Commit dccb9292 authored by Andreas Kempe

Import of FreeBSD config from old Puppet

# $FreeBSD: releng/11.1/etc/mail/mailer.conf 93858 2002-04-05 04:25:14Z gshapiro $
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
# Disable sendmail and replace it with ssmtp.
# sendmail /usr/libexec/sendmail/sendmail
# send-mail /usr/libexec/sendmail/sendmail
# mailq /usr/libexec/sendmail/sendmail
# newaliases /usr/libexec/sendmail/sendmail
# hoststat /usr/libexec/sendmail/sendmail
# purgestat /usr/libexec/sendmail/sendmail
sendmail /usr/local/sbin/ssmtp
send-mail /usr/local/sbin/ssmtp
mailq /usr/local/sbin/ssmtp
newaliases /usr/local/sbin/ssmtp
hoststat /usr/bin/true
purgestat /usr/bin/true
daily_output="/var/log/daily.log"
daily_status_security_output="/var/log/daily_security.log"
weekly_output="/var/log/weekly.log"
weekly_status_security_output="/var/log/weekly_security.log"
monthly_output="/var/log/monthly.log"
monthly_status_security_output="/var/log/monthly_security.log"
# 800.scrub-zfs
daily_scrub_zfs_enable="YES"
daily_scrub_zfs_pools="" # empty string selects all pools
daily_scrub_zfs_default_threshold="35" # days between scrubs
# $FreeBSD: releng/11.1/etc/syslog.conf 308721 2016-11-16 07:04:49Z bapt $
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
ftp.info /var/log/xferlog
cron.* /var/log/cron
!-devd
*.=debug /var/log/debug.log
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
# touch /var/log/console.log and chmod it to mode 600 before it will work
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.* /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
# Uncomment this if you wish to see messages produced by devd
# !devd
# *.>=notice /var/log/devd.log
!ppp
*.* /var/log/ppp.log
!*
include /etc/syslog.d
include /usr/local/etc/syslog.d
# Log to the Lysator syslog server.
*.* @loghost.lysator.liu.se
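Review bot: The final rule `*.* @loghost.lysator.liu.se` forwards every facility, including `auth`, `authpriv` and `security`, using plain `@host` forwarding, which syslogd sends as unauthenticated, unencrypted UDP. Anyone on the path can read or spoof these records, and lost datagrams go unnoticed, so the central copy should not be treated as a complete audit trail. The trust assumption belongs in the file, for example `# NOTE: sent in clear text over UDP; assumes the path to loghost is a trusted network` above the rule. Because the rule sits after `!*` and the two `include` lines it applies to all programs, which looks intended but is worth stating in the same comment.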
/home auto_home -nosuid,nfsv4,minorversion=1
/mp auto_lysator -nosuid,nfsv4,minorversion=1
# nvidia-settings: X configuration file generated by nvidia-settings
# nvidia-settings: version 415.25
Section "ServerLayout"
Identifier "Layout0"
Screen 0 "Screen0" 0 0
InputDevice "Keyboard0" "CoreKeyboard"
InputDevice "Mouse0" "CorePointer"
Option "Xinerama" "0"
EndSection
Section "Files"
EndSection
Section "InputDevice"
# generated from default
Identifier "Mouse0"
Driver "mouse"
Option "Protocol" "auto"
Option "Device" "/dev/sysmouse"
Option "Emulate3Buttons" "no"
Option "ZAxisMapping" "4 5"
EndSection
Section "InputDevice"
# generated from default
Identifier "Keyboard0"
Driver "keyboard"
EndSection
Section "Monitor"
# HorizSync source: edid, VertRefresh source: edid
Identifier "Monitor0"
VendorName "Unknown"
ModelName "DELL E248WFP"
HorizSync 30.0 - 83.0
VertRefresh 56.0 - 76.0
Option "DPMS"
EndSection
Section "Device"
Identifier "Device0"
Driver "nvidia"
VendorName "NVIDIA Corporation"
BoardName "GeForce GTX 680"
EndSection
Section "Screen"
Identifier "Screen0"
Device "Device0"
Monitor "Monitor0"
DefaultDepth 24
Option "Stereo" "0"
Option "nvidiaXineramaInfoOrder" "DFP-0"
Option "metamodes" "DVI-I-1: nvidia-auto-select +0+0, DVI-D-0: nvidia-auto-select +4480+0, DP-1: nvidia-auto-select +1920+0"
Option "SLI" "Off"
Option "MultiGPU" "Off"
Option "BaseMosaic" "off"
SubSection "Display"
Depth 24
EndSubSection
EndSection
#!/bin/sh
/usr/bin/ypcat -k "$1" | \
sed 's/actimeo=\([0-9][0-9]*\)/acregmin=\1,acregmax=\1,acdirmin=\1,acdirmax=\1/' | \
sed 's/noquota//'
# The actimeo-replace can be removed when FreeBSD starts supporting actimeo.
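Review bot: The second filter `sed 's/noquota//'` removes only the word, so an entry such as `-rw,noquota,nosuid` comes out as `-rw,,nosuid`, and only the first occurrence per line is handled. Whether the automounter tolerates the empty option is not visible here; removing the separator with it avoids the question, e.g. `sed -e 's/,noquota//g' -e 's/noquota,//g'`. The map text comes straight from NIS and ends up as mount options, so a short header comment saying that the `-nosuid` in auto_master is what bounds a tampered map entry would help the next reader. The trailing comment about `actimeo` would read better above the `sed` line it describes.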
Section "InputClass"
Identifier "KeyboardDefaults"
Driver "libinput"
MatchIsKeyboard "on"
Option "XkbLayout" "se"
EndSection
[libdefaults]
default_realm = LYSATOR.LIU.SE
forwardable = true
[realms]
LYSATOR.LIU.SE = {
kdc = as-master.lysator.liu.se
kdc = as-slave1.lysator.liu.se
admin_server = as-master.lysator.liu.se
}
[domain_realm]
.lysator.liu.se = LYSATOR.LIU.SE
[appdefaults]
kinit = {
renewable = true
forwardable = true
}
group: cache files nis
#group_compat: nis
hosts: files dns
netgroup: compat
networks: files
passwd: cache files nis
#passwd_compat: nis
shells: files
services: compat
services_compat: cache nis
protocols: files
rpc: files
#
# $FreeBSD: releng/11.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
#
# $FreeBSD: releng/11.2/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
#
# PAM configuration for the "su" service
#
# auth
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=root root_only fail_safe ruser
auth include system
# account
account include system
# session
session required pam_permit.so
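Review bot: In `auth requisite pam_group.so no_warn group=root root_only fail_safe ruser` the group was changed from the stock `wheel` to `root` while `fail_safe` was kept. With `fail_safe`, pam_group treats a missing or empty group as if the caller were a member. FreeBSD's base group file names gid 0 `wheel`, so `root` presumably comes from the NIS group map (`group: cache files nis`). If that map is unavailable or the group has no members, the restriction on who may attempt `su` to root silently disappears and only the root password remains. Either drop `fail_safe` or keep the check on a locally defined group, and add a comment naming where the `root` group is defined.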
#
# $FreeBSD: releng/11.2/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
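Review bot: The line `auth required pam_unix.so no_warn try_first_pass nullok` is the stock default, but on these hosts the account database also includes NIS (`passwd: cache files nis`). `nullok` lets an account whose password field is empty authenticate without a prompt, so any NIS entry that appears with an empty field would be accepted by every service that includes `system`. The sshd stack in this same commit already omits `nullok`. Dropping it here as well (`auth required pam_unix.so no_warn try_first_pass`) makes the two consistent, or a comment should say why empty passwords must be accepted.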
# Path, X server and arguments (if needed)
# Note: -xauth $authfile is automatically appended
# Use default path from /etc/login.conf
default_path /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
default_xserver /usr/local/bin/X
# The X server needs to be started on an unused virtual terminal,
# for FreeBSD in a default configuration, the first one of those is #09
xserver_arguments -nolisten tcp vt09
# Commands for halt, login, etc.
halt_cmd /sbin/shutdown -p now
reboot_cmd /sbin/shutdown -r now
console_cmd /usr/local/bin/xterm -C -fg white -bg black +sb -T "Console login" -e /bin/sh -c "/bin/cat /etc/motd; exec /usr/bin/login"
suspend_cmd /usr/sbin/acpiconf -s 3
# Full path to the xauth binary
xauth_path /usr/local/bin/xauth
# Xauth file for server
authfile /var/run/slim.auth
# Activate numlock when slim starts. Valid values: on|off
# numlock on
# Hide the mouse cursor (note: does not work with some WMs).
# Valid values: true|false
# hidecursor false
# This command is executed after a succesful login.
# you can place the %session and %theme variables
# to handle launching of specific commands in .xinitrc
# depending of chosen session and slim theme
#
# NOTE: if your system does not have bash you need
# to adjust the command according to your preferred shell,
# i.e. for freebsd use:
login_cmd exec /bin/sh - ~/.xinitrc %session
#login_cmd exec /bin/bash -login ~/.xinitrc %session
# Commands executed when starting and exiting a session.
# They can be used for registering a X11 session with
# sessreg. You can use the %user variable
#
# sessionstart_cmd some command
# sessionstop_cmd some command
# Start in daemon mode. Valid values: yes | no
# Note that this can be overriden by the command line
# options "-d" and "-nodaemon"
# daemon yes
# Option "sessions" is no longer supported.
# Now you need to put session files in the directory specified
# by option "sessiondir".
# sessions xfce4,icewm-session,wmaker,blackbox
# Directory of session files.
# They should be xdg-style .desktop files.
# The "Name" entry in the session file would be used as session name.
# The "Exec" entry would replace %session in login_cmd.
sessiondir /usr/local/share/xsessions
# Executed when pressing F11 (requires imagemagick)
screenshot_cmd import -window root /slim.png
# welcome message. Available variables: %host, %domain
welcome_msg Welcome to %host
# Session message. Prepended to the session name when pressing F1
# session_msg Session:
# shutdown / reboot messages
shutdown_msg The system is powering down...
reboot_msg The system is rebooting...
# default user, leave blank or remove this line
# for avoid pre-loading the username.
#default_user simone
# Focus the password field on start when default_user is set
# Set to "yes" to enable this feature
#focus_password no
# Automatically login the default user (without entering
# the password. Set to "yes" to enable this feature
#auto_login no
# current theme, use comma separated list to specify a set to
# randomly choose from
current_theme lysator
# Lock file
lockfile /var/run/slim.pid
# Log file
logfile /var/log/slim.log
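Review bot: `screenshot_cmd import -window root /slim.png` is carried over from the sample config and can be triggered with F11 at the greeter, before anyone has logged in. The command then runs with whatever privileges the slim daemon has (presumably root) and writes to the filesystem root. The visible part of the manifest does not install ImageMagick, so the key probably does nothing useful today. Commenting it out (`# screenshot_cmd import -window root /slim.png`) removes an unauthenticated trigger that serves no purpose on a shared workstation.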
# text04 theme for SLiM
# by Johannes Winkelmann
# ... with improvements by Doug Barton, dougb@FreeBSD.org
# ... with further improvements by hugo, hugo@lysator.liu.se
# Messages (ie: shutdown)
msg_color #FFFFFF
msg_font Verdana:size=20:bold:dpi=75
msg_x 50%
msg_y 40%
msg_shadow_color #702342
msg_shadow_xoffset 1
msg_shadow_yoffset 1
# valid values: stretch, tile
background_style stretch
background_color #eedddd
# Input controls
input_panel_x 25%
input_panel_y 65%
input_name_x 394
input_name_y 181
input_font Verdana:size=12:dpi=75
input_color #000000
# Username / password request
username_font Verdana:size=14:bold:dpi=75
username_color #f9f9f9
username_x 280
username_y 183
password_x 280
password_y 183
username_shadow_xoffset 1
username_shadow_yoffset 1
username_shadow_color #702342
# Welcome message
welcome_font Verdana:size=12:dpi=75
welcome_color #f9f9f9
welcome_x 280
welcome_y 210
welcome_shadow_xoffset 1
welcome_shadow_yoffset 1
welcome_shadow_color #702342
username_msg Username:
password_msg Password:
welcome_msg %host (F1 to change WM)
# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
# $FreeBSD: releng/11.2/crypto/openssh/ssh_config 323136 2017-09-02 23:39:51Z des $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
# BatchMode no
# CheckHostIP no
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# VerifyHostKeyDNS yes
# VersionAddendum FreeBSD-20170903
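Review bot: `GSSAPIDelegateCredentials yes` is set at global scope (the `# Host *` line above it is still commented), so a forwardable TGT is handed to every server the user authenticates to with GSSAPI. krb5.conf in this commit also makes tickets forwardable by default. A compromised or merely less-trusted host that receives the delegated ticket can act as the user throughout the realm for the ticket's lifetime. Scoping delegation to hosts that need it keeps the convenience for the home-directory machines: put `Host *.lysator.liu.se` before the two GSSAPI lines and keep `GSSAPIDelegateCredentials no` as the default for everything else.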
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# $FreeBSD: releng/11.2/crypto/openssh/sshd_config 323136 2017-09-02 23:39:51Z des $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
#VersionAddendum FreeBSD-20170903
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
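Review bot: `PermitRootLogin yes` together with `PasswordAuthentication yes` leaves root open to password guessing over SSH. Nothing visible here narrows that: `MaxAuthTries` and `UseBlacklist` are commented at their defaults and there is no `AllowUsers`/`AllowGroups`. If root logins over SSH are required, `PermitRootLogin prohibit-password` keeps key and GSSAPI logins while refusing passwords for root. Otherwise `PermitRootLogin no` plus `su` from a personal account also gives a per-user audit trail. The stock comment `# Change to yes to enable built-in password authentication.` sits above a setting that is already enabled, and would be clearer as one line saying why password logins are kept on these hosts.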
class freebsd::base {
# Packages
package {
[
'ssmtp',
'vim-tiny',
]:
ensure => installed,
}
# Make periodic logs go to files instead of mail.
file { '/etc/periodic.conf':
ensure => file,
source => 'puppet:///modules/freebsd/periodic.conf',
owner => 'root',
group => 'wheel',
mode => '0644',
}
# Redirect syslog to Lysator's server.
file { '/etc/syslog.conf':
ensure => file,
source => 'puppet:///modules/freebsd/syslog.conf',
owner => 'root',
group => 'wheel',
mode => '0644',
}
# Configure ssmtp
file { '/usr/local/etc/ssmtp/ssmtp.conf':
ensure => file,
content => template('freebsd/ssmtp.conf.erb'),
owner => 'root',
group => 'ssmtp',
mode => '0640',
}