From 5ef2aed3f3961b72699d9881ed09560f4d01371a Mon Sep 17 00:00:00 2001 From: Cullum Smith Date: Fri, 18 Oct 2024 16:44:57 -0400 Subject: Tons of desktop fixes --- scripts/hostclass/cups_server | 3 ++ scripts/hostclass/desktop | 30 ++++++++---- scripts/hostclass/idm_server/40-unbound | 8 ++-- scripts/hostclass/laptop | 65 -------------------------- scripts/hostclass/laptop/10-desktop | 1 + scripts/hostclass/laptop/20-laptop | 65 ++++++++++++++++++++++++++ scripts/hostclass/roadwarrior_laptop/20-laptop | 2 +- scripts/os/freebsd/10-bootloader | 4 +- scripts/os/freebsd/10-cpu | 5 ++ scripts/os/freebsd/50-idm | 1 + scripts/os/freebsd/80-microcode | 14 ++++++ 11 files changed, 118 insertions(+), 80 deletions(-) delete mode 100644 scripts/hostclass/laptop create mode 120000 scripts/hostclass/laptop/10-desktop create mode 100644 scripts/hostclass/laptop/20-laptop create mode 100644 scripts/os/freebsd/80-microcode (limited to 'scripts') diff --git a/scripts/hostclass/cups_server b/scripts/hostclass/cups_server index 6667829..d9b6e66 100644 --- a/scripts/hostclass/cups_server +++ b/scripts/hostclass/cups_server @@ -9,6 +9,9 @@ cups_tls_dir=${cups_conf_dir}/ssl cups_tls_cert="${cups_tls_dir}/${fqdn}.crt" cups_tls_key="${cups_tls_dir}/${fqdn}.key" +# Create dataset for persistent CUPS configuration. +create_dataset -o "mountpoint=${cups_conf_dir}" "${state_dataset}/cups" + # Install required packages. pkg install -y cups cups-filters diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop index f9e7e94..148b596 100644 --- a/scripts/hostclass/desktop +++ b/scripts/hostclass/desktop 
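Review bot: The `create_dataset -o "mountpoint=${cups_conf_dir}"` line added before `pkg install` mounts a dataset over the CUPS configuration directory, and on a host provisioned before this commit that would hide the existing configuration, including the certificate and key under `${cups_tls_dir}`. Whether create_dataset copies existing contents or later steps regenerate them is not visible in this hunk, so the behaviour on re-run should be confirmed or stated in the comment, for example `# Existing hosts: move the contents of ${cups_conf_dir} into the dataset before it is mounted.` The same applies to the `/usr/local/home` dataset created in scripts/hostclass/desktop. Because this dataset will hold the TLS private key, it is also worth checking who can read snapshots or replicas of `${state_dataset}`.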
@@ -4,10 +4,13 @@ : ${desktop_access_gid:='40000'} : ${sddm_min_uid:='10000'} : ${sddm_max_uid:='19999'} +: ${cups_host:='cups'} +: ${ublock_whitelist:=''} +: ${chrome_flags:=''} sddm_user=sddm - -# TODO: kill lingering processes after logout (chrome, baloo-search, etc). +cups_conf_dir=/usr/local/etc/cups +xdg_override_dir=/usr/local/share-override if [ "${enable_idm:-}" = false ]; then desktop_access_role=operator @@ -33,7 +36,9 @@ pkg install -y $desktop_common_packages install_file -m 0555 \ /usr/local/libexec/pam-create-local-homedir \ /etc/profile.d/local-homedir.sh -install_directory -m 0755 /usr/local/home + +# Create ZFS dataset for local homedirs. +create_dataset -o mountpoint=/usr/local/home "${state_dataset}/home" # Enable sndio. sysrc -v sndiod_enable=YES @@ -54,6 +59,10 @@ set_loader_conf cuse_load=YES sysrc -v webcamd_enable=YES service webcamd status || service webcamd start +# Create xdg autostart entry to add our Root CA to Chrome's certificate store. +install_file -m 0644 /usr/local/etc/xdg/autostart/nss-trust-root-ca.desktop +install_file -m 0555 /usr/local/libexec/nss-trust-root-ca + case $desktop_type in i3) pkg install -y $desktop_i3_packages @@ -121,12 +130,13 @@ install_file -m 0644 /usr/local/etc/X11/xorg.conf.d/terminus.conf # Create xdg override directory. install_directory -m 0755 \ - /usr/local/override \ - /usr/local/override/applications + "${xdg_override_dir}" \ + "${xdg_override_dir}/applications" # Create xdg application overrides. -install_file -m 0644 \ - /usr/local/override/applications/signal-desktop.desktop +install_template -m 0644 \ + "${xdg_override_dir}/applications/signal-desktop.desktop" \ + "${xdg_override_dir}/applications/chromium-browser.desktop" # Create polkit rules for shutdown/reboot/suspend install_template -m 0644 /usr/local/etc/polkit-1/rules.d/51-desktop.rules 
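Review bot: Replacing `install_directory -m 0755 /usr/local/home` with `create_dataset` in the local-homedir section drops the explicit mode, so the ownership and permissions of the mountpoint now depend on create_dataset, whose implementation is outside this diff. The dataset holds user-writable home directories, so I would set restrictive properties at creation, e.g. `create_dataset -o mountpoint=/usr/local/home -o setuid=off "${state_dataset}/home"`, assuming the helper passes several `-o` properties through to zfs. If the helper does not set the mode itself, keep an explicit `install_directory -m 0755 /usr/local/home` after the dataset is mounted.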
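Review bot: The XDG autostart entry added just before `case $desktop_type in` only takes effect in sessions that process `/usr/local/etc/xdg/autostart`, and the `i3)` branch that follows is a window manager that does not do so by itself. Unless the i3 packages or session configuration (not visible here) run an autostart launcher, users on i3 hosts would presumably not get the root CA imported into Chrome's store. A comment stating the dependency would help, e.g. `# Requires an XDG autostart-aware session; i3 needs an explicit launcher.` The case statement continues outside the hunk.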
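Review bot: `install_template` is given two destination paths in the xdg application overrides call, while every other `install_template` call visible in this diff passes a single path, so confirm the helper accepts several targets the way `install_file` does. The override directory also moves from `/usr/local/override` to `${xdg_override_dir}`; nothing in this hunk removes the old tree, so on hosts provisioned earlier the stale `signal-desktop.desktop` would remain, and whatever puts the override directory on the XDG search path (not shown) has to change with it. If `chrome_flags` is substituted into the `Exec=` line of the chromium template, the variable's comment should say that values must follow desktop-entry quoting rules.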
@@ -135,10 +145,14 @@ install_template -m 0644 /usr/local/etc/polkit-1/rules.d/51-desktop.rules sysrc -v dbus_enable=YES service dbus status || service dbus start +# Configure CUPS. +pkg install -y cups +install_template -m 0644 "${cups_conf_dir}/client.conf" + # Configure graphics drivers. case $graphics_type in intel) - pkg install -y drm-kmod + pkg install -y drm-kmod libva-intel-media-driver sysrc -v kld_list+=i915kms load_kernel_module i915kms set_loader_conf \ diff --git a/scripts/hostclass/idm_server/40-unbound b/scripts/hostclass/idm_server/40-unbound index 01c1c70..d38194f 100644 --- a/scripts/hostclass/idm_server/40-unbound +++ b/scripts/hostclass/idm_server/40-unbound @@ -4,8 +4,10 @@ unbound_user=unbound unbound_conf_dir=/usr/local/etc/unbound unbound_blocklist_dir="${unbound_conf_dir}/blocklists" unbound_blocklist_url_file="${unbound_conf_dir}/blocklist_urls" +unbound_whitelist_file="${unbound_conf_dir}/whitelist" : ${unbound_blocklist_urls:=''} +: ${unbound_whitelist:=''} : ${unbound_cache_max_negative_ttl:='60'} : ${unbound_rrset_cache_size:='104857600'} # 100 MB : ${unbound_msg_cache_size:='52428800'} # 50 MB @@ -24,9 +26,10 @@ install_directory -m 0755 -o "$unbound_user" "$unbound_blocklist_dir" install_template -m 0644 "${unbound_conf_dir}/unbound.conf" # Download blocklists. +echo "$unbound_whitelist" | tee "$unbound_whitelist_file" echo "$unbound_blocklists" | tee "$unbound_blocklist_url_file" install_file -m 0755 /usr/local/libexec/idm-update-unbound-blocklists -su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}" +su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_url_file} ${unbound_whitelist_file} ${unbound_blocklist_dir}" # Enable and start unbound. sysrc -v unbound_enable=YES 
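Review bot: With the default `unbound_whitelist=''`, the added `echo "$unbound_whitelist" | tee "$unbound_whitelist_file"` writes a file containing one empty line rather than an empty file. How idm-update-unbound-blocklists consumes the whitelist is not visible here, but if it is used as a pattern file (for instance with `grep -v -f`), an empty pattern matches every line and the generated blocklist would come out empty, silently disabling DNS blocking. Writing nothing when the variable is empty avoids that: `if [ -n "$unbound_whitelist" ]; then printf '%s\n' "$unbound_whitelist"; fi | tee "$unbound_whitelist_file"`. Separately, the neighbouring context line writes `$unbound_blocklists`, while the default declared at the top of the file is `unbound_blocklist_urls`; unless the former is set elsewhere, the URL file is written empty.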
@@ -36,5 +39,4 @@ service unbound restart install_template -m 0644 /etc/resolv.conf # Update blocklists with a cron job. -echo "@daily root su -m ${unbound_user} -c \"/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}\" && service unbound reload" \ - | tee /etc/cron.d/idm-update-unbound-blocklists +install_template -m 0644 /etc/cron.d/unbound diff --git a/scripts/hostclass/laptop b/scripts/hostclass/laptop deleted file mode 100644 index dba2c5f..0000000 --- a/scripts/hostclass/laptop +++ /dev/null 
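Review bot: The cron entry moves from `/etc/cron.d/idm-update-unbound-blocklists` to the templated `/etc/cron.d/unbound`, but nothing in this hunk removes the old file. On a host provisioned before this commit, the old job would keep running daily and call the updater with the previous argument convention (directory as the only argument, URLs on stdin), which no longer matches the three-argument call introduced earlier in this file. Adding `rm -f /etc/cron.d/idm-update-unbound-blocklists` before the `install_template` line would prevent that. The new template is outside this diff, so it should be checked that it still runs the updater as `${unbound_user}` rather than root and reloads unbound afterwards.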
@@ -1,65 +0,0 @@ -#!/bin/sh - -# Enable thinkpad hardware features. -load_kernel_module acpi_ibm -set_loader_conf acpi_ibm_load=YES - -# Set USB power savings -usbconfig | awk -F: '{ print $1 }' | xargs -rtn1 -I% usbconfig -d % power_save ||: -install_file /etc/rc.local - -# Create devd rule for lid close. -install_file -m 0555 /usr/local/libexec/lid-close -install_file -m 0644 /etc/devd/lid-close.conf -service devd restart - -# Enable kernel module for Android USB tethering. -load_kernel_module if_urndis -set_loader_conf if_urndis_load=YES -sysrc -v ifconfig_ue0='DHCP' - -# Install laptop packages. -pkg install -y networkmgr - -# Misc power saving stuff. -set_loader_conf \ - vfs.zfs.txg.timeout=10 \ - -if [ "$graphics_type" = intel ]; then - set_loader_conf \ - compat.linuxkpi.i915_disable_power_well=1 \ - compat.linuxkpi.i915_enable_dc=2 -fi - -case ${wireless_type:-} in - iwm*) - set_loader_conf \ - if_iwm_load=YES \ - "${wireless_type}fw_load=YES" - - load_kernel_module \ - if_iwm \ - "${wireless_type}fw" - - sysrc -v wlans_iwm0='wlan0' - ;; -esac - -# Enable power saving for sound card. -set_sysctl hw.snd.latency=7 - -# Configure wireless card. -sysrc -v \ - create_args_wlan0='country US regdomain FCC' \ - ifconfig_wlan0="WPA DHCP powersave" - -# Hardware-specific fixes. -case ${laptop_type:-} in - thinkpad) - # Set brightness using function keys. - set_sysctl dev.acpi_ibm.0.handlerevents='0x10 0x11' - install_file -m 0555 /usr/local/libexec/thinkpad-brightness - install_file -m 0644 /etc/devd/thinkpad-brightness.conf - service devd restart - ;; -esac diff --git a/scripts/hostclass/laptop/10-desktop b/scripts/hostclass/laptop/10-desktop new file mode 120000 index 0000000..2c7c348 --- /dev/null +++ b/scripts/hostclass/laptop/10-desktop @@ -0,0 +1 @@ +../desktop \ No newline at end of file diff --git a/scripts/hostclass/laptop/20-laptop b/scripts/hostclass/laptop/20-laptop new file mode 100644 index 0000000..dba2c5f --- /dev/null 
+++ b/scripts/hostclass/laptop/20-laptop @@ -0,0 +1,65 @@ +#!/bin/sh + +# Enable thinkpad hardware features. +load_kernel_module acpi_ibm +set_loader_conf acpi_ibm_load=YES + +# Set USB power savings +usbconfig | awk -F: '{ print $1 }' | xargs -rtn1 -I% usbconfig -d % power_save ||: +install_file /etc/rc.local + +# Create devd rule for lid close. +install_file -m 0555 /usr/local/libexec/lid-close +install_file -m 0644 /etc/devd/lid-close.conf +service devd restart + +# Enable kernel module for Android USB tethering. +load_kernel_module if_urndis +set_loader_conf if_urndis_load=YES +sysrc -v ifconfig_ue0='DHCP' + +# Install laptop packages. +pkg install -y networkmgr + +# Misc power saving stuff. +set_loader_conf \ + vfs.zfs.txg.timeout=10 \ + +if [ "$graphics_type" = intel ]; then + set_loader_conf \ + compat.linuxkpi.i915_disable_power_well=1 \ + compat.linuxkpi.i915_enable_dc=2 +fi + +case ${wireless_type:-} in + iwm*) + set_loader_conf \ + if_iwm_load=YES \ + "${wireless_type}fw_load=YES" + + load_kernel_module \ + if_iwm \ + "${wireless_type}fw" + + sysrc -v wlans_iwm0='wlan0' + ;; +esac + +# Enable power saving for sound card. +set_sysctl hw.snd.latency=7 + +# Configure wireless card. +sysrc -v \ + create_args_wlan0='country US regdomain FCC' \ + ifconfig_wlan0="WPA DHCP powersave" + +# Hardware-specific fixes. +case ${laptop_type:-} in + thinkpad) + # Set brightness using function keys. + set_sysctl dev.acpi_ibm.0.handlerevents='0x10 0x11' + install_file -m 0555 /usr/local/libexec/thinkpad-brightness + install_file -m 0644 /etc/devd/thinkpad-brightness.conf + service devd restart + ;; +esac diff --git a/scripts/hostclass/roadwarrior_laptop/20-laptop b/scripts/hostclass/roadwarrior_laptop/20-laptop index 874f665..981e450 120000 --- a/scripts/hostclass/roadwarrior_laptop/20-laptop +++ b/scripts/hostclass/roadwarrior_laptop/20-laptop @@ -1 +1 @@ -../laptop \ No newline at end of file +../laptop/20-laptop \ No newline at end of file 
diff --git a/scripts/os/freebsd/10-bootloader b/scripts/os/freebsd/10-bootloader index 438acc0..3209927 100644 --- a/scripts/os/freebsd/10-bootloader +++ b/scripts/os/freebsd/10-bootloader @@ -24,9 +24,7 @@ set_loader_conf \ pflog_load=YES \ security.bsd.allow_destructive_dtrace=0 -if [ "${serial_console:-}" = true ]; then - # Don't enable the serial console for all hosts indiscriminately. - # Somehow, having the serial console enabled breaks ConsoleKit. +if [ "$BOXCONF_VIRTUALIZATION_TYPE" = none ] && [ "$enable_serial_console" = true ]; then set_loader_conf \ boot_multicons=YES \ boot_serial=YES \ diff --git a/scripts/os/freebsd/10-cpu b/scripts/os/freebsd/10-cpu index ea2afcf..67aeb68 100644 --- a/scripts/os/freebsd/10-cpu +++ b/scripts/os/freebsd/10-cpu @@ -28,3 +28,8 @@ if sysctl -n dev.hwpstate_intel.0.epp >/dev/null 2>&1; then set_sysctl "dev.hwpstate_intel.${n}.epp=${intel_epp}" done fi + +# Enable CPU-related kernel modules. +set_loader_conf \ + cpuctl_load=YES \ + coretemp_load=YES diff --git a/scripts/os/freebsd/50-idm b/scripts/os/freebsd/50-idm index 0a9e882..ab7c2fd 100644 --- a/scripts/os/freebsd/50-idm +++ b/scripts/os/freebsd/50-idm @@ -20,6 +20,7 @@ pkg install -y \ # Configure PAM/NSS integration. install_file -m 0644 \ /etc/nsswitch.conf \ + /etc/pam.d/login \ /etc/pam.d/sshd \ /etc/pam.d/sudo diff --git a/scripts/os/freebsd/80-microcode b/scripts/os/freebsd/80-microcode new file mode 100644 index 0000000..f9e213e --- /dev/null +++ b/scripts/os/freebsd/80-microcode @@ -0,0 +1,14 @@ +#!/bin/sh + +: ${microcode_name:='intel-ucode.bin'} + +# Only run this file on baremetal hosts. +if [ "$BOXCONF_VIRTUALIZATION_TYPE" != none ]; then + return +fi + +pkg install -y cpu-microcode + +set_loader_conf \ + cpu_microcode_load=YES \ + cpu_microcode_name="/boot/firmware/${microcode_name}" -- cgit v1.2.3
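Review bot: The new condition in 10-bootloader reads `$BOXCONF_VIRTUALIZATION_TYPE` and `$enable_serial_console` without a default, whereas the line it replaces used `${serial_console:-}`; if these scripts run with `set -u` (the `${...:-}` guards used elsewhere in this commit suggest they might), an unset variable aborts the run. I would write `if [ "${BOXCONF_VIRTUALIZATION_TYPE:-}" = none ] && [ "${enable_serial_console:-}" = true ]; then`. The rename from `serial_console` to `enable_serial_console` also means hosts that still set the old name silently lose the serial console, and the removed ConsoleKit comment was the only explanation of why this is opt-in, so a one-line comment should stay. The body of the `if` continues outside the hunk.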
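Review bot: `coretemp_load=YES` in the block added to 10-cpu is the Intel temperature driver and sits outside the `dev.hwpstate_intel` guard above it, and the new scripts/os/freebsd/80-microcode defaults `microcode_name` to `intel-ucode.bin` for every bare-metal host, so both additions assume an Intel CPU. On an AMD host the loader would be pointed at an Intel microcode file under `/boot/firmware/`, and whether that file exists or is simply ignored depends on what `cpu-microcode` installs, which is not visible here; either way the host would not receive an early microcode update. Consider gating these on the CPU vendor, or at least documenting it: `# Intel only; set microcode_name (and use amdtemp) on AMD hosts.` 80-microcode also uses a top-level `return`, which is only valid if the file is sourced, and compares `$BOXCONF_VIRTUALIZATION_TYPE` without a `:-` default.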