository b/files/usr/local/etc/poudriere.d/patches/chromium-gssapi.patch.pkg_repository new file mode 100644 index 0000000..7cb0372 --- /dev/null +++ b/files/usr/local/etc/poudriere.d/patches/chromium-gssapi.patch.pkg_repository 
@@ -0,0 +1,54 @@ +--- www/chromium/Makefile 2024-10-14 22:31:01.044557000 -0400 ++++ www/chromium/Makefile 2024-10-14 22:37:11.304192000 -0400 +@@ -144,19 +144,20 @@ + SUB_FILES= chromium-browser.desktop chrome + SUB_LIST+= COMMENT="${COMMENT}" + +-OPTIONS_DEFINE= CODECS CUPS DEBUG DRIVER KERBEROS LTO PIPEWIRE TEST WIDEVINE +-OPTIONS_DEFAULT= CODECS CUPS DRIVER KERBEROS PIPEWIRE SNDIO ALSA PULSEAUDIO ++OPTIONS_DEFINE= CODECS CUPS DEBUG DRIVER LTO PIPEWIRE TEST WIDEVINE ++OPTIONS_DEFAULT= CODECS CUPS DRIVER KERBEROS PIPEWIRE SNDIO ALSA PULSEAUDIO GSSAPI_MIT + OPTIONS_EXCLUDE_aarch64=LTO + OPTIONS_GROUP= AUDIO + OPTIONS_GROUP_AUDIO= ALSA PULSEAUDIO SNDIO +-OPTIONS_RADIO= KERBEROS +-OPTIONS_RADIO_KERBEROS= HEIMDAL HEIMDAL_BASE MIT ++OPTIONS_SINGLE= KERBEROS ++OPTIONS_SINGLE_KERBEROS=GSSAPI_NONE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT + OPTIONS_SUB= yes + CODECS_DESC= Compile and enable patented codecs like H.264 + DRIVER_DESC= Install chromedriver +-HEIMDAL_BASE_DESC= Heimdal Kerberos (base) +-HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) +-MIT_DESC= MIT Kerberos (security/krb5) ++GSSAPI_NONE_DESC= Build without GSSAPI support ++GSSAPI_BASE_DESC= Use GSSAPI from base ++GSSAPI_HEIMDAL_DESC= Use Heimdal GSSAPI from security/heimdal ++GSSAPI_MIT_DESC= Use MIT GSSAPI from security/krb5 + + ALSA_LIB_DEPENDS= libasound.so:audio/alsa-lib + ALSA_RUN_DEPENDS= ${LOCALBASE}/lib/alsa-lib/libasound_module_pcm_oss.so:audio/alsa-plugins \ +@@ -189,16 +190,19 @@ + + DRIVER_MAKE_ARGS= chromedriver + +-HEIMDAL_LIB_DEPENDS= libkrb.so.26:security/heimdal +-KERBEROS_VARS= GN_ARGS+=use_kerberos=true +-KERBEROS_VARS_OFF= GN_ARGS+=use_kerberos=false ++GSSAPI_BASE_USES= gssapi ++GSSAPI_HEIMDAL_USES= gssapi:heimdal ++GSSAPI_MIT_USES= gssapi:mit ++GSSAPI_BASE_VARS= GN_ARGS+=use_kerberos=true ++GSSAPI_MIT_VARS= GN_ARGS+=use_kerberos=true ++GSSAPI_HEIMDAL_VARS= GN_ARGS+=use_kerberos=true ++GSSAPI_NONE_VARS= GN_ARGS+=use_kerberos=false + + LTO_VARS= GN_ARGS+=use_thin_lto=true \ + 
GN_ARGS+=thin_lto_enable_optimizations=true \ + WANTSPACE="14 GB" + LTO_VARS_OFF= GN_ARGS+=use_thin_lto=false + +-MIT_LIB_DEPENDS= libkrb.so.3:security/krb5 + + PIPEWIRE_DESC= Screen capture via PipeWire + PIPEWIRE_LIB_DEPENDS= libpipewire-0.3.so:multimedia/pipewire diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository index ec63f48..35b8f9a 100644 --- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository +++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository @@ -1,5 +1,11 @@ +archivers/7-zip archivers/php${php_version}-phar archivers/php${php_version}-zip +archivers/unzip +archivers/zip +audio/juk +audio/kid3 +audio/kmix converters/php${php_version}-iconv converters/php${php_version}-mbstring databases/luadbi @@ -11,25 +17,38 @@ databases/postgresql${postgresql_version}-client databases/postgresql${postgresql_version}-server databases/redis devel/ccache +devel/cgit devel/git@lite +devel/gitolite devel/php${php_version}-gettext devel/php${php_version}-intl devel/php${php_version}-pcntl devel/php${php_version}-tokenizer +devel/py-pip +devel/shards dns/bind-tools dns/nsd dns/powerdns dns/unbound +editors/libreoffice editors/vim@console editors/vim@tiny +finance/gnucash +finance/kmymoney ftp/php${php_version}-curl +graphics/ImageMagick7@nox11 +graphics/drm-kmod +graphics/p5-Image-ExifTool graphics/php${php_version}-exif graphics/php${php_version}-gd +irc/konversation irc/znc irc/znc-clientbuffer +java/eclipse java/openjdk21 -lang/python +lang/crystal lang/php${php_version} +lang/python mail/dovecot mail/dovecot-pigeonhole mail/isync 
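Review bot: `OPTIONS_DEFAULT` on the new side of the inner patch still lists `KERBEROS`, which the same patch removes from `OPTIONS_DEFINE` and turns into the name of the `OPTIONS_SINGLE` group, while `GSSAPI_MIT` is appended as the real default; a group name left in `OPTIONS_DEFAULT` is at best dead and may trip the ports framework's option checks. I would drop it: `OPTIONS_DEFAULT= CODECS CUPS DRIVER PIPEWIRE SNDIO ALSA PULSEAUDIO GSSAPI_MIT`. The patch also removes `KERBEROS_VARS_OFF` and relies on `GSSAPI_NONE_VARS` to set `use_kerberos=false`, which only holds because `OPTIONS_SINGLE` guarantees exactly one member is selected; a one-line comment above the `GSSAPI_*_VARS` block saying so would help the next person who edits it.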
@@ -38,27 +57,37 @@ mail/postfix mail/rspamd mail/sieve-connect misc/php${php_version}-calendar +multimedia/audacious +multimedia/libva-intel-media-driver +multimedia/makemkv +net-im/dino +net-im/gajim +net-im/prosody +net-im/prosody-modules +net-im/signal-desktop +net-mgmt/unifi8 net/asterisk18 +net/freeradius3 net/lualdap net/nss-pam-ldapd-sasl net/openldap26-client net/openldap26-server net/p5-perl-ldap net/php${php_version}-ldap +net/php${php_version}-sockets net/py-python-ldap net/rsync -net/php${php_version}-sockets net/turnserver -net-im/prosody -net-im/prosody-modules +net/wireguard-tools ports-mgmt/poudriere print/cups print/cups-filters security/acme.sh +security/bitwarden-cli security/cyrus-sasl2-saslauthd -security/kstart security/krb5@default security/krb5@ldap +security/kstart security/openssh-portable security/pam_krb5@mit security/pam_mkhomedir @@ -67,20 +96,38 @@ security/sshpass security/sudo security/vaultwarden sysutils/htop +sysutils/k3b sysutils/lsof sysutils/p5-Sys-Syslog +sysutils/password-store sysutils/php${php_version}-fileinfo sysutils/php${php_version}-posix sysutils/pwgen sysutils/stow sysutils/tmux sysutils/tree +textproc/hs-pandoc +textproc/jq textproc/p5-YAML textproc/php${php_version}-ctype textproc/php${php_version}-dom textproc/php${php_version}-simplexml textproc/php${php_version}-xml textproc/php${php_version}-xmlwriter +textproc/py-docutils +textproc/py-markdown +textproc/py-pygments +www/chromium +www/fcgiwrap +www/firefox +www/linux-widevine-cdm www/nginx www/php${php_version}-opcache www/php${php_version}-session +www/w3m +x11-fonts/terminus-font +x11-fonts/terminus-ttf +x11/kde5 +x11/sddm +x11/xev +x11/xorg diff --git a/files/usr/local/etc/raddb/mods-available/eap.radius_server b/files/usr/local/etc/raddb/mods-available/eap.radius_server new file mode 100644 index 0000000..5c1aafd --- /dev/null +++ b/files/usr/local/etc/raddb/mods-available/eap.radius_server 
@@ -0,0 +1,42 @@
+eap {
+ default_eap_type = tls
+ timer_expire = 60
+ ignore_unknown_eap_types = yes
+ cisco_accounting_username_bug = no
+ max_sessions = \${max_requests}
+
+ tls-config tls-common {
+ private_key_password =
+ private_key_file = ${freeradius_tls_key}
+ certificate_file = ${freeradius_tls_cert}
+ ca_file = ${site_cacert_path}
+ ca_path = \${cadir}
+ auto_chain = no
+ check_crl = no
+ cipher_list = "DEFAULT"
+ cipher_server_preference = no
+ tls_min_version = "1.2"
+ tls_max_version = "1.3"
+ ecdh_curve = ""
+
+ cache {
+ enable = yes
+ lifetime = 24 # hours
+ name = "EAP module"
+ persist_dir = "${freeradius_tlscache_dir}"
+ store {
+ Tunnel-Private-Group-Id
+ }
+ }
+
+ verify { }
+
+ ocsp {
+ enable = no
+ }
+ }
+
+ tls {
+ tls = tls-common
+ }
+}
diff --git a/files/usr/local/etc/raddb/radiusd.conf.radius_server b/files/usr/local/etc/raddb/radiusd.conf.radius_server
new file mode 100644
index 0000000..cc5a7a3
--- /dev/null
+++ b/files/usr/local/etc/raddb/radiusd.conf.radius_server
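Review bot: Client-certificate revocation is switched off in `tls-common` (`check_crl = no` and `ocsp { enable = no }`), so a revoked or lost device certificate keeps authenticating over EAP-TLS until it expires, and with EAP-TLS revocation is the only way to cut a device off short of reissuing the CA. If the site CA publishes a CRL, set `check_crl = yes` and point `ca_path` at a directory holding the hashed CRL; if an OCSP responder exists, enable the `ocsp` block with its `url` instead. Note also that `ca_path = \${cadir}` resolves to the server's own `certs` directory as radiusd.conf defines `cadir`, so any hashed CA certificate dropped there becomes a trusted issuer for client certificates — presumably intended, but it deserves a comment such as `# any c_rehash'ed CA in ${cadir} is accepted as a client-cert issuer`. `cipher_list = "DEFAULT"` with `tls_min_version = "1.2"` is acceptable, but allowing `tls_max_version = "1.3"` for EAP-TLS has known supplicant interop caveats in FreeRADIUS 3.x, so test the client population before relying on it.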
@@ -0,0 +1,80 @@
+prefix = /usr/local
+exec_prefix = \${prefix}
+sysconfdir = \${prefix}/etc
+localstatedir = /var
+sbindir = \${exec_prefix}/sbin
+logdir = /var/log
+raddbdir = \${sysconfdir}/raddb
+radacctdir = \${logdir}/radacct
+
+name = radiusd
+
+confdir = \${raddbdir}
+modconfdir = \${confdir}/mods-config
+certdir = \${confdir}/certs
+cadir = \${confdir}/certs
+run_dir = \${localstatedir}/run/\${name}
+
+db_dir = \${raddbdir}
+
+libdir = /usr/local/lib/freeradius-${freeradius_version}
+
+pidfile = \${run_dir}/\${name}.pid
+
+max_request_time = 30
+
+cleanup_delay = 5
+
+max_requests = 16384
+
+hostname_lookups = no
+
+log {
+ destination = syslog
+ colourise = no
+ file = \${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = no
+ auth_goodpass = no
+ msg_denied = "You are already logged in - access denied"
+}
+
+checkrad = \${sbindir}/checkrad
+
+ENV { }
+
+security {
+ allow_core_dumps = no
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+proxy_requests = yes
+\$INCLUDE proxy.conf
+
+\$INCLUDE clients.conf
+
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+ auto_limit_acct = no
+}
+
+modules {
+ \$INCLUDE mods-enabled/
+}
+
+instantiate { }
+
+policy {
+ \$INCLUDE policy.d/
+}
+
+\$INCLUDE sites-enabled/
diff --git a/files/usr/local/etc/rc.d/invidious.invidious_server b/files/usr/local/etc/rc.d/invidious.invidious_server
new file mode 100644
index 0000000..44acbad
--- /dev/null
+++ b/files/usr/local/etc/rc.d/invidious.invidious_server
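Review bot: `proxy_requests = yes` together with `\$INCLUDE proxy.conf` turns on realm-based forwarding to home servers, which is attack surface an EAP-TLS server for a single site does not appear to need; the stock FreeRADIUS configuration recommends `proxy_requests = no` when nothing is proxied, and that also removes the dependency on proxy.conf. If proxying is indeed unused, change the two lines to `proxy_requests = no` and drop the include, with a short comment recording the decision. `status_server = yes` is fine, but Status-Server replies are protected only by the per-client shared secrets in `clients.conf`, which is not part of this commit, so make sure no client entry carries an empty or placeholder secret.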
@@ -0,0 +1,41 @@ +#!/bin/sh + +# PROVIDE: invidious +# REQUIRE: NETWORKING +# KEYWORD: shutdown + +. /etc/rc.subr + +name=invidious +rcvar=invidious_enable + +load_rc_config "$name" + +: ${invidious_enable:='NO'} +: ${invidious_dir:='/usr/local/invidious/invidious.git'} +: ${invidious_user='www'} +: ${invidious_syslog_priority:='info'} +: ${invidious_syslog_facility:='daemon'} + +invidious_syslog_tag=invidious + +invidious_chdir=$invidious_dir +pidfile=/var/run/invidious/invidious.pid +command=/usr/sbin/daemon + +command_args="-f \ +-s ${invidious_syslog_priority} \ +-l ${invidious_syslog_facility} \ +-T ${invidious_syslog_tag} \ +-p ${pidfile} \ +-t invidious \ +${invidious_dir}/invidious" + +procname="${invidious_dir}/invidious" +start_precmd=invidious_prestart + +invidious_prestart(){ + install -d -m 0755 -o ${invidious_user} /var/run/invidious +} + +run_rc_command "$1" diff --git a/files/usr/local/etc/sddm.conf.common b/files/usr/local/etc/sddm.conf.common new file mode 100644 index 0000000..09c2000 --- /dev/null +++ b/files/usr/local/etc/sddm.conf.common @@ -0,0 +1,9 @@ +[General] +DisplayServer = x11 + +[Wayland] +SessionDir = /dev/null + +[Users] +MinimumUid = ${sddm_min_uid} +MaximumUid = ${sddm_max_uid} diff --git a/files/usr/local/etc/ssh/sshd_config.freebsd b/files/usr/local/etc/ssh/sshd_config.freebsd index eca2276..0e0d730 100644 --- a/files/usr/local/etc/ssh/sshd_config.freebsd +++ b/files/usr/local/etc/ssh/sshd_config.freebsd @@ -13,4 +13,6 @@ GSSAPICleanupCredentials yes UsePAM yes UseDNS no +# TODO: require group to login? + Subsystem sftp /usr/local/libexec/sftp-server diff --git a/files/usr/local/invidious/invidious.git/config/config.yml.invidious_server b/files/usr/local/invidious/invidious.git/config/config.yml.invidious_server new file mode 100644 index 0000000..fb7fe54 --- /dev/null +++ b/files/usr/local/invidious/invidious.git/config/config.yml.invidious_server 
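Review bot: `: ${invidious_user='www'}` uses `=` while every other default in the rc script uses `:=`, so an `invidious_user=""` set in rc.conf is kept empty instead of being defaulted, and with an empty `${name}_user` rc.subr would presumably start the daemon as root; write it as `: ${invidious_user:='www'}`. The script otherwise depends on rc.subr(8) honouring `invidious_user` to run `/usr/sbin/daemon` unprivileged, which is also what the `install -o ${invidious_user}` on the pidfile directory assumes, so a comment like `# rc.subr runs the command as $invidious_user, so /var/run/invidious must be owned by that user` would make the dependency explicit. `daemon` is given no `-R`, so a crashed binary is not restarted; if that is deliberate, say so in the header comment.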
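Review bot: The added `# TODO: require group to login?` names the real gap in the sshd hunk: with `UsePAM yes` and GSSAPI authentication every account the directory can resolve is able to open a shell here, and nothing in the file restricts that. The OpenSSH-native fix is an `AllowGroups` directive listing the access role (the group's name is not visible in this commit), e.g. `AllowGroups wheel <ssh-access-role>` in place of the TODO; if the gate is meant to live in PAM instead, the comment should say so, otherwise the TODO will outlive the decision.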
@@ -0,0 +1,35 @@
+log_level: info
+domain: ${invidious_fqdn}
+external_port: 443
+channel_threads: 1
+feed_threads: 1
+database_url: postgres://${invidious_username}:${invidious_password}@${invidious_dbhost}/${invidious_dbname}?sslmode=verify-full&auth_methods=cleartext
+use_pubsub_feeds: false
+hmac_key: ${invidious_hmac_key}
+https_only: true
+registration_enabled: true
+port: ${invidious_port}
+host_binding: 127.0.0.1
+popular_enabled: false
+captcha_enabled: false
+check_tables: true
+cache_annotations: true
+po_token: ${invidious_po_token}
+visitor_data: ${invidious_visitor_data}
+signature_server: ${invidious_signature_sock}
+
+default_user_preferences:
+ dark_mode: auto
+ autoplay: false
+ continue: true
+ continue_autoplay: false
+ local: true
+ quality: dash
+ quality_dash: 1080p
+ locale: en-US
+ region: US
+ related_videos: true
+ video_loop: false
+ player_style: invidious
+ default_home: Subscriptions
+ feed_menu: [Subscriptions, Playlists]
diff --git a/files/usr/local/libexec/idm-autofs-map.common b/files/usr/local/libexec/idm-autofs-map.common
new file mode 100644
index 0000000..296bf91
--- /dev/null
+++ b/files/usr/local/libexec/idm-autofs-map.common
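Review bot: `registration_enabled: true` combined with `captcha_enabled: false` opens account creation on this instance to anyone who can reach it with nothing to slow scripted signups; if the instance serves a closed user base, flip to `registration_enabled: false` once the intended accounts exist, otherwise enable the captcha. The file also holds `hmac_key`, the database password inside `database_url` and `po_token`, so it must be installed readable only by the Invidious service user — the mode is set outside this commit, so confirm it. `auth_methods=cleartext` on `database_url` makes the password leave the process as-is, which is acceptable only because `sslmode=verify-full` is on the same URL; a comment such as `# cleartext auth is safe only with sslmode=verify-full; keep both` would stop the two from drifting apart.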
@@ -0,0 +1,44 @@
+#!/usr/local/bin/perl
+
+use strict;
+use warnings;
+
+use Net::LDAP;
+use Net::LDAP::Util qw(escape_dn_value);
+use Authen::SASL;
+
+open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or die($!);
+my %config;
+while (<$fh>) {
+ chomp;
+ next if /^#/;
+ my @pair = split(' ', $_, 2);
+ next unless (@pair == 2);
+ $config{$pair[0]} = $pair[1];
+}
+close($fh);
+
+my $mech = $config{SASL_MECH} // 'GSSAPI';
+my $uri = $config{URI} // die("URI not specified\n");
+my $basedn = $config{AUTOMOUNT_BASE} // die("AUTOMOUNT_BASE not specified\n");
+
+@ARGV == 1 or die "usage: $0 MAPNAME\n";
+my $mapname = $ARGV[0];
+
+my $conn = Net::LDAP->new($uri, version => '3') or die "$0: $@";
+my $sasl = Authen::SASL->new($mech);
+my $status = $conn->bind(sasl => $sasl);
+$status->code and die "$0: ".$status->error."\n";
+
+my $search = $conn->search(
+ scope => 'one',
+ base => 'automountMapName='.escape_dn_value($mapname).",$basedn",
+ filter => '(objectClass=automount)',
+ attrs => ['automountKey', 'automountInformation']);
+$search->code and die "$0: $mapname: ".$search->error."\n";
+
+foreach my $entry ($search->entries) {
+ my $key = ($entry->get_value('automountKey'))[0];
+ my $info = ($entry->get_value('automountInformation'))[0];
+ print "$key $info\n";
+}
diff --git a/files/usr/local/libexec/invidious-update.invidious_server b/files/usr/local/libexec/invidious-update.invidious_server
new file mode 100644
index 0000000..b89b4bf
--- /dev/null
+++ b/files/usr/local/libexec/invidious-update.invidious_server
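Review bot: `Net::LDAP->new($uri, version => '3')` passes no `verify`/`cafile` options, so if `URI` in ldap.conf is an `ldaps://` URL the server certificate is accepted unverified (Net::LDAP's `verify` defaults to `none`), and for a plain `ldap://` URI confidentiality rests on the SASL GSSAPI security layer, which `Authen::SASL->new($mech)` is never asked to require. Since the script already parses ldap.conf, I would read `TLS_CACERT` from it as well and pass `verify => 'require', cafile => $config{TLS_CACERT}` when present, and state the remaining assumption in a comment: `# Integrity comes from the GSSAPI bind; the URI is expected to be ldaps:// or SASL to negotiate a security layer.` The DN is built with `escape_dn_value($mapname)`, which is the right call for an attacker-influenced map name, but `next if /^#/;` and the exact-case key lookup (`$config{URI}`) are stricter than OpenLDAP's own parser, which ignores case and leading whitespace; fine for a generated file, but worth a one-line note that the script expects the generated layout.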
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -eu -o pipefail
+
+prog=$(basename "$(readlink -f "$0")")
+usage="${prog} [-q] INVIDIOUS_USER INVIDIOUS_SRCDIR"
+
+die() {
+ printf '%s: %s\n' "$prog" "$*" 1>&2
+ exit 1
+}
+
+usage(){
+ printf 'usage: %s\n' "$usage" 1>&2
+ exit 2
+}
+
+as_invidious(){
+ su -m "$invidious_user" -c "HOME=$(dirname "$invidious_dir") ${@}"
+}
+
+while getopts hq opt; do
+ case $opt in
+ h) usage ;;
+ q) exec 1>/dev/null ;;
+ esac
+done
+shift $((OPTIND - 1))
+
+[ $# -eq 2 ] || usage
+
+invidious_user=$1
+invidious_dir=$2
+
+cd "$invidious_dir"
+
+su -m "$invidious_user" -c 'git fetch'
+local_rev=$(as_invidious 'git rev-parse HEAD')
+upstream_rev=$(as_invidious 'git rev-parse "@{u}"')
+
+if [ "$local_rev" != "$upstream_rev" ]; then
+ echo "updating invidious to rev ${upstream_rev}"
+ as_invidious 'git pull --ff-only && shards install --production && crystal build src/invidious.cr --release'
+else
+ echo "invidious already up to date at rev ${local_rev}"
+fi
+
+service invidious restart
diff --git a/files/usr/local/libexec/pam-create-local-homedir.common b/files/usr/local/libexec/pam-create-local-homedir.common
new file mode 100644
index 0000000..a956d65
--- /dev/null
+++ b/files/usr/local/libexec/pam-create-local-homedir.common
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+uid=$(id -u "$PAM_USER")
+
+if [ "$uid" -ge 1000 ]; then
+ install -m 0755 -d /usr/local/home
+ install -o "$uid" -g "$uid" -m 0700 -d "/usr/local/home/${PAM_USER}"
+fi
diff --git a/files/usr/local/override/applications/signal-desktop.desktop.common b/files/usr/local/override/applications/signal-desktop.desktop.common
new file mode 100644
index 0000000..d0c9160
--- /dev/null
+++ b/files/usr/local/override/applications/signal-desktop.desktop.common
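Review bot: The update loop pulls whatever `@{u}` currently points to, builds it and restarts the service with no verification of the fetched revision — no `git verify-commit`/`verify-tag`, no pinned tag — so a compromise of the upstream remote, or of the path to it, is executed as the service user on the next run; that is a supply-chain choice that at least deserves a comment at the top of the script, and if upstream signs releases, checking out a verified tag rather than the branch head is the safer loop. `shards install --production` does honour `shard.lock`, which limits dependency drift, but only if that lock file is committed upstream, which is worth confirming. Two smaller points: the first `git fetch` runs under `su -m` without the `HOME` override that `as_invidious` applies to every other git call, and `service invidious restart` runs even when nothing changed, so moving it inside the `if` branch avoids a needless outage.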
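Review bot: In pam-create-local-homedir, `install -o "$uid" -g "$uid"` sets the group of the new home directory to the *uid* number, which is the user's primary group only while user-private groups keep gid equal to uid — the DAViCal comment in this commit says the site stores such groups in LDAP, but nothing here enforces the equality; use the real primary group, `gid=$(id -g "$PAM_USER")` and `-g "$gid"`. `$PAM_USER` is also spliced into the path unchecked, and the name comes from whichever account source PAM resolved, so a guard such as `case $PAM_USER in ''|*/*|.|..) exit 1;; esac` before the `install` lines keeps a malformed name from creating a directory outside `/usr/local/home`. With `set -e` a failing `id` aborts the script, which is the right outcome for an unknown user, but a short comment saying so would make the intent clear.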
@@ -0,0 +1,12 @@
+[Desktop Entry]
+Type=Application
+Name=Signal
+Comment=Signal - Private Messenger
+Icon=signal-desktop
+Exec=signal-desktop --use-tray-icon -- %u
+Terminal=false
+Categories=Network;InstantMessaging;
+StartupWMClass=Signal
+MimeType=x-scheme-handler/sgnl;
+Keywords=sgnl;chat;im;messaging;messenger;sms;security;privat;
+X-GNOME-UsesNotifications=true
diff --git a/files/usr/local/www/davical/config/config.php.dav_server b/files/usr/local/www/davical/config/config.php.dav_server
index ec2cb26..3d1174d 100644
--- a/files/usr/local/www/davical/config/config.php.dav_server
+++ b/files/usr/local/www/davical/config/config.php.dav_server
@@ -20,8 +20,12 @@
 'port' => '389',
 'sasl' => 'yes',
 'sasl_mech' => 'GSSAPI',
- 'baseDNUsers' => '${users_basedn}',
+ 'baseDNUsers' => '${people_basedn}',
 'baseDNGroups' => '${groups_basedn}',
+ /* Must use scope=onelevel here because if davical picks up a user and group
+ * with the same name, then the group takes precedence and the user is lost.
+ * Sad for us because we store user private groups in LDAP.
+ */
 'scope' => 'onelevel',
 'protocolVersion' => 3,
 'optReferrals' => 0,
@@ -44,6 +48,6 @@
 'H' => array(8,2),
 'M' => array(10,2),
 'S' => array(12,2)),
- 'i_use_mode_kerberos' => 'i_know_what_i_am_doing',
+ 'i_use_mode_kerberos' => 'allow_fallback_to_ldap_auth',
 );
 include_once('drivers_ldap.php');
-- cgit v1.2.3
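Review bot: Changing `i_use_mode_kerberos` to `allow_fallback_to_ldap_auth` means a client that presents no Kerberos ticket can authenticate with a password, and as I read DAViCal's LDAP driver that check is done by binding as the user over the connection configured above, which is `'port' => '389'` with SASL GSSAPI used only for DAViCal's own service bind; unless STARTTLS is enabled elsewhere in this config (not visible in the hunk), the fallback sends user passwords in clear. Confirm that `'startTLS' => 'yes'` or an `ldaps://` host is set, and record the reason for the fallback next to the new line, e.g. `// password fallback for clients without GSSAPI; LDAP transport must be TLS`.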