From f9301e0fe52313581920026a186955c78fcbe831 Mon Sep 17 00:00:00 2001
From: Cullum Smith
Date: Tue, 22 Oct 2024 22:01:49 -0400
Subject: zfs autosnapshots, syncthing, pam cleanup

---
 scripts/hostclass/nfs_server | 50 -------------------------
 scripts/hostclass/nfs_server/10-nfs | 50 +++++++++++++++++++++++++
 scripts/hostclass/nfs_server/20-syncthing | 61 +++++++++++++++++++++++++++++++
 3 files changed, 111 insertions(+), 50 deletions(-)
 delete mode 100644 scripts/hostclass/nfs_server
 create mode 100644 scripts/hostclass/nfs_server/10-nfs
 create mode 100644 scripts/hostclass/nfs_server/20-syncthing
(limited to 'scripts/hostclass/nfs_server')
diff --git a/scripts/hostclass/nfs_server b/scripts/hostclass/nfs_server
deleted file mode 100644
index a775859..0000000
--- a/scripts/hostclass/nfs_server
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/sh
-
-# Jails serving NFS need 'allow.nfsd' option.
-
-: ${nfsuserd_cache_size:='256'}
-: ${nfsuserd_num_servers:='4'}
-: ${nfsuserd_cache_timeout:='1'}
-: ${nfsd_srvmaxio:='1048576'}
-
-nfs_root=/share
-nfs_dataset="${state_dataset}/nfs"
-
-# Create ZFS dataset for NFS share.
-create_dataset -o "mountpoint=${nfs_root}" "${nfs_dataset}"
-
-# Allow NFSv4 ACLs to propagate.
-zfs set aclinherit=passthrough aclmode=passthrough "$nfs_dataset"
-
-# Create nfs service principal and keytab.
-add_principal -nokey -x "containerdn=${services_basedn}" "nfs/${fqdn}"
-ktadd -k "${keytab_dir}/host.keytab" "nfs/${fqdn}"
-
-if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then
- set_sysctl \
- vfs.nfsd.issue_delegations=1 \
- vfs.nfsd.enable_locallocks=0
-fi
-
-sysrc -v \
- nfs_server_managegids=YES \
- nfsuserd_enable=YES \
- nfsuserd_flags="-usermax ${nfsuserd_cache_size} -usertimeout ${nfsuserd_cache_timeout} ${nfsuserd_num_servers}" \
- gssd_enable=YES \
- nfs_server_enable=YES \
- nfs_server_flags='-t' \
- nfs_server_maxio="$nfsd_srvmaxio" \
- nfsv4_server_only=YES \
- mountd_enable=YES \
- mountd_flags='-R -S'
-
-# Our krb5.conf assumes MIT Kerberos, but the gssd in base uses the base
-# Heimdal kerberos, which doesnt support %{euid} expansion. So we must
-# override the keytab path with an environment variable.
-sysrc -v gssd_env="KRB5_KTNAME=${keytab_dir}/host.keytab"
-
-install_template -m 0644 /etc/exports
-
-for service in gssd nfsuserd mountd nfsd; do
- service "$service" status || service "$service" start
-done
diff --git a/scripts/hostclass/nfs_server/10-nfs b/scripts/hostclass/nfs_server/10-nfs
new file mode 100644
index 0000000..a775859
--- /dev/null
+++ b/scripts/hostclass/nfs_server/10-nfs
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Jails serving NFS need 'allow.nfsd' option.
+
+: ${nfsuserd_cache_size:='256'}
+: ${nfsuserd_num_servers:='4'}
+: ${nfsuserd_cache_timeout:='1'}
+: ${nfsd_srvmaxio:='1048576'}
+
+nfs_root=/share
+nfs_dataset="${state_dataset}/nfs"
+
+# Create ZFS dataset for NFS share.
+create_dataset -o "mountpoint=${nfs_root}" "${nfs_dataset}"
+
+# Allow NFSv4 ACLs to propagate.
+zfs set aclinherit=passthrough aclmode=passthrough "$nfs_dataset"
+
+# Create nfs service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "nfs/${fqdn}"
+ktadd -k "${keytab_dir}/host.keytab" "nfs/${fqdn}"
+
+if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then
+ set_sysctl \
+ vfs.nfsd.issue_delegations=1 \
+ vfs.nfsd.enable_locallocks=0
+fi
+
+sysrc -v \
+ nfs_server_managegids=YES \
+ nfsuserd_enable=YES \
+ nfsuserd_flags="-usermax ${nfsuserd_cache_size} -usertimeout ${nfsuserd_cache_timeout} ${nfsuserd_num_servers}" \
+ gssd_enable=YES \
+ nfs_server_enable=YES \
+ nfs_server_flags='-t' \
+ nfs_server_maxio="$nfsd_srvmaxio" \
+ nfsv4_server_only=YES \
+ mountd_enable=YES \
+ mountd_flags='-R -S'
+
+# Our krb5.conf assumes MIT Kerberos, but the gssd in base uses the base
+# Heimdal kerberos, which doesnt support %{euid} expansion. So we must
+# override the keytab path with an environment variable.
+sysrc -v gssd_env="KRB5_KTNAME=${keytab_dir}/host.keytab"
+
+install_template -m 0644 /etc/exports
+
+for service in gssd nfsuserd mountd nfsd; do
+ service "$service" status || service "$service" start
+done
diff --git a/scripts/hostclass/nfs_server/20-syncthing b/scripts/hostclass/nfs_server/20-syncthing
new file mode 100644
index 0000000..095b55c
--- /dev/null
+++ b/scripts/hostclass/nfs_server/20-syncthing
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+# syncthing_users='user1 user2'
+# syncthing_user1_port=22000
+# syncthing_user2_port=22001
+
+if [ -z "${syncthing_users:-}" ]; then
+ return 0
+fi
+
+syncthing_https_cert="${nginx_conf_dir}/syncthing.crt"
+syncthing_https_key="${nginx_conf_dir}/syncthing.key"
+syncthing_conf_dir=/var/db/syncthing
+nginx_keytab="${keytab_dir}/nginx.keytab"
+
+pkg install -y \
+ syncthing \
+ nginx
+
+# Create ZFS dataset for syncthing configuration.
+create_dataset -o "mountpoint=$syncthing_conf_dir" "${state_dataset}/syncthing"
+zfs set \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${state_dataset}/syncthing"
+install_directory -m 0755 "$syncthing_conf_dir"
+
+# Copy syncthing_user rc script.
+install_file -m 0644 /usr/local/etc/syncthing.template.xml
+install_file -m 0555 /usr/local/etc/rc.d/syncthing_user
+
+# Generate nginx configuration.
+install_template -m 0644 \
+ /usr/local/etc/nginx/nginx.conf \
+ /usr/local/etc/nginx/vhosts.conf
+
+# Create HTTP service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "HTTP/${fqdn}"
+
+ktadd -k "$nginx_keytab" "HTTP/${fqdn}"
+chgrp "$nginx_user" "$nginx_keytab"
+chmod 640 "$nginx_keytab"
+
+# Copy TLS certificate for nginx.
+install_certificate nginx "$syncthing_https_cert"
+install_certificate_key nginx "$syncthing_https_key"
+
+# Enable and start daemons.
+sysrc -v nginx_enable=YES
+service nginx restart
+
+sysrc -v \
+ syncthing_user_enable=YES \
+ "syncthing_user_instances+=${syncthing_users}"
+
+for user in $syncthing_users; do
+ eval "port=\$syncthing_${user}_port"
+ sysrc -v "syncthing_user_${user}_port=${port}"
+done
+
+service syncthing_user restart
-- 
cgit v1.2.3
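Review bot: The `eval "port=\$syncthing_${user}_port"` in the final loop of 20-syncthing splices each word of `syncthing_users` into shell source, so a user name containing shell metacharacters is executed rather than looked up, and an unset per-user port silently becomes an empty `syncthing_user_<user>_port=` in rc.conf before `service syncthing_user restart` runs. The values come from the host's own configuration rather than a remote source, so this is a robustness and defence-in-depth issue rather than an exposed injection point; still, restricting the name to `[A-Za-z0-9_]` before the eval (the only characters that can form a variable name anyway) and refusing an empty port keeps a typo in `syncthing_users` or a missing `syncthing_<user>_port` from producing an instance with no listener. The script starts with `return 0`, so it is presumably sourced by the framework, and `return 1` rather than `exit 1` is the matching way to abort; the loop is the last statement before the restart, so failing there leaves the nginx setup above untouched and does not restart syncthing with a half-written configuration.
```shell
for user in $syncthing_users; do
  case "$user" in
    *[!A-Za-z0-9_]*)
      printf 'invalid syncthing user name: %s\n' "$user" >&2
      return 1
      ;;
  esac
  eval "port=\${syncthing_${user}_port:-}"
  if [ -z "$port" ]; then
    printf 'syncthing_%s_port is not set\n' "$user" >&2
    return 1
  fi
  sysrc -v "syncthing_user_${user}_port=${port}"
done
```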