From f9301e0fe52313581920026a186955c78fcbe831 Mon Sep 17 00:00:00 2001
From: Cullum Smith
Date: Tue, 22 Oct 2024 22:01:49 -0400
Subject: zfs autosnapshots, syncthing, pam cleanup

---
 scripts/hostclass/asterisk_server | 4 ++
 scripts/hostclass/cups_server | 1 +
 scripts/hostclass/desktop | 6 ++-
 scripts/hostclass/idm_server/10-slapd | 5 +++
 scripts/hostclass/imap_server/10-solr | 4 ++
 scripts/hostclass/imap_server/30-dovecot | 5 +++
 scripts/hostclass/nfs_server | 50 -------------------------
 scripts/hostclass/nfs_server/10-nfs | 50 +++++++++++++++++++++++++
 scripts/hostclass/nfs_server/20-syncthing | 61 +++++++++++++++++++++++++++++++
 scripts/hostclass/pkg_repository | 3 ++
 scripts/hostclass/postgresql_server | 5 +++
 scripts/hostclass/public_webserver | 4 ++
 scripts/hostclass/smtp_server/10-rspamd | 4 ++
 scripts/hostclass/unifi_controller | 4 ++
 scripts/hostclass/znc_server | 4 ++
 scripts/hostname/nfs1/10-homedirs | 6 +++
 scripts/hostname/nfs1/20-shares | 5 +++
 scripts/os/80-zfs | 1 +
 scripts/os/freebsd/20-zfs | 2 +-
 scripts/os/freebsd/50-idm | 17 ++++++++-
 scripts/os/freebsd/90-snapshots | 10 +++++
 21 files changed, 197 insertions(+), 54 deletions(-)
 delete mode 100644 scripts/hostclass/nfs_server
 create mode 100644 scripts/hostclass/nfs_server/10-nfs
 create mode 100644 scripts/hostclass/nfs_server/20-syncthing
 create mode 100644 scripts/os/80-zfs
 create mode 100644 scripts/os/freebsd/90-snapshots
(limited to 'scripts')

diff --git a/scripts/hostclass/asterisk_server b/scripts/hostclass/asterisk_server
index d519730..fe10f51 100644
--- a/scripts/hostclass/asterisk_server
+++ b/scripts/hostclass/asterisk_server
@@ -44,6 +44,10 @@ pkg install -y \
 
 # Create ZFS dataset for Asterisk DB.
 create_dataset -o "mountpoint=${asterisk_db_dir}" "${state_dataset}/asterisk"
+zfs set \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${state_dataset}/asterisk"
 install_directory -o "$asterisk_user" -g "$asterisk_user" -m 0755 "$asterisk_db_dir"
 
 # Generate asterisk configuration.
diff --git a/scripts/hostclass/cups_server b/scripts/hostclass/cups_server
index d9b6e66..0fd624c 100644
--- a/scripts/hostclass/cups_server
+++ b/scripts/hostclass/cups_server
@@ -11,6 +11,7 @@ cups_tls_key="${cups_tls_dir}/${fqdn}.key"
 
 # Create dataset for persistent CUPS configuration.
 create_dataset -o "mountpoint=${cups_conf_dir}" "${state_dataset}/cups"
+zfs set com.sun:auto-snapshot:daily=true "${state_dataset}/cups"
 
 # Install required packages.
 pkg install -y cups cups-filters
diff --git a/scripts/hostclass/desktop b/scripts/hostclass/desktop
index ed71393..ac8bdda 100644
--- a/scripts/hostclass/desktop
+++ b/scripts/hostclass/desktop
@@ -1,6 +1,5 @@
 #!/bin/sh
 
-: ${desktop_access_role:='desktop-access'}
 : ${desktop_access_gid:='40000'}
 : ${sddm_min_uid:='10000'}
 : ${sddm_max_uid:='19999'}
@@ -38,6 +37,11 @@ install_file -m 0555 \
 
 # Create ZFS dataset for local homedirs.
 create_dataset -o mountpoint=/usr/local/home "${state_dataset}/home"
+zfs set \
+ com.sun:auto-snapshot:hourly=true \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${state_dataset}/home"
 
 # Enable sndio.
 sysrc -v sndiod_enable=YES
diff --git a/scripts/hostclass/idm_server/10-slapd b/scripts/hostclass/idm_server/10-slapd
index d01db70..12640a4 100644
--- a/scripts/hostclass/idm_server/10-slapd
+++ b/scripts/hostclass/idm_server/10-slapd
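Review bot: The multi-line `zfs set com.sun:auto-snapshot:*=true` block that follows `create_dataset` here is spelled out by hand again in cups_server, desktop, idm_server/10-slapd, imap_server/10-solr, imap_server/30-dovecot, nfs_server/20-syncthing, pkg_repository, postgresql_server, public_webserver, smtp_server/10-rspamd, unifi_controller and znc_server, differing only in the interval names. A small helper beside `create_dataset` in the shared library, e.g. (constructed name) `set_autosnapshot daily weekly "${state_dataset}/asterisk"` that expands each interval to `com.sun:auto-snapshot:<interval>=true`, would make the per-host retention policy greppable and keep the property name from being mistyped in any one of a dozen files. Keeping this as a separate `zfs set` instead of folding the properties into `create_dataset -o` (which the postgresql_server hunk shows is supported) is the right call if `create_dataset` skips datasets that already exist — I can't see its definition — because the policy then still reaches datasets created before this commit. Whatever form it takes, a one-line comment noting that these properties only take effect through the zfs-auto-snapshot cron installed by os/freebsd/90-snapshots on the host would save the next reader a search.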
@@ -36,6 +36,11 @@ pkg install -y \
 
 # Create ZFS dataset for OpenLDAP DB.
 create_dataset -o "mountpoint=${slapd_data_dir}" "${state_dataset}/openldap-data"
+zfs set \
+ com.sun:auto-snapshot:hourly=true \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${state_dataset}/openldap-data"
 
 # To prevent a circular dependency in poudriere, we have to make a special "set"
 # of packages for the IDM hosts in which cyrus-sasl-gssapi is built with the
diff --git a/scripts/hostclass/imap_server/10-solr b/scripts/hostclass/imap_server/10-solr
index 252a8c3..a30d6fd 100644
--- a/scripts/hostclass/imap_server/10-solr
+++ b/scripts/hostclass/imap_server/10-solr
@@ -28,6 +28,10 @@ add_user \
 
 # Create ZFS dataset for solr DB.
 create_dataset -o "mountpoint=${solr_data_dir}" "${state_dataset}/solr"
+zfs set \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${state_dataset}/solr"
 
 # Set ownership on solr DB dir.
 install_directory -m 0770 -o "$solr_user" -g "$solr_user" "$solr_data_dir"
diff --git a/scripts/hostclass/imap_server/30-dovecot b/scripts/hostclass/imap_server/30-dovecot
index ff41da5..66edd1d 100644
--- a/scripts/hostclass/imap_server/30-dovecot
+++ b/scripts/hostclass/imap_server/30-dovecot
@@ -35,6 +35,11 @@ add_user \
 
 # Create ZFS dataset for virtual maildirs.
 create_dataset -o "mountpoint=${dovecot_vmail_dir}" "${state_dataset}/mailboxes"
+zfs set \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ com.sun:auto-snapshot:monthly=true \
+ "${state_dataset}/mailboxes"
 
 # Set ownership on vmail dir.
 install_directory -m 0770 -o "$dovecot_vmail_user" -g "$dovecot_vmail_user" "$dovecot_vmail_dir"
diff --git a/scripts/hostclass/nfs_server b/scripts/hostclass/nfs_server
deleted file mode 100644
index a775859..0000000
--- a/scripts/hostclass/nfs_server
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/sh
-
-# Jails serving NFS need 'allow.nfsd' option.
-
-: ${nfsuserd_cache_size:='256'}
-: ${nfsuserd_num_servers:='4'}
-: ${nfsuserd_cache_timeout:='1'}
-: ${nfsd_srvmaxio:='1048576'}
-
-nfs_root=/share
-nfs_dataset="${state_dataset}/nfs"
-
-# Create ZFS dataset for NFS share.
-create_dataset -o "mountpoint=${nfs_root}" "${nfs_dataset}"
-
-# Allow NFSv4 ACLs to propagate.
-zfs set aclinherit=passthrough aclmode=passthrough "$nfs_dataset"
-
-# Create nfs service principal and keytab.
-add_principal -nokey -x "containerdn=${services_basedn}" "nfs/${fqdn}"
-ktadd -k "${keytab_dir}/host.keytab" "nfs/${fqdn}"
-
-if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then
- set_sysctl \
- vfs.nfsd.issue_delegations=1 \
- vfs.nfsd.enable_locallocks=0
-fi
-
-sysrc -v \
- nfs_server_managegids=YES \
- nfsuserd_enable=YES \
- nfsuserd_flags="-usermax ${nfsuserd_cache_size} -usertimeout ${nfsuserd_cache_timeout} ${nfsuserd_num_servers}" \
- gssd_enable=YES \
- nfs_server_enable=YES \
- nfs_server_flags='-t' \
- nfs_server_maxio="$nfsd_srvmaxio" \
- nfsv4_server_only=YES \
- mountd_enable=YES \
- mountd_flags='-R -S'
-
-# Our krb5.conf assumes MIT Kerberos, but the gssd in base uses the base
-# Heimdal kerberos, which doesnt support %{euid} expansion. So we must
-# override the keytab path with an environment variable.
-sysrc -v gssd_env="KRB5_KTNAME=${keytab_dir}/host.keytab"
-
-install_template -m 0644 /etc/exports
-
-for service in gssd nfsuserd mountd nfsd; do
- service "$service" status || service "$service" start
-done
diff --git a/scripts/hostclass/nfs_server/10-nfs b/scripts/hostclass/nfs_server/10-nfs
new file mode 100644
index 0000000..a775859
--- /dev/null
+++ b/scripts/hostclass/nfs_server/10-nfs
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Jails serving NFS need 'allow.nfsd' option.
+
+: ${nfsuserd_cache_size:='256'}
+: ${nfsuserd_num_servers:='4'}
+: ${nfsuserd_cache_timeout:='1'}
+: ${nfsd_srvmaxio:='1048576'}
+
+nfs_root=/share
+nfs_dataset="${state_dataset}/nfs"
+
+# Create ZFS dataset for NFS share.
+create_dataset -o "mountpoint=${nfs_root}" "${nfs_dataset}"
+
+# Allow NFSv4 ACLs to propagate.
+zfs set aclinherit=passthrough aclmode=passthrough "$nfs_dataset"
+
+# Create nfs service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "nfs/${fqdn}"
+ktadd -k "${keytab_dir}/host.keytab" "nfs/${fqdn}"
+
+if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then
+ set_sysctl \
+ vfs.nfsd.issue_delegations=1 \
+ vfs.nfsd.enable_locallocks=0
+fi
+
+sysrc -v \
+ nfs_server_managegids=YES \
+ nfsuserd_enable=YES \
+ nfsuserd_flags="-usermax ${nfsuserd_cache_size} -usertimeout ${nfsuserd_cache_timeout} ${nfsuserd_num_servers}" \
+ gssd_enable=YES \
+ nfs_server_enable=YES \
+ nfs_server_flags='-t' \
+ nfs_server_maxio="$nfsd_srvmaxio" \
+ nfsv4_server_only=YES \
+ mountd_enable=YES \
+ mountd_flags='-R -S'
+
+# Our krb5.conf assumes MIT Kerberos, but the gssd in base uses the base
+# Heimdal kerberos, which doesnt support %{euid} expansion. So we must
+# override the keytab path with an environment variable.
+sysrc -v gssd_env="KRB5_KTNAME=${keytab_dir}/host.keytab"
+
+install_template -m 0644 /etc/exports
+
+for service in gssd nfsuserd mountd nfsd; do
+ service "$service" status || service "$service" start
+done
diff --git a/scripts/hostclass/nfs_server/20-syncthing b/scripts/hostclass/nfs_server/20-syncthing
new file mode 100644
index 0000000..095b55c
--- /dev/null
+++ b/scripts/hostclass/nfs_server/20-syncthing
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+# syncthing_users='user1 user2'
+# syncthing_user1_port=22000
+# syncthing_user2_port=22001
+
+if [ -z "${syncthing_users:-}" ]; then
+ return 0
+fi
+
+syncthing_https_cert="${nginx_conf_dir}/syncthing.crt"
+syncthing_https_key="${nginx_conf_dir}/syncthing.key"
+syncthing_conf_dir=/var/db/syncthing
+nginx_keytab="${keytab_dir}/nginx.keytab"
+
+pkg install -y \
+ syncthing \
+ nginx
+
+# Create ZFS dataset for syncthing configuration.
+create_dataset -o "mountpoint=$syncthing_conf_dir" "${state_dataset}/syncthing"
+zfs set \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${state_dataset}/syncthing"
+install_directory -m 0755 "$syncthing_conf_dir"
+
+# Copy syncthing_user rc script.
+install_file -m 0644 /usr/local/etc/syncthing.template.xml
+install_file -m 0555 /usr/local/etc/rc.d/syncthing_user
+
+# Generate nginx configuration.
+install_template -m 0644 \
+ /usr/local/etc/nginx/nginx.conf \
+ /usr/local/etc/nginx/vhosts.conf
+
+# Create HTTP service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "HTTP/${fqdn}"
+
+ktadd -k "$nginx_keytab" "HTTP/${fqdn}"
+chgrp "$nginx_user" "$nginx_keytab"
+chmod 640 "$nginx_keytab"
+
+# Copy TLS certificate for nginx.
+install_certificate nginx "$syncthing_https_cert"
+install_certificate_key nginx "$syncthing_https_key"
+
+# Enable and start daemons.
+sysrc -v nginx_enable=YES
+service nginx restart
+
+sysrc -v \
+ syncthing_user_enable=YES \
+ "syncthing_user_instances+=${syncthing_users}"
+
+for user in $syncthing_users; do
+ eval "port=\$syncthing_${user}_port"
+ sysrc -v "syncthing_user_${user}_port=${port}"
+done
+
+service syncthing_user restart
diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository
index 969dff7..7044f96 100644
--- a/scripts/hostclass/pkg_repository
+++ b/scripts/hostclass/pkg_repository
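Review bot: `eval "port=\$syncthing_${user}_port"` in the final loop splices each word of `syncthing_users` into shell source, so a word containing shell metacharacters is executed rather than looked up, and a user whose `syncthing_<user>_port` variable is missing yields an empty `port` that the next line writes into rc.conf as `syncthing_user_<user>_port=`. The file is `#!/bin/sh`, so there is no `${!name}` to reach for; keep the eval but restrict `user` to identifier characters before it runs and refuse an empty port, as in the loop below, which also uses `:-` inside the eval so an unset variable does not trip `set -u` if the caller enables it. Separately, the comment `# Copy syncthing_user rc script.` sits above the `syncthing.template.xml` install as well as the rc script; `# Install the per-user syncthing config template and rc script.` would describe both lines.
```shell
for user in $syncthing_users; do
  # $user is spliced into shell source by the eval below, so only identifier characters may pass.
  case $user in
    *[!A-Za-z0-9_]*) echo "invalid syncthing user name: ${user}" >&2; return 1 ;;
  esac
  eval "port=\${syncthing_${user}_port:-}"
  [ -n "$port" ] || { echo "syncthing_${user}_port is not set" >&2; return 1; }
  sysrc -v "syncthing_user_${user}_port=${port}"
done
```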
@@ -18,6 +18,9 @@ poudriere_patch_dir="${poudriere_conf_dir}/patches"
 # Create poudriere datasets.
 create_dataset -o "mountpoint=${poudriere_data_dir}" "${state_dataset}/poudriere"
 create_dataset -o "mountpoint=${poudriere_conf_dir}" "${state_dataset}/poudriere-config"
+zfs set com.sun:auto-snapshot:weekly=true \
+ "${state_dataset}/poudriere" \
+ "${state_dataset}/poudriere-config"
 
 # Since we're doing a ton of compilation, disable sync on the poudriere dataset.
 # Possibly snakeoil, but my hope is that most file I/O will end up in the ARC cache
diff --git a/scripts/hostclass/postgresql_server b/scripts/hostclass/postgresql_server
index 10bafc8..dbb84b4 100644
--- a/scripts/hostclass/postgresql_server
+++ b/scripts/hostclass/postgresql_server
@@ -28,6 +28,11 @@ create_dataset \
 -o primarycache=metadata \
 -o atime=off \
 "${state_dataset}/postgres"
+zfs set \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ com.sun:auto-snapshot:monthly=true \
+ "${state_dataset}/postgres"
 install_directory -m 0755 -o "$postgres_user" -g "$postgres_user" "$postgres_home"
 
 # Initialize the database.
diff --git a/scripts/hostclass/public_webserver b/scripts/hostclass/public_webserver
index ccf5991..721cbfc 100644
--- a/scripts/hostclass/public_webserver
+++ b/scripts/hostclass/public_webserver
@@ -14,6 +14,10 @@ pkg install -y \
 
 # Create ZFS dataset for webroots.
 create_dataset -o "mountpoint=${vhosts_dir}" "${state_dataset}/vhosts"
+zfs set \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${state_dataset}/vhosts"
 
 # Configure nginx.
 install_template -m 0644 /usr/local/etc/nginx/nginx.conf
diff --git a/scripts/hostclass/smtp_server/10-rspamd b/scripts/hostclass/smtp_server/10-rspamd
index 7b1aae9..215788b 100644
--- a/scripts/hostclass/smtp_server/10-rspamd
+++ b/scripts/hostclass/smtp_server/10-rspamd
@@ -33,6 +33,10 @@ pkg install -y \
 
 # Create ZFS dataset for Redis DBs.
 create_dataset -o "mountpoint=${redis_data_dir}" "${state_dataset}/redis"
+zfs set \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${state_dataset}/redis"
 
 # Generate config files for redis instances.
 install_template -m 0644 \
diff --git a/scripts/hostclass/unifi_controller b/scripts/hostclass/unifi_controller
index 32df063..9fd161e 100644
--- a/scripts/hostclass/unifi_controller
+++ b/scripts/hostclass/unifi_controller
@@ -11,6 +11,10 @@ pkg install -y unifi8
 
 # Create ZFS dataset for unifi data.
 create_dataset -o "mountpoint=${unifi_home}/data" "${state_dataset}/unifi"
+zfs set \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${state_dataset}/unifi"
 
 # Set ownership on unifi data dir.
 install_directory -o "$unifi_user" -g "$unifi_user" -m 0700 "${unifi_home}/data"
diff --git a/scripts/hostclass/znc_server b/scripts/hostclass/znc_server
index 58f1d8a..e2c2fa6 100644
--- a/scripts/hostclass/znc_server
+++ b/scripts/hostclass/znc_server
@@ -18,6 +18,10 @@ pkg install -y \
 
 # Create ZFS dataset for ZNC configs.
 create_dataset -o "mountpoint=${znc_home}" "${state_dataset}/znc"
+zfs set \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${state_dataset}/znc"
 
 # Set ownership on ZNC dir.
 install_directory -o "$znc_user" -g "$znc_user" -m 0755 "$znc_home"
diff --git a/scripts/hostname/nfs1/10-homedirs b/scripts/hostname/nfs1/10-homedirs
index f2cd25c..3a6d923 100644
--- a/scripts/hostname/nfs1/10-homedirs
+++ b/scripts/hostname/nfs1/10-homedirs
@@ -14,6 +14,9 @@ for userquota in ${nfs_homedirs:-}; do
 
 zfs set "refquota=${privquota:-$default_priv_quota}" "${nfs_dataset}/user/${user}/priv"
 zfs set "refquota=${pubquota:-$default_pub_quota}" "${nfs_dataset}/user/${user}/pub"
+ zfs set 'com.sun:auto-snapshot=true' \
+ "${nfs_dataset}/user/${user}/priv" \
+ "${nfs_dataset}/user/${user}/pub"
 
 chown "${user}:${user}" \
 "${nfs_root}/user/${user}/priv" \
@@ -34,6 +37,9 @@ for groupquota in ${nfs_groupdirs:-}; do
 
 zfs set "refquota=${privquota:-$default_priv_quota}" "${nfs_dataset}/group/${group}/priv"
 zfs set "refquota=${pubquota:-$default_pub_quota}" "${nfs_dataset}/group/${group}/pub"
+ zfs set 'com.sun:auto-snapshot=true' \
+ "${nfs_dataset}/group/${group}/priv" \
+ "${nfs_dataset}/group/${group}/pub"
 
 chown "root:${group}" \
 "${nfs_root}/group/${group}/priv" \
diff --git a/scripts/hostname/nfs1/20-shares b/scripts/hostname/nfs1/20-shares
index ef013cc..beb3b11 100644
--- a/scripts/hostname/nfs1/20-shares
+++ b/scripts/hostname/nfs1/20-shares
@@ -2,6 +2,11 @@
 
 # media/music
 create_dataset -p "${nfs_dataset}/media/music"
+zfs set \
+ compression=off \
+ com.sun:auto-snapshot:daily=true \
+ com.sun:auto-snapshot:weekly=true \
+ "${nfs_dataset}/media/music"
 chgrp media-admin "${nfs_root}/media/music"
 chmod 2770 "${nfs_root}/media/music"
 set_facl "${nfs_root}/media/music" \
diff --git a/scripts/os/80-zfs b/scripts/os/80-zfs
new file mode 100644
index 0000000..1a24852
--- /dev/null
+++ b/scripts/os/80-zfs
@@ -0,0 +1 @@
+#!/bin/sh
diff --git a/scripts/os/freebsd/20-zfs b/scripts/os/freebsd/20-zfs
index 1cdc465..5d86df4 100644
--- a/scripts/os/freebsd/20-zfs
+++ b/scripts/os/freebsd/20-zfs
@@ -7,5 +7,5 @@ create_dataset -o mountpoint=none "$state_dataset"
 
 # If this is baremetal host or a VM, trim the zpools periodically.
 if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then
- install_file -m 0644 /etc/cron.d/zfs-trim
+ install_file -m 0644 /etc/cron.d/zfs
 fi
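Review bot: `zfs set 'com.sun:auto-snapshot=true'` on the per-user priv/pub datasets opts them into every interval the host's zfs-auto-snapshot cron runs, whereas every other dataset in this commit opts into named intervals (`com.sun:auto-snapshot:daily=true` and so on); if frequent or hourly snapshots of home directories are not the intent, listing the intervals explicitly, as `desktop` does for `${state_dataset}/home`, would keep the policy uniform, and the same applies to the group loop in the second hunk. The datasets are bounded with `refquota`, which excludes snapshot space, so a user who rewrites data repeatedly can grow pool usage well past the quota until the snapshots expire; whether that bound matters is a policy call I can't settle from the hunk, but a comment such as `# refquota does not count snapshots; pool growth is bounded only by snapshot retention` next to the new line would record the choice. The `for userquota` loop starts before and ends after the hunk.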
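Review bot: Switching the installed file from `/etc/cron.d/zfs-trim` to `/etc/cron.d/zfs` leaves the old file in place on hosts provisioned before this commit, so cron will read both and any job they share runs twice. Add `rm -f /etc/cron.d/zfs-trim` beside the `install_file` (or wherever boxconf retires stale managed files, if such a place exists) so that re-running the script converges to one cron file.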
diff --git a/scripts/os/freebsd/50-idm b/scripts/os/freebsd/50-idm
index ab7c2fd..1585c6f 100644
--- a/scripts/os/freebsd/50-idm
+++ b/scripts/os/freebsd/50-idm
@@ -15,14 +15,20 @@ pkg install -y \
 pam_krb5 \
 perl5 \
 p5-perl-ldap \
- p5-Authen-SASL
+ p5-Authen-SASL \
+ pam_mkhomedir
 
 # Configure PAM/NSS integration.
 install_file -m 0644 \
 /etc/nsswitch.conf \
+ /etc/pam.d/system \
 /etc/pam.d/login \
 /etc/pam.d/sshd \
- /etc/pam.d/sudo
+ /etc/pam.d/sudo \
+ /etc/pam.d/su \
+ /etc/pam.d/other
+
+install_template -m 0644 /etc/login.access
 
 install_template -m 0644 \
 /etc/krb5.conf \
@@ -30,6 +36,13 @@ install_template -m 0644 \
 /usr/local/etc/openldap/ldap.conf \
 /usr/local/etc/nslcd.conf
 
+# Ensure /home exists and configure skel files.
+install_directory -m 0755 /home
+install_file -m 0644 \
+ /usr/share/skel/dot.login \
+ /usr/share/skel/dot.profile \
+ /usr/share/skel/dot.shrc
+
 # Create ldap.conf symlink.
 ln -snfv /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf
 
diff --git a/scripts/os/freebsd/90-snapshots b/scripts/os/freebsd/90-snapshots
new file mode 100644
index 0000000..fce9c34
--- /dev/null
+++ b/scripts/os/freebsd/90-snapshots
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Don't run autosnapshot within jails. Otherwise we will create duplicate
+# snapshots with the host system.
+if [ "$BOXCONF_VIRTUALIZATION_TYPE" = jail ]; then
+ return 0
+fi
+
+pkg install -y zfstools
+install_file -m 0644 /etc/cron.d/zfs-autosnapshot
-- 
cgit v1.2.3
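Review bot: Adding `/etc/pam.d/system` and `/etc/pam.d/other` to the `install_file` list changes the PAM policy for every service on the host, not only login, sshd, sudo and su: `system` is included by most service stacks and `other` is the fallback for any service without its own file, and `pam_mkhomedir`, which is presumably wired into one of them, will then create home directories on any successful session for a directory user, including sessions opened by network daemons. The contents of those files are outside this diff, so please confirm that the installed `other` denies by default rather than permitting, and that the `pam_mkhomedir` line passes a restrictive `umask=` so newly created LDAP users' home directories are not world-readable; a comment above the `install_file` naming which file carries the `pam_mkhomedir` entry would help the next reader. In the second hunk, `install_directory -m 0755 /home` assumes `/home` is a plain directory; on FreeBSD it is commonly a symlink to `/usr/home`, so it is worth checking that the helper tolerates an existing symlink.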
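Review bot: The interval names used throughout this commit (`hourly`, `daily`, `weekly`, `monthly`, plus the bare `com.sun:auto-snapshot=true` in nfs1/10-homedirs) only have effect if `/etc/cron.d/zfs-autosnapshot` schedules a zfs-auto-snapshot run for each of them, and that file, with its keep counts, is outside the diff. A short comment in this script listing the scheduled intervals and their retention, e.g. `# Intervals and keep counts are defined in /etc/cron.d/zfs-autosnapshot; hostclass scripts opt datasets in with com.sun:auto-snapshot:<interval>=true`, would let readers of the hostclass scripts know what `daily=true` actually buys them. The jail guard is right, since the host's run already sees jailed datasets, but that reasoning is exactly what the comment above the `if` should say rather than only "duplicate snapshots".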