From cbcd022f302adc39ecb89fba6faf72e68184c0e0 Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Fri, 2 Aug 2024 19:10:39 -0400
Subject: halfway working idm server and laptop hostclasses

---
 scripts/hostclass/desktop                          |  98 ++++++++++++
 scripts/hostclass/idm_server/10-slapd              | 165 +++++++++++++++++++++
 scripts/hostclass/idm_server/20-powerdns           | 114 ++++++++++++++
 scripts/hostclass/idm_server/30-kdc                |  12 ++
 scripts/hostclass/idm_server/90-idm                |   9 ++
 scripts/hostclass/laptop                           |  15 ++
 scripts/hostclass/pkg_repository                   |   6 +-
 scripts/hostclass/roadwarrior_laptop/10-desktop    |   1 +
 scripts/hostclass/roadwarrior_laptop/20-laptop     |   1 +
 .../hostclass/roadwarrior_laptop/30-roadwarrior    |   6 +
 10 files changed, 426 insertions(+), 1 deletion(-)
 create mode 100644 scripts/hostclass/desktop
 create mode 100644 scripts/hostclass/idm_server/10-slapd
 create mode 100644 scripts/hostclass/idm_server/20-powerdns
 create mode 100644 scripts/hostclass/idm_server/30-kdc
 create mode 100644 scripts/hostclass/idm_server/90-idm
 create mode 100644 scripts/hostclass/laptop
 create mode 120000 scripts/hostclass/roadwarrior_laptop/10-desktop
 create mode 120000 scripts/hostclass/roadwarrior_laptop/20-laptop
 create mode 100644 scripts/hostclass/roadwarrior_laptop/30-roadwarrior

(limited to 'scripts/hostclass')

diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop
new file mode 100644
index 0000000..d90081e
--- /dev/null
+++ b/scripts/hostclass/desktop
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+load_kernel_module linux linux64 acpi_ibm
+
+pkg install -y \
+  chromium \
+  compton \
+  dino \
+  dmenu \
+  eclipse \
+  firefox \
+  git \
+  krb5 \
+  i3 \
+  libreoffice \
+  libva-intel-media-driver \
+  networkmgr \
+  py${python_version}-pip  \
+  stow \
+  terminus-font \
+  terminus-ttf \
+  tmux \
+  tree \
+  wireguard-tools \
+  xfontsel \
+  xidle \
+  xorg \
+  xterm
+
+case $desktop_type in
+  i3)
+    pkg install \
+      i3 \
+      i3lock \
+      i3status
+    ;;
+  kde)
+    pkg install \
+      juk \
+      k3b \
+      kde5 \
+      kid3-qt6 \
+      kmix \
+      konversation \
+      sddm
+    ;;
+esac
+
+set_sysctl \
+  net.local.stream.recvspace=65536 \
+  net.local.stream.sendspace=65536 \
+  kern.sched.preempt_thresh=224 \
+  vfs.usermount=1 \
+  hw.snd.latency=7
+
+set_loader_conf \
+  kern.ipc.shmseg=1024 \
+  kern.ipc.shmmni=1024 \
+  kern.maxproc=100000 \
+  linux_load=YES \
+  linux64_load=YES \
+  acpi_ibm_load=YES \
+  compat.linuxkpi.i915_enable_dc=2 \
+  compat.linuxkpi.i915_enable_fbc=1 \
+  compat.linuxkpi.i915_fastboot=1 \
+  compat.linuxkpi.i915_disable_power_well=1 \
+  machdep.hwpstate_pkg_ctrl=0 \
+  vfs.zfs.txg.timeout=10 \
+  hw.pci.do_power_nodriver=3
+
+# Create policy file for firefox.
+install_directory -m 0755 /usr/local/lib/firefox/distribution
+install_template -m 0644  /usr/local/lib/firefox/distribution/policies.json
+
+# Create policy file for chromium.
+install_directory -m 0755 \
+  /usr/local/etc/chromium/policies \
+  /usr/local/etc/chromium/policies/managed
+install_template -m 0644 /usr/local/etc/chromium/policies/managed/policies.json
+
+# Configure libreoffice
+install_file -m 0644 /usr/local/lib/libreoffice/program/sofficerc
+
+# Add terminus font to X11
+install_file -m 0644 /usr/local/etc/X11/xorg.conf.d/terminus.conf
+
+# Enable dbus.
+sysrc -v dbus_enable=YES
+service dbus status || service dbus start
+
+# Configure graphics drivers.
+case $graphics_type in
+  intel)
+    pkg install -y drm-kmod
+    sysrc -v kld_list+=i915kms
+    load_kernel_module i915kms
+    ;;
+esac
diff --git a/scripts/hostclass/idm_server/10-slapd b/scripts/hostclass/idm_server/10-slapd
new file mode 100644
index 0000000..dc52a58
--- /dev/null
+++ b/scripts/hostclass/idm_server/10-slapd
@@ -0,0 +1,165 @@
+#!/bin/sh
+
+: ${slapd_root_dn:='cn=admin'}
+: ${slapd_replicator_dn:="cn=replicator,${basedn}"}
+: ${slapd_result_size_limit:='10000'}
+: ${slapd_db_max_size:='1073741824'} # 1 GB
+: ${slapd_accesslog_db_max_size:='134217728'} # 128 MB
+: ${slapd_syncrepl_checkpoint_ops:='100'}
+: ${slapd_syncrepl_checkpoint_minutes:='10'}
+: ${slapd_syncrepl_session_log:='1000'}
+: ${slapd_syncrepl_cleanup_age:='7'}
+: ${slapd_syncrepl_cleanup_interval:='1'}
+
+slapd_user=ldap
+slapd_data_dir=/var/db/openldap-data
+slapd_conf_dir=/usr/local/etc/openldap
+slapd_tls_cert="${slapd_conf_dir}/slapd.crt"
+slapd_tls_key="${slapd_conf_dir}/slapd.key"
+slapd_replicator_tls_cert="${slapd_conf_dir}/replicator.crt"
+slapd_replicator_tls_key="${slapd_conf_dir}/replicator.key"
+slapd_keytab="${keytab_dir}/slapd.keytab"
+
+is_primary_server(){
+  # Return 0 if the current hostname is equal to $idm_primary_server.
+  # If $idm_primary_server is unset, use the first hostname in $idm_server_list.
+  _primary="${idm_primary_server:-$(echo "$idm_server_list" | awk 'NR==1{print $1}')}"
+  test "$BOXCONF_HOSTNAME" = "$_primary"
+}
+
+pkg install -y \
+  openldap26-server \
+  cyrus-sasl-saslauthd
+
+# Create ZFS dataset for OpenLDAP DB.
+create_dataset -o "mountpoint=${slapd_data_dir}" "${state_dataset}/openldap-data"
+
+# Copy TLS certificate for LDAP server.
+install_certificate     -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_cert"
+install_certificate_key -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_key"
+
+# Copy client certificate for LDAP replication.
+install_certificate     -o "$slapd_user" -g "$slapd_user" replicator "$slapd_replicator_tls_cert"
+install_certificate_key -o "$slapd_user" -g "$slapd_user" replicator "$slapd_replicator_tls_key"
+
+# Copy LDIF for the cn=config database.
+install_template -m 0600 "${slapd_conf_dir}/slapd.ldif"
+
+# Copy third-party schema files.
+install_file -m 0644 \
+  "${slapd_conf_dir}/schema/rfc2307bis.ldif" \
+  "${slapd_conf_dir}/schema/kerberos.ldif" \
+  "${slapd_conf_dir}/schema/openssh-lpk.ldif" \
+  "${slapd_conf_dir}/schema/sudo.ldif" \
+  "${slapd_conf_dir}/schema/dnsdomain2.ldif" \
+  "${slapd_conf_dir}/schema/mailservice.ldif"
+
+# Create the directories for the LDAP databases.
+install_directory -m 0770 -o "$slapd_user" -g "$slapd_user" \
+  "${slapd_data_dir}" \
+  "${slapd_data_dir}/accesslog"
+
+# If slapd.d doesn't exist, populate it with slapd.ldif.
+if [ ! -d "${slapd_conf_dir}/slapd.d" ]; then
+  install_directory -m 0700 -o "$slapd_user" "${slapd_conf_dir}/slapd.d"
+  slapadd -v -n0 -F "${slapd_conf_dir}/slapd.d" -l "${slapd_conf_dir}/slapd.ldif"
+  chown -R "${slapd_user}:${slapd_user}" "${slapd_conf_dir}/slapd.d"
+fi
+
+# Enable OpenLDAP in /etc/rc.conf, and start it.
+# Note: whatever LDAP IP you specified in $slapd_server_list must be present in
+# the `-h` argument to slapd. That's how slapd figures out its own server ID.
+sysrc -v \
+  slapd_enable=YES \
+  slapd_cn_config=YES \
+  slapd_flags="-h 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \
+  slapd_sockets="/var/run/openldap/ldapi" \
+  slapd_krb5_ktname="$slapd_keytab"
+
+service slapd restart
+
+# Copy the LDAP client configs.
+install_template -m 0644 "${slapd_conf_dir}/ldap.conf"
+
+# Copy slapd SASL configuration.
+install_template -m 0644 /usr/local/lib/sasl2/slapd.conf
+
+# Allow slapd to read the saslauthd socket.
+install_directory -m 0750 -o "$saslauthd_user" -g "$slapd_user" "$saslauthd_runtime_dir"
+
+# Enable and start saslauthd.
+sysrc -v \
+  saslauthd_flags='-a kerberos5' \
+  saslauthd_enable=YES
+service saslauthd restart
+
+# Create directory tree.
+if is_primary_server; then
+  # dc=example,dc=com
+  ldap_add "$basedn" <<EOF
+objectClass: dcObject
+objectClass: organization
+dc: $(ldap_rdn_value "$basedn")
+o: ${site}
+EOF
+
+  # ou=accounts,dc=example,dc=com
+  ldap_add "$accounts_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$accounts_basedn")
+EOF
+
+  # ou=people,ou=accounts,dc=example,dc=com
+  ldap_add "$people_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$people_basedn")
+EOF
+
+  # ou=robots,ou=accounts,dc=example,dc=com
+  ldap_add "$robots_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$robots_basedn")
+EOF
+
+  # ou=hosts,ou=accounts,dc=example,dc=com
+  ldap_add "$hosts_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$hosts_basedn")
+EOF
+
+  # ou=services,ou=accounts,dc=example,dc=com
+  ldap_add "$services_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$services_basedn")
+EOF
+
+  # ou=groups,ou=accounts,dc=example,dc=com
+  ldap_add "$groups_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$groups_basedn")
+EOF
+
+  # ou=userprivate,ou=groups,ou=accounts,dc=example,dc=com
+  ldap_add "$private_groups_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$private_groups_basedn")
+EOF
+
+  # ou=roles,ou=groups,ou=accounts,dc=example,dc=com
+  ldap_add "$roles_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$roles_basedn")
+EOF
+
+  # ou=automount,dc=example,dc=com
+  ldap_add "$automount_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$automount_basedn")
+EOF
+
+  # ou=sudo,dc=example,dc=com
+  ldap_add "$sudo_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$sudo_basedn")
+EOF
+fi
diff --git a/scripts/hostclass/idm_server/20-powerdns b/scripts/hostclass/idm_server/20-powerdns
new file mode 100644
index 0000000..4d42ee9
--- /dev/null
+++ b/scripts/hostclass/idm_server/20-powerdns
@@ -0,0 +1,114 @@
+#!/bin/sh
+
+: ${pdns_port:='1053'}
+: ${pdns_distributor_threads:='3'}
+: ${pdns_receiver_threads:="$nproc"}
+: ${pdns_allow_axfr_ips:='127.0.0.1/8'}
+: ${pdns_cache_ttl:='30'}
+: ${pdns_query_cache_ttl:='20'}
+: ${pdns_negquery_cache_ttl:='60'}
+
+pdns_conf_dir=/usr/local/etc/pdns
+pdns_runtime_dir=/var/run/pdns
+pdns_soa_record="sOARecord: ${fqdn} root.${domain} 0 10800 3600 604800 3600"
+pdns_ns_records=$(printf "nSRecord: %s.${domain}\n" $idm_hostnames)
+pdns_user=pdns
+
+# Install PowerDNS.
+pkg install -y powerdns
+
+# Generate PowerDNS configuration.
+install_template -m 0644 "${pdns_conf_dir}/pdns.conf"
+
+# Enable PowerDNS and start it.
+sysrc -v pdns_enable=YES
+service pdns restart
+
+# Create initial IDM DNS records.
+if is_primary_server; then
+  # ou=dns,dc=example,dc=com
+  ldap_add "$dns_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$dns_basedn")
+EOF
+
+  # Forward DNS zone
+  # dc=idm.example.com,ou=dns,dc=example,dc=com
+  ldap_add "dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain
+objectClass: domainRelatedObject
+dc: ${domain}
+${pdns_soa_record}
+${pdns_ns_records}
+$(echo "$idm_server_list" | awk '{print "aRecord: "$2}')
+associatedDomain: ${domain}
+EOF
+
+  # Reverse DNS zone(s)
+  # dc=0.168.192.in-addr.arpa,ou=dns,dc=example.com
+  for zone in $reverse_dns_zones; do
+    ldap_add "dc=${zone},${dns_basedn}" <<EOF
+objectClass: dNSDomain
+objectClass: domainRelatedObject
+${pdns_soa_record}
+${pdns_ns_records}
+associatedDomain: ${zone}
+EOF
+  done
+
+  # LDAP SRV record
+  ldap_add "dc=_ldap._tcp,dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain2
+objectClass: domainRelatedObject
+associatedDomain: _ldap._tcp.${domain}
+$(printf "sRVRecord: 0 100 389 %s.${domain}\n" ${idm_hostnames})
+EOF
+
+  # LDAPS SRV record
+  ldap_add "dc=_ldaps._tcp,dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain2
+objectClass: domainRelatedObject
+associatedDomain: _ldaps._tcp.${domain}
+$(printf "sRVRecord: 0 100 636 %s.${domain}\n" ${idm_hostnames})
+EOF
+
+  # Kerberos SRV record (UDP)
+  ldap_add "dc=_kerberos._udp,dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain2
+objectClass: domainRelatedObject
+associatedDomain: _kerberos._udp.${domain}
+$(printf "sRVRecord: 0 100 88 %s.${domain}\n" ${idm_hostnames})
+EOF
+
+  # Kerberos SRV record (TCP)
+  ldap_add "dc=_kerberos._tcp,dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain2
+objectClass: domainRelatedObject
+associatedDomain: _kerberos._tcp.${domain}
+$(printf "sRVRecord: 0 100 88 %s.${domain}\n" ${idm_hostnames})
+EOF
+
+  # Kadmin SRV record
+  ldap_add "dc=_kerberos-adm._tcp,dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain2
+objectClass: domainRelatedObject
+associatedDomain: _kerberos-adm._tcp.${domain}
+$(printf "sRVRecord: 0 100 749 %s.${domain}\n" ${idm_hostnames})
+EOF
+
+  # Kpasswd SRV record
+  ldap_add "dc=_kpasswd._udp,dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain2
+objectClass: domainRelatedObject
+associatedDomain: _kpasswd._udp.${domain}
+$(printf "sRVRecord: 0 100 464 %s.${domain}\n" ${idm_hostnames})
+EOF
+
+  # Kerberos realm TXT record
+  ldap_add "dc=_kerberos,dc=${domain},${dns_basedn}" <<EOF
+objectClass: dNSDomain2
+objectClass: domainRelatedObject
+associatedDomain: _kerberos.${domain}
+tXTRecord: ${realm}
+EOF
+fi
diff --git a/scripts/hostclass/idm_server/30-kdc b/scripts/hostclass/idm_server/30-kdc
new file mode 100644
index 0000000..4921688
--- /dev/null
+++ b/scripts/hostclass/idm_server/30-kdc
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Install MIT kerberos.
+pkg install -y krb5
+
+if is_primary_server; then
+  # ou=kdc,dc=example,dc=com
+  ldap_add "$kdc_basedn" <<EOF
+objectClass: organizationalUnit
+ou: $(ldap_rdn_value "$dns_basedn")
+EOF
+fi
diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm
new file mode 100644
index 0000000..7881f14
--- /dev/null
+++ b/scripts/hostclass/idm_server/90-idm
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# Create host object for this server
+# Create ldap service principal for this server
+# Create A record
+# Create PTR record
+# Create boxconf user
+# Create sudo rules
+# Create admin group
diff --git a/scripts/hostclass/laptop b/scripts/hostclass/laptop
new file mode 100644
index 0000000..83c7457
--- /dev/null
+++ b/scripts/hostclass/laptop
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Set USB power savings
+usbconfig | awk -F: '{ print $1 }' | xargs -rtn1 -I% usbconfig -d % power_save ||:
+install_file /etc/rc.local
+
+# Create devd rule for lid close.
+install_file -m 0555 /usr/local/libexec/lid-close
+install_file -m 0644 /etc/devd/lid-close.conf
+service devd restart
+
+# Configure wireless card.
+sysrc -v \
+  create_args_wlan0='country US regdomain FCC' \
+  ifconfig_wlan0="WPA DHCP powersave"
diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository
index b86704a..a356b3e 100644
--- a/scripts/hostclass/pkg_repository
+++ b/scripts/hostclass/pkg_repository
@@ -28,7 +28,9 @@ pkg install -y \
 install_template -m 0644 \
   /usr/local/etc/poudriere.conf \
  "${poudriere_conf_dir}/make.conf" \
- "${poudriere_conf_dir}/pkglist"
+ "${poudriere_conf_dir}/idm-make.conf" \
+ "${poudriere_conf_dir}/pkglist" \
+ "${poudriere_conf_dir}/idm-pkglist"
 install_file -m 0400 /usr/local/etc/ssl/repo.key
 install_directory -m 0755 /usr/ports/distfiles
 install_directory -m 0755 -o nobody -g nobody "${poudriere_data_dir}/ccache"
@@ -57,10 +59,12 @@ for version in $poudriere_versions; do
 
   [ -d "${poudriere_data_dir}/jails/${jail}" ] || poudriere jail -c -j "$jail" -v "$version"
   poudriere jail -u -j "$jail"
+  poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/idm-pkglist" -p latest -z idm
   poudriere bulk -v -j "$jail" -f "${poudriere_conf_dir}/pkglist" -p latest
 
   install_directory -m 0755 "${poudriere_data_dir}/data/packages/${abi}"
   ln -snfv "../${jail}-latest" "${poudriere_data_dir}/data/packages/${abi}/latest"
+  ln -snfv "../${jail}-latest-idm" "${poudriere_data_dir}/data/packages/${abi}/latest-idm"
 done
 
 # Clean stale distfiles and logs.
diff --git a/scripts/hostclass/roadwarrior_laptop/10-desktop b/scripts/hostclass/roadwarrior_laptop/10-desktop
new file mode 120000
index 0000000..2c7c348
--- /dev/null
+++ b/scripts/hostclass/roadwarrior_laptop/10-desktop
@@ -0,0 +1 @@
+../desktop
\ No newline at end of file
diff --git a/scripts/hostclass/roadwarrior_laptop/20-laptop b/scripts/hostclass/roadwarrior_laptop/20-laptop
new file mode 120000
index 0000000..874f665
--- /dev/null
+++ b/scripts/hostclass/roadwarrior_laptop/20-laptop
@@ -0,0 +1 @@
+../laptop
\ No newline at end of file
diff --git a/scripts/hostclass/roadwarrior_laptop/30-roadwarrior b/scripts/hostclass/roadwarrior_laptop/30-roadwarrior
new file mode 100644
index 0000000..2cc0a3e
--- /dev/null
+++ b/scripts/hostclass/roadwarrior_laptop/30-roadwarrior
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# Configure sudoers.
+install_file -m 0600 \
+  /usr/local/etc/sudoers \
+  /usr/local/etc/sudoers.d/networkmgr
-- 
cgit v1.2.3