From 99b8524c16cc99ceeaf1ebf588f2fc0f2c0fbe0a Mon Sep 17 00:00:00 2001 
From: Cullum Smith Date: Sat, 12 Oct 2024 08:14:59 -0400 Subject: add a bunch of hostclasses --- .../etc/asterisk/extensions.conf.asterisk_server | 5 + .../local/etc/asterisk/logger.conf.asterisk_server | 3 + .../local/etc/asterisk/pjsip.conf.asterisk_server | 26 +++ .../etc/asterisk/pjsip_wizard.conf.asterisk_server | 65 ++++++++ .../local/etc/asterisk/queues.conf.asterisk_server | 31 ++++ .../local/etc/asterisk/rtp.conf.asterisk_server | 3 + .../etc/asterisk/voicemail.conf.asterisk_server | 31 ++++ .../local/etc/dovecot/rspamd.conf.sh.imap_server | 5 + files/usr/local/etc/nginx/fastcgi_params.common | 31 ++++ files/usr/local/etc/nginx/nginx.conf.common | 37 ++++- .../local/etc/nginx/vhosts.conf.bitwarden_server | 36 +++++ files/usr/local/etc/nginx/vhosts.conf.dav_server | 55 +++++++ files/usr/local/etc/nginx/vhosts.conf.smtp_server | 4 +- files/usr/local/etc/nginx/vhosts.conf.ttrss_server | 43 +++++ files/usr/local/etc/nginx/vhosts.conf.xmpp_server | 21 +++ files/usr/local/etc/nginx/vhosts.conf.znc_server | 21 +++ .../etc/nsd/nsd.conf.authoritative_nameserver | 22 +++ files/usr/local/etc/nslcd.conf.common | 2 + files/usr/local/etc/openldap/ldap.conf.common | 1 + files/usr/local/etc/openldap/ldap.conf.idm_server | 1 + files/usr/local/etc/php-fpm.conf.common | 4 + .../local/etc/php-fpm.d/davical.conf.dav_server | 20 +++ .../local/etc/php-fpm.d/ttrss.conf.ttrss_server | 23 +++ files/usr/local/etc/php.ini.common | 138 ++++++++++++++++ .../local/etc/poudriere.d/pkglist.pkg_repository | 28 ++++ .../local/etc/prosody/prosody.cfg.lua.xmpp_server | 106 ++++++++++++ .../etc/rc.conf.d/vaultwarden.bitwarden_server | 19 +++ files/usr/local/etc/rc.d/ttrssd.ttrss_server | 47 ++++++ .../etc/ssh/sshd_config.d/acmeproxy.conf.common | 11 ++ files/usr/local/etc/ssh/sshd_config.freebsd | 2 +- files/usr/local/etc/sudoers.d/acme.asterisk_server | 1 + .../usr/local/etc/sudoers.d/acme.public_webserver | 1 + files/usr/local/etc/sudoers.d/acme.smtp_server | 2 +- 
files/usr/local/etc/sudoers.d/acme.xmpp_server | 1 + files/usr/local/etc/turnserver.conf.turn_server | 61 +++++++ .../usr/local/etc/znc/configs/znc.conf.znc_server | 55 +++++++ .../etc/znc/moddata/cyrusauth/.registry.znc_server | 2 + files/usr/local/lib/sasl2/znc.conf.znc_server | 3 + .../dovecot/sieve-pipe/report-ham.sh.imap_server | 12 +- .../dovecot/sieve-pipe/report-spam.sh.imap_server | 12 +- .../local/libexec/idm-ssh-authorized-keys.common | 8 +- files/usr/local/libexec/idm-ssh-known-hosts.common | 4 +- .../local/libexec/prosody-acme-proxy.xmpp_server | 54 +++++++ .../libexec/prosody-update-roster.xmpp_server | 47 ++++++ .../davical/config/administration.yml.dav_server | 4 + .../local/www/davical/config/config.php.dav_server | 49 ++++++ files/usr/local/www/tt-rss/config.php.ttrss_server | 28 ++++ .../plugins.local/auth_idm/init.php.ttrss_server | 177 +++++++++++++++++++++ 48 files changed, 1339 insertions(+), 23 deletions(-) create mode 100644 files/usr/local/etc/asterisk/extensions.conf.asterisk_server create mode 100644 files/usr/local/etc/asterisk/logger.conf.asterisk_server create mode 100644 files/usr/local/etc/asterisk/pjsip.conf.asterisk_server create mode 100644 files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server create mode 100644 files/usr/local/etc/asterisk/queues.conf.asterisk_server create mode 100644 files/usr/local/etc/asterisk/rtp.conf.asterisk_server create mode 100644 files/usr/local/etc/asterisk/voicemail.conf.asterisk_server create mode 100644 files/usr/local/etc/dovecot/rspamd.conf.sh.imap_server create mode 100644 files/usr/local/etc/nginx/fastcgi_params.common create mode 100644 files/usr/local/etc/nginx/vhosts.conf.bitwarden_server create mode 100644 files/usr/local/etc/nginx/vhosts.conf.dav_server create mode 100644 files/usr/local/etc/nginx/vhosts.conf.ttrss_server create mode 100644 files/usr/local/etc/nginx/vhosts.conf.xmpp_server create mode 100644 files/usr/local/etc/nginx/vhosts.conf.znc_server create mode 100644 
files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver create mode 100644 files/usr/local/etc/php-fpm.conf.common create mode 100644 files/usr/local/etc/php-fpm.d/davical.conf.dav_server create mode 100644 files/usr/local/etc/php-fpm.d/ttrss.conf.ttrss_server create mode 100644 files/usr/local/etc/php.ini.common create mode 100644 files/usr/local/etc/prosody/prosody.cfg.lua.xmpp_server create mode 100644 files/usr/local/etc/rc.conf.d/vaultwarden.bitwarden_server create mode 100644 files/usr/local/etc/rc.d/ttrssd.ttrss_server create mode 100644 files/usr/local/etc/ssh/sshd_config.d/acmeproxy.conf.common create mode 100644 files/usr/local/etc/sudoers.d/acme.asterisk_server create mode 100644 files/usr/local/etc/sudoers.d/acme.public_webserver create mode 100644 files/usr/local/etc/sudoers.d/acme.xmpp_server create mode 100644 files/usr/local/etc/turnserver.conf.turn_server create mode 100644 files/usr/local/etc/znc/configs/znc.conf.znc_server create mode 100644 files/usr/local/etc/znc/moddata/cyrusauth/.registry.znc_server create mode 100644 files/usr/local/lib/sasl2/znc.conf.znc_server create mode 100644 files/usr/local/libexec/prosody-acme-proxy.xmpp_server create mode 100644 files/usr/local/libexec/prosody-update-roster.xmpp_server create mode 100644 files/usr/local/www/davical/config/administration.yml.dav_server create mode 100644 files/usr/local/www/davical/config/config.php.dav_server create mode 100644 files/usr/local/www/tt-rss/config.php.ttrss_server create mode 100644 files/usr/local/www/tt-rss/plugins.local/auth_idm/init.php.ttrss_server (limited to 'files/usr') diff --git a/files/usr/local/etc/asterisk/extensions.conf.asterisk_server b/files/usr/local/etc/asterisk/extensions.conf.asterisk_server new file mode 100644 index 0000000..301fe66 --- /dev/null +++ b/files/usr/local/etc/asterisk/extensions.conf.asterisk_server @@ -0,0 +1,5 @@ +[public] +exten => _X.,1,Hangup(3) + +[default] +exten => _X.,1,Hangup(3) 
diff --git a/files/usr/local/etc/asterisk/logger.conf.asterisk_server b/files/usr/local/etc/asterisk/logger.conf.asterisk_server new file mode 100644 index 0000000..3bf2a53 --- /dev/null +++ b/files/usr/local/etc/asterisk/logger.conf.asterisk_server @@ -0,0 +1,3 @@ +[logfiles] +console => notice,warning,error +syslog.daemon => notice,warning,error,security,verbose1 diff --git a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server new file mode 100644 index 0000000..0f83a81 --- /dev/null +++ b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server @@ -0,0 +1,26 @@ +[transport-defaults](!) +type = transport +bind = 0.0.0.0 +local_net = 127.0.0.0/8 +local_net = 10.0.0.0/8 +local_net = 172.16.0.0/12 +local_net = 192.168.0.0/16 +external_media_address = ${asterisk_public_ip} +external_signaling_address = ${asterisk_public_ip} + +[transport-udp](transport-defaults) +protocol = udp + +[transport-tcp](transport-defaults) +protocol = tcp + +[transport-tls](transport-defaults) +protocol = tls +bind = 0.0.0.0:5061 +method = tlsv1_2 +cert_file = ${asterisk_public_tls_cert} +priv_key_file = ${asterisk_public_tls_key} +ca_list_file = ${ca_root_nss_bundle} +verify_client = no +verify_server = yes +allow_reload = yes diff --git a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server new file mode 100644 index 0000000..1de448f --- /dev/null +++ b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server 
@@ -0,0 +1,65 @@ +;;;;;;;;;;; +; Trunks +;;;;;;;;;;; + +[trunk-defaults](!) +type = wizard +sends_auth = yes +sends_registrations = yes +endpoint/rtp_symmetric = yes +endpoint/rewrite_contact = yes +endpoint/send_rpid = yes +endpoint/from_domain = ${asterisk_sip_domain} +endpoint/allow = !all,ulaw +registration/max_retries = 4294967295 +registration/auth_rejection_permanent = no +aor/qualify_frequency = 30 + +$(for trunk in ${asterisk_trunks:-}; do + eval "trunk_proto=\${asterisk_trunk_${trunk}_proto:-'tcp'}" + eval "trunk_remote=\${asterisk_trunk_${trunk}_remote}" + eval "trunk_username=\${asterisk_trunk_${trunk}_username}" + eval "trunk_password=\${asterisk_trunk_${trunk}_password}" + eval "trunk_context=\${asterisk_trunk_${trunk}_context}" + echo "\ +[${trunk}](trunk-defaults) +transport = transport-${trunk_proto} +remote_hosts = ${trunk_remote} +endpoint/context = ${trunk_context} +endpoint/media_encryption = no +outbound_auth/username = ${trunk_username} +outbound_auth/password = ${trunk_password} +"; done) + + +[extension-defaults](!) 
+type = wizard +accepts_registrations = yes +accepts_auth = yes +aor/remove_existing = yes +endpoint/allow = !all,g722,ulaw +endpoint/from_domain = ${asterisk_sip_domain} +endpoint/subscribe_context = subscribe + +$(for ext in ${asterisk_exts:-}; do + eval "ext_context=\${asterisk_ext_${ext}_context}" + eval "ext_password=\${asterisk_ext_${ext}_password}" + eval "ext_max_contacts=\${asterisk_ext_${ext}_max_contacts:-1}" + eval "ext_qualify_freq=\${asterisk_ext_${ext}_qualify_freq:-30}" + eval "ext_qualify_timeout=\${asterisk_ext_${ext}_qualify_timeout:-3.0}" + eval "ext_direct_media=\${asterisk_ext_${ext}_direct_media:-yes}" + eval "ext_cid_name=\${asterisk_ext_${ext}_cid_name}" + eval "ext_cid_number=\${asterisk_ext_${ext}_cid_number:-$ext}" + eval "ext_mailbox=\${asterisk_ext_${ext}_mailbox:-$ext}" + echo "\ +[${ext}](extension-defaults) +endpoint/context = ${ext_context} +endpoint/mailboxes = ${ext_mailbox}@default +endpoint/callerid = ${ext_cid_name} <${ext_cid_number}> +inbound_auth/username = ${ext} +inbound_auth/password = ${ext_password} +aor/max_contacts = ${ext_max_contacts} +aor/qualify_frequency = ${ext_qualify_freq} +aor/qualify_timeout = ${ext_qualify_timeout} +endpoint/direct_media = ${ext_direct_media} +"; done) diff --git a/files/usr/local/etc/asterisk/queues.conf.asterisk_server b/files/usr/local/etc/asterisk/queues.conf.asterisk_server new file mode 100644 index 0000000..87b8ed4 --- /dev/null +++ b/files/usr/local/etc/asterisk/queues.conf.asterisk_server 
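Review bot: `eval "trunk_password=\${asterisk_trunk_${trunk}_password}"` and `eval "ext_password=\${asterisk_ext_${ext}_password}"` carry neither a default nor a `:?` guard, so unless the rendering shell runs with `set -u` an unset secret silently renders as an empty `outbound_auth/password =` or `inbound_auth/password =` line instead of failing the render, and an endpoint with an empty inbound password may accept registrations with no real credential. Writing them as `\${asterisk_ext_${ext}_password:?}` (and the trunk equivalent) turns a missing secret into a hard render error, which is the safer failure mode for an auth section. The mandatory non-secret values on the same lines (`_context`, `_remote`, `_username`) would benefit from the same treatment for consistency with the `:-` defaults used elsewhere in this file.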
@@ -0,0 +1,31 @@ +[general] +persistentmembers = yes +autofill = yes +monitor-type = MixMonitor +shared_lastcall = yes +log_membername_as_agent = yes + +$(for queue in ${asterisk_queues:-}; do + eval "queue_strategy=\${asterisk_queue_${queue}_strategy}" + eval "queue_timeout=\${asterisk_queue_${queue}_timeout:-15}" + eval "queue_retry=\${asterisk_queue_${queue}_retry:-5}" + eval "queue_ringinuse=\${asterisk_queue_${queue}_ringinuse:-yes}" + eval "queue_members=\${asterisk_queue_${queue}_members}" + echo "\ +[${queue}] +strategy = ${queue_strategy} +timeout = ${queue_timeout} +retry = ${queue_retry} +timeoutpriority = app +announce-frequency = 0 +announce-holdtime = no +announce-position = no +periodic-announce-frequency = 0 +joinempty = yes +leavewhenempty = no +ringinuse = ${queue_ringinuse} +timeoutrestart = yes" +for member in $queue_members; do + eval "member_name=\${asterisk_ext_${member}_cid_name}" + echo "member => PJSIP/${member},0,${member_name},PJSIP/${member}" +done; done) diff --git a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server new file mode 100644 index 0000000..d16d1f0 --- /dev/null +++ b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server @@ -0,0 +1,3 @@ +[general] +rtpstart=${asterisk_rtp_start_port} +rtpend=${asterisk_rtp_end_port} diff --git a/files/usr/local/etc/asterisk/voicemail.conf.asterisk_server b/files/usr/local/etc/asterisk/voicemail.conf.asterisk_server new file mode 100644 index 0000000..c67559f --- /dev/null +++ b/files/usr/local/etc/asterisk/voicemail.conf.asterisk_server 
@@ -0,0 +1,31 @@ +[general] +format=wav49|gsm|wav + +serveremail=${asterisk_from_email} +attach=yes +maxmsg=100 +maxsecs=300 +maxgreet=60 +skipms=3000 +maxsilence=10 +silencethreshold=128 +maxlogins=3 + +emailsubject=New voicemail \${VM_MSGNUM} in mailbox \${VM_MAILBOX} +emailbody=Hi \${VM_NAME},\n\nYou have a new voicemail in mailbox \${VM_MAILBOX}.\n\nFrom: \${VM_CALLERID}\nDate: \${VM_DATE}\nDuration: \${VM_DUR}\nMessage Number: \${VM_MSGNUM} +emaildateformat=%A, %B %d, %Y at %r + +tz=myzone +locale=${asterisk_locale} +minpassword=4 + +[zonemessages] +myzone=${asterisk_timezone}|'vm-received' Q 'digits/at' IMp + +[default] +$(for mailbox in ${asterisk_mailboxes:-}; do + eval "mailbox_password=\${asterisk_mailbox_${mailbox}_password:-${asterisk_default_mailbox_password}}" + eval "mailbox_name=\${asterisk_mailbox_${mailbox}_name:-}" + eval "mailbox_email=\${asterisk_mailbox_${mailbox}_email:-}" + echo "${mailbox} => ${mailbox_password},${mailbox_name},${mailbox_email},,," +done) diff --git a/files/usr/local/etc/dovecot/rspamd.conf.sh.imap_server b/files/usr/local/etc/dovecot/rspamd.conf.sh.imap_server new file mode 100644 index 0000000..c1293e4 --- /dev/null +++ b/files/usr/local/etc/dovecot/rspamd.conf.sh.imap_server @@ -0,0 +1,5 @@ +#!/bin/sh + +RSPAMD_HOST="${rspamd_host}.${domain}" +RSPAMD_PASSWORD="${rspamd_rw_password}" +RSPAMD_KEY="${rspamd_pubkey}" diff --git a/files/usr/local/etc/nginx/fastcgi_params.common b/files/usr/local/etc/nginx/fastcgi_params.common new file mode 100644 index 0000000..d0a6c69 --- /dev/null +++ b/files/usr/local/etc/nginx/fastcgi_params.common 
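Review bot: `mailbox_password` falls back to the shared `${asterisk_default_mailbox_password}` for every mailbox that lacks its own `asterisk_mailbox_<box>_password`, so a single default PIN — constrained only by `minpassword=4` and `maxlogins=3` per call — opens every such mailbox. If per-mailbox PINs are meant to be mandatory, `\${asterisk_mailbox_${mailbox}_password:?}` makes the render fail on a missing one; if a shared default is deliberate, a comment above the `[default]` loop stating that would stop the next reader from assuming each box has a distinct PIN.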
@@ -0,0 +1,31 @@ +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param PATH_INFO $fastcgi_path_info; +fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $host; +fastcgi_param REMOTE_USER $remote_user if_not_empty; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; + +# Protect against HTTPoxy vuln +fastcgi_param HTTP_PROXY ""; diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common index 1da7c3c..98ff9f9 100644 --- a/files/usr/local/etc/nginx/nginx.conf.common +++ b/files/usr/local/etc/nginx/nginx.conf.common 
@@ -33,8 +33,22 @@ http { ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; +$(if [ "${nginx_public:-}" = true ]; then < + AllowIRC = false + AllowWeb = true + IPv4 = true + IPv6 = false + Host = 127.0.0.1 + Port = ${znc_http_port} + SSL = false + + + + AllowIRC = true + AllowWeb = false + IPv4 = true + IPv6 = true + Port = ${znc_irc_port} + SSL = true + + + + Admin = true + Nick = znc_admin + AltNick = znc_admin_ + Ident = znc_admin + RealName = ZNC Administrator + + + Hash = :: + Method = MD5 + Salt = :: + + + + + Admin = false + Nick = znc_user + AltNick = znc_user_ + Ident = znc_user + RealName = ZNC User + MaxNetworks = ${znc_max_networks} + LoadModule = chansaver + + + Hash = :: + Method = MD5 + Salt = :: + + diff --git a/files/usr/local/etc/znc/moddata/cyrusauth/.registry.znc_server b/files/usr/local/etc/znc/moddata/cyrusauth/.registry.znc_server new file mode 100644 index 0000000..539fee0 --- /dev/null +++ b/files/usr/local/etc/znc/moddata/cyrusauth/.registry.znc_server @@ -0,0 +1,2 @@ +CloneUser ${znc_clone_user} +CreateUser yes diff --git a/files/usr/local/lib/sasl2/znc.conf.znc_server b/files/usr/local/lib/sasl2/znc.conf.znc_server new file mode 100644 index 0000000..f272cc7 --- /dev/null +++ b/files/usr/local/lib/sasl2/znc.conf.znc_server @@ -0,0 +1,3 @@ +mech_list: plain login +pwcheck_method: saslauthd +saslauthd_path: ${saslauthd_runtime_dir}/mux diff --git a/files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server b/files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server index e09674a..b5b0d2d 100644 --- a/files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server +++ b/files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server 
@@ -1,7 +1,11 @@ #!/bin/sh -exec /usr/local/bin/rspamc \\ - --connect="${rspamd_host}.${domain}" \\ - --password="${rspamd_rw_password}" \\ - --key="${rspamd_pubkey}" \\ +set -e + +. /usr/local/etc/dovecot/rspamd.conf.sh + +exec /usr/local/bin/rspamc \ + --connect="$RSPAMD_HOST" \ + --password="$RSPAMD_PASSWORD" \ + --key="$RSPAMD_KEY" \ learn_ham diff --git a/files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server b/files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server index 825113f..ec46319 100644 --- a/files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server +++ b/files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server @@ -1,7 +1,11 @@ #!/bin/sh -exec /usr/local/bin/rspamc \\ - --connect="${rspamd_host}.${domain}" \\ - --password="${rspamd_rw_password}" \\ - --key="${rspamd_pubkey}" \\ +set -e + +. /usr/local/etc/dovecot/rspamd.conf.sh + +exec /usr/local/bin/rspamc \ + --connect="$RSPAMD_HOST" \ + --password="$RSPAMD_PASSWORD" \ + --key="$RSPAMD_KEY" \ learn_spam diff --git a/files/usr/local/libexec/idm-ssh-authorized-keys.common b/files/usr/local/libexec/idm-ssh-authorized-keys.common index 89d2f20..ef7ba3c 100644 --- a/files/usr/local/libexec/idm-ssh-authorized-keys.common +++ b/files/usr/local/libexec/idm-ssh-authorized-keys.common @@ -7,7 +7,7 @@ use Net::LDAP; use Net::LDAP::Util qw(escape_filter_value); use Authen::SASL; -open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or quit($!); +open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or die($!); my %config; while (<$fh>) { chomp; 
@@ -18,9 +18,9 @@ while (<$fh>) { } close($fh); -my $mech = $config{SASL_MECH} // 'GSSAPI'; -my $uri = $config{URI} // quit('URI not specified'); -my $basedn = $config{USERS_BASE} // quit('USERS_BASE not specified'); +my $mech = $config{SASL_MECH} // 'GSSAPI'; +my $uri = $config{URI} // die("URI not specified\n"); +my $basedn = $config{USERS_BASE} // die("USERS_BASE not specified\n"); @ARGV == 1 or die "usage: $0 USERNAME\n"; my $username = $ARGV[0]; diff --git a/files/usr/local/libexec/idm-ssh-known-hosts.common b/files/usr/local/libexec/idm-ssh-known-hosts.common index 5b784d6..3bbcf65 100644 --- a/files/usr/local/libexec/idm-ssh-known-hosts.common +++ b/files/usr/local/libexec/idm-ssh-known-hosts.common @@ -29,8 +29,8 @@ while (<$fh>) { } close($fh); -my $mech = $config{SASL_MECH} // 'GSSAPI'; -my $uri = $config{URI} // quit('URI not specified'); +my $mech = $config{SASL_MECH} // 'GSSAPI'; +my $uri = $config{URI} // quit('URI not specified'); my $basedn = $config{HOSTS_BASE} // quit('HOSTS_BASE not specified'); my $conn = Net::LDAP->new($uri, version => '3') or quit($@); diff --git a/files/usr/local/libexec/prosody-acme-proxy.xmpp_server b/files/usr/local/libexec/prosody-acme-proxy.xmpp_server new file mode 100644 index 0000000..d69017b --- /dev/null +++ b/files/usr/local/libexec/prosody-acme-proxy.xmpp_server 
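Review bot: The `quit` → `die` fix stops at this file: idm-ssh-known-hosts.common, realigned in the same commit, still calls `quit('URI not specified')`, `quit('HOSTS_BASE not specified')` and `quit($@)`. If `quit` is not defined in that script either (the change here suggests it was not defined in this one), every error path there dies with an undefined-subroutine message instead of the intended one; the same `die("URI not specified\n")` form would fix it.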
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# Retrieves ACME certificates from a different host over SFTP.
+# Reloads prosody if any certificates were changed.
+
+set -eu -o pipefail
+
+PROSODY_USER=prosody
+CERT_DIR=/usr/local/etc/prosody/certs
+CHECKSUM_FILE="${CERT_DIR}/certs.md5"
+
+prog=$(basename "$(readlink -f "$0")")
+usage="${prog} [-q] USER@TARGET_HOST DOMAIN..."
+
+usage(){
+ printf 'usage: %s\n' "$usage" 1>&2
+ exit 2
+}
+
+while getopts hq opt; do
+ case $opt in
+ h) usage ;;
+ q) exec 1>/dev/null ;;
+ esac
+done
+shift $((OPTIND - 1))
+
+[ $# -ge 2 ] || usage
+acmeproxy_target=$1; shift
+
+# Get md5 of any existing certificates.
+touch "$CHECKSUM_FILE"
+md5_old=$(cat "$CHECKSUM_FILE")
+
+# Retrieve certs from the proxy host via SFTP.
+{ printf 'lcd %s\n' "$CERT_DIR"
+ printf 'get certs/%s.crt\n' "$@"
+ printf 'get certs/%s.key\n' "$@"
+ printf 'quit\n'
+} | sftp -b - "$acmeproxy_target"
+
+# Get md5 of the new certificates.
+md5_new=$(md5sum "$CERT_DIR"/*.crt "$CERT_DIR"/*.key | tee "$CHECKSUM_FILE")
+
+# If any certificates differ, reload prosody.
+if [ "$md5_old" != "$md5_new" ]; then
+ if prosodyctl status >/dev/null 2>&1; then
+ prosodyctl reload
+ else
+ echo 'prosody not running, not reloading'
+ fi
+else
+ echo 'certificates unchanged'
+fi
diff --git a/files/usr/local/libexec/prosody-update-roster.xmpp_server b/files/usr/local/libexec/prosody-update-roster.xmpp_server
new file mode 100644
index 0000000..1b79747
--- /dev/null
+++ b/files/usr/local/libexec/prosody-update-roster.xmpp_server
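Review bot: `PROSODY_USER=prosody` is assigned but never used, so nothing in the script sets the owner or mode of the `*.key` files that `sftp` drops into `$CERT_DIR`; they get whatever sftp and the caller's umask produce, yet they are private keys that prosody must read and nobody else should. Presumably a post-transfer step was intended, e.g. `chown "$PROSODY_USER" "$CERT_DIR"/*.key && chmod 0600 "$CERT_DIR"/*.key` before the `md5_new=` line. Separately, the `case $opt in` has no `?)` arm, so an unknown option only prints the getopts warning and execution continues; `*) usage ;;` closes that gap.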
@@ -0,0 +1,47 @@
+#!/usr/local/bin/perl
+
+use strict;
+use warnings;
+
+use Net::LDAP;
+use Authen::SASL;
+
+@ARGV == 1 or die "usage: $0 ROLE_NAME\n";
+my $role = $ARGV[0];
+
+open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or quit($!);
+my %config;
+while (<$fh>) {
+ chomp;
+ next if /^#/;
+ my @pair = split(' ', $_, 2);
+ next unless (@pair == 2);
+ $config{$pair[0]} = $pair[1];
+}
+close($fh);
+
+my $mech = $config{SASL_MECH} // 'GSSAPI';
+my $uri = $config{URI} // die("URI not specified\n");
+my $users_basedn = $config{USERS_BASE} // die("USERS_BASE not specified\n");
+my $roles_basedn = $config{ROLES_BASE} // die("ROLES_BASE not specified\n");
+
+my $conn = Net::LDAP->new($ldap_uris, version => '3') or die "$@";
+my $sasl = Authen::SASL->new($mech);
+my $status = $conn->bind(sasl => $sasl);
+$status->code and die $status->error;
+
+my $search = $conn->search(
+ scope => 'sub',
+ base => $users_basedn,
+ filter => "(&(memberOf=cn=$role,$roles_basedn)(mailAddress=*))",
+ attrs => ['mailAddress', 'cn']);
+
+print "[Internal]\n";
+
+foreach my $entry ($search->entries) {
+ my $jid = ($entry->get_value('mailAddress'))[0];
+ my $cn = ($entry->get_value('cn'))[0] // $jid;
+ print "$jid=$cn\n";
+}
+
+system('prosodyctl reload');
diff --git a/files/usr/local/www/davical/config/administration.yml.dav_server b/files/usr/local/www/davical/config/administration.yml.dav_server
new file mode 100644
index 0000000..fdd5da2
--- /dev/null
+++ b/files/usr/local/www/davical/config/administration.yml.dav_server
@@ -0,0 +1,4 @@
+admin_db_user: ${boxconf_username}
+admin_db_host: ${davical_dbhost}
+admin_db_name: ${davical_dbname}
+app_db_user: '"${davical_username}"'
diff --git a/files/usr/local/www/davical/config/config.php.dav_server b/files/usr/local/www/davical/config/config.php.dav_server
new file mode 100644
index 0000000..ec2cb26
--- /dev/null
+++ b/files/usr/local/www/davical/config/config.php.dav_server
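Review bot: `Net::LDAP->new($ldap_uris, version => '3')` references `$ldap_uris`, which is never declared; under `use strict` that is a compile-time error, and the value parsed from ldap.conf lives in `$uri`, so the line should read `my $conn = Net::LDAP->new($uri, version => '3') or die "$@";`. The `open ... or quit($!)` line calls a `quit` this file does not define (the sibling idm-ssh-authorized-keys.common swaps it for `die` in this same commit), so a failed open dies with an undefined-subroutine error; `or die "$!\n"` matches the rest of the file. `$role` is interpolated into the search filter unescaped; it is a command-line argument rather than remote input, but passing it through `escape_filter_value` from Net::LDAP::Util, as the ssh helper scripts already do, keeps a stray `)` or `*` from altering the query.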
@@ -0,0 +1,49 @@ +pg_connect[] = 'dbname=${davical_dbname} user=${davical_username} host=${davical_dbhost}'; +\$c->admin_email = '${davical_admin_email}'; + +\$c->restrict_setup_to_admin = true; + +\$c->home_calendar_name = 'calendar'; +\$c->home_addressbook_name = 'addressbook'; +\$c->default_privileges = array('read-free-busy', 'schedule-deliver'); +\$c->external_refresh = 60; +\$c->default_locale = 'en'; +\$c->allow_get_email_visibility = true; + +\$c->trust_x_forwarded = true; + +\$c->authenticate_hook['call'] = 'LDAP_check'; +\$c->authenticate_hook['config'] = array( + 'uri' => '${ldap_uri}', + 'host' => '${ldap_hosts}', + 'port' => '389', + 'sasl' => 'yes', + 'sasl_mech' => 'GSSAPI', + 'baseDNUsers' => '${users_basedn}', + 'baseDNGroups' => '${groups_basedn}', + 'scope' => 'onelevel', + 'protocolVersion' => 3, + 'optReferrals' => 0, + 'filterUsers' => '(memberOf=cn=${davical_access_role},${roles_basedn})', + 'filterGroups' => '(objectclass=groupOfMembers)', + 'mapping_field' => array('username' => 'uid', + 'modified' => 'modifyTimestamp', + 'fullname' => 'cn', + 'email' => 'mailAddress'), + 'group_mapping_field' => array('name' => 'cn', + 'fullname' => 'cn', + 'modified' => 'modifyTimestamp', + 'email' => 'mailAddress', + 'members' => 'member'), + 'group_member_dnfix' => true, + 'default_value' => array('date_format_type' => 'I','locale' => 'en'), + 'format_updated' => array('Y' => array(0,4), + 'm' => array(4,2), + 'd' => array(6,2), + 'H' => array(8,2), + 'M' => array(10,2), + 'S' => array(12,2)), + 'i_use_mode_kerberos' => 'i_know_what_i_am_doing', +); +include_once('drivers_ldap.php'); diff --git a/files/usr/local/www/tt-rss/config.php.ttrss_server b/files/usr/local/www/tt-rss/config.php.ttrss_server new file mode 100644 index 0000000..3598ef2 --- /dev/null +++ b/files/usr/local/www/tt-rss/config.php.ttrss_server 
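Review bot: `\$c->trust_x_forwarded = true;` makes DAViCal take the client address and scheme from `X-Forwarded-*` request headers, which is only safe if php-fpm is reachable solely through the nginx vhost that sets them; the vhosts.conf.dav_server and php-fpm.d/davical.conf files that would establish that are part of this commit but not visible in this hunk. A comment beside it, `// relies on php-fpm being reachable only via the local nginx proxy`, would record the assumption for whoever next changes the listener. The hunk's first line appears truncated in rendering (`+pg_connect[]` is missing its `\$c->` prefix and the opening `<?php` line).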
@@ -0,0 +1,28 @@ +add_hook($host::HOOK_AUTH_USER, $this); + + Config::add(self::AUTH_IDM_URI, '', Config::T_STRING); + Config::add(self::AUTH_IDM_STARTTLS, false, Config::T_BOOL); + Config::add(self::AUTH_IDM_BASEDN, '', Config::T_STRING); + Config::add(self::AUTH_IDM_SCOPE, 'sub', Config::T_STRING); + Config::add(self::AUTH_IDM_FILTER, '', Config::T_STRING); + Config::add(self::AUTH_IDM_ADMIN_FILTER, '', Config::T_STRING); + Config::add(self::AUTH_IDM_USERNAME_ATTR, 'uid', Config::T_STRING); + Config::add(self::AUTH_IDM_FULLNAME_ATTR, 'cn', Config::T_STRING); + Config::add(self::AUTH_IDM_EMAIL_ATTR, 'mail', Config::T_STRING); + } + + private function ldap_get_user($username, $filter = null) { + switch ($this->scope) { + case 'sub': + $searchfunc = 'ldap_search'; break; + case 'one': + $searchfunc = 'ldap_list'; break; + case 'base': + $searchfunc = 'ldap_read'; break; + default: + Logger::log(E_USER_ERROR, "auth_idm: invalid search scope: $scope"); + return null; + } + + $uid_filter = '(' + . ldap_escape($this->username_attr, '', LDAP_ESCAPE_FILTER) + . '=' + . ldap_escape($username, '', LDAP_ESCAPE_FILTER) + . 
')'; + + if (empty($filter)) { + $filter = $uid_filter; + } else { + $filter = "(&$filter$uid_filter)"; + } + + $results = $searchfunc($this->conn, $this->basedn, $filter, [$this->fullname_attr, $this->email_attr]); + if ($results && ldap_count_entries($this->conn, $results) == 1) { + if ($entry = ldap_first_entry($this->conn, $results)) { + if ($dn = ldap_get_dn($this->conn, $entry)) { + if ($attrs = ldap_get_attributes($this->conn, $entry)) { + return array( + 'dn' => $dn, + 'email' => $attrs[$this->email_attr][0], + 'fullname' => $attrs[$this->fullname_attr][0] + ); + } + } + } + } + return null; + } + + function authenticate($username = null, $password = null, $service = '') { + $this->basedn = Config::get(self::AUTH_IDM_BASEDN); + $this->scope = Config::get(self::AUTH_IDM_SCOPE); + $this->username_attr = Config::get(self::AUTH_IDM_USERNAME_ATTR); + $this->fullname_attr = Config::get(self::AUTH_IDM_FULLNAME_ATTR); + $this->email_attr = Config::get(self::AUTH_IDM_EMAIL_ATTR); + $uri = Config::get(self::AUTH_IDM_URI); + $starttls = Config::get(self::AUTH_IDM_STARTTLS); + $filter = Config::get(self::AUTH_IDM_FILTER); + $admin_filter = Config::get(self::AUTH_IDM_ADMIN_FILTER); + + // Get ldap connection handle. + if (!$this->conn = ldap_connect($uri)) { + return false; + } + + // Set protocol version 3. + if (!ldap_set_option($this->conn, LDAP_OPT_PROTOCOL_VERSION, 3)) { + return false; + } + + // Bind using kerberos credentials from the environment. + if (!ldap_sasl_bind($this->conn, null, null, 'GSSAPI')) { + return false; + } + + // Initiate STARTTLS (if requested) + if ($starttls and !ldap_start_tls($this->conn)) { + return false; + } + + // If REMOTE_USER was set by the webserver, use that. + if (!empty($_SERVER['REMOTE_USER'])) { + $username = $_SERVER['REMOTE_USER']; + } elseif (empty($username)) { + return false; + } + + $is_admin = false; + $user = null; + + // First, check if the ADIN_FILTER matches (if set). 
+ if (!empty($admin_filter)) { + $user = $this->ldap_get_user($username, $admin_filter); + isset($user) && $is_admin = true; + } + + // If ADMIN_FILTER didn't match, try FILTER. + if (!isset($user)) { + $user = $this->ldap_get_user($username, $filter); + } + + // If no matching user from LDAP, reject. + if (!isset($user)) { + return false; + } + + // If webserver didn't validate the password, try an LDAP bind with the provided creds. + if (empty($_SERVER['REMOTE_USER']) and !ldap_bind($this->conn, $user['dn'], $password)) { + return false; + } + + // Get the TTRSS internal user ID. + if (!($userid = $this->auto_create_user($username))) { + return false; + } + + // Populate user details using the LDAP attributes. + if (Config::get(Config::AUTH_AUTO_CREATE)) { + if (!empty($user['fullname'])) { + $sth = $this->pdo->prepare('UPDATE ttrss_users SET full_name = ? WHERE id = ?'); + $sth->execute([$user['fullname'], $userid]); + } + + if (!empty($user['email'])) { + $sth = $this->pdo->prepare('UPDATE ttrss_users SET email = ? WHERE id = ?'); + $sth->execute([$user['email'], $userid]); + } + + $sth = $this->pdo->prepare('UPDATE ttrss_users SET access_level = ? WHERE id = ?'); + $sth->execute([$is_admin ? 10 : 0, $userid]); + } + + return $userid; + } + + function api_version() { + return 2; + } +} -- cgit v1.2.3
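Review bot: The credential check at `if (empty($_SERVER['REMOTE_USER']) and !ldap_bind($this->conn, $user['dn'], $password))` hands an unvalidated `$password` to a simple bind; with a null or empty password several directory servers treat the bind as unauthenticated and return success (RFC 4513 §5.1.2), so the login-form path could accept a known username with no password at all. Reject that case before binding: `if (empty($_SERVER['REMOTE_USER']) and ($password === null || $password === '' || !ldap_bind($this->conn, $user['dn'], $password))) { return false; }`. In `ldap_get_user` the `default:` branch logs `$scope`, which is undefined in that method; it should be `$this->scope`. `ldap_start_tls` is issued after the GSSAPI `ldap_sasl_bind`; StartTLS is normally sent before any bind and some servers refuse it once a SASL security layer is active, so consider moving it directly after the `LDAP_OPT_PROTOCOL_VERSION` call. The class declaration and the start of `init()` lie outside the visible hunk.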