another batch of updates (#572)

- i/mta: quieter sysrc check
- i/shell: quieter editing
- haproxy: add lo1 IP to pf allow
- haraka: node 18 -> 20
- host: add pf rules for dhcp, IPv6 routing, and NTP
- mt: added "provision web" target
- mt: disable TOASTER_AUDIT by default 
- roundcube: drop PHP ver to 8.2

include/mta.sh

@@ -66,7 +66,7 @@ disable_sendmail()
 	local _periodic="sysrc -f $_base/etc/periodic.conf"
 	for _c in daily_clean_hoststat_enable daily_status_mail_rejects_enable daily_status_include_submit_mailq daily_submit_queuerun;
 	do
-		if [ "$($_periodic -n $_c)" != "NO" ]; then $_periodic $_c=NO; fi
+		if [ "$($_periodic -i -n $_c)" != "NO" ]; then $_periodic $_c=NO; fi
 	done
 }
 

include/shell.sh

@@ -56,7 +56,7 @@ configure_bourne_shell()
 	_f="$1/etc/profile.d/toaster.sh"
 	if ! grep -qs ^PS1 "$_f"; then
 		tell_status "customizing bourne shell prompt"
-		tee -a "$_f" <<'EO_BOURNE_SHELL'
+		cat <<'EO_BOURNE_SHELL' > "$_f"
 alias h='fc -l'
 alias m=$PAGER
 alias ll="ls -alFG"
@@ -78,9 +78,7 @@ EO_BOURNE_SHELL
 	fi
 
 	if ! grep -qs profile "/root/.profile"; then
-		tee -a "/root/.profile" <<EO_INCL
-. /etc/profile
-EO_INCL
+		echo ". /etc/profile" >> "/root/.profile"
 	fi
 }
 
@@ -93,7 +91,7 @@ configure_csh_shell()
 	fi
 
 	tell_status "configure C shell"
-	tee -a "$_cshrc" <<'EO_CSHRC'
+	cat <<'EO_CSHRC' > "$_cshrc"
 alias h         history 25
 alias j         jobs -l
 alias la        ls -aF

mail-toaster.sh

@@ -24,14 +24,14 @@ store_config()
 	# $1 - path to config file, $2 - overwrite, STDIN is file contents
 	if [ ! -d "$(dirname $1)" ]; then
 		tell_status "creating $(dirname $1)"
-		mkdir -p "$(dirname $1)" || exit 1
+		mkdir -p "$(dirname $1)"
 	fi
 
-	cat - > "$1.mt6" || exit 1
+	cat - > "$1.mt6"
 
 	if [ ! -f "$1" ] || [ -n "$2" ]; then
 		tell_status "installing $1"
-		cp "$1.mt6" "$1" || exit 1
+		cp "$1.mt6" "$1"
 	else
 		tell_status "preserving $1"
 	fi
@@ -80,7 +80,7 @@ export TOASTER_MSA="haraka"
 export TOASTER_MYSQL="1"
 export TOASTER_MYSQL_PASS=""
 export TOASTER_NRPE=""
-export TOASTER_PKG_AUDIT="1"
+export TOASTER_PKG_AUDIT="0"
 export TOASTER_PKG_BRANCH="latest"
 export TOASTER_USE_TMPFS="0"
 export TOASTER_VPOPMAIL_CLEAR="1"
@@ -178,7 +178,7 @@ export TOASTER_MYSQL=${TOASTER_MYSQL:="1"}
 export TOASTER_MARIADB=${TOASTER_MARIADB:="0"}
 export TOASTER_NTP=${TOASTER_NTP:="ntp"}
 export TOASTER_MSA=${TOASTER_MSA:="haraka"}
-export TOASTER_PKG_AUDIT=${TOASTER_PKG_AUDIT:="1"}
+export TOASTER_PKG_AUDIT=${TOASTER_PKG_AUDIT:="0"}
 export TOASTER_PKG_BRANCH=${TOASTER_PKG_BRANCH:="latest"}
 export TOASTER_USE_TMPFS=${TOASTER_USE_TMPFS:="0"}
 export TOASTER_VPOPMAIL_CLEAR=${TOASTER_VPOPMAIL_CLEAR:="1"}
@@ -1100,6 +1100,8 @@ provision()
 
 	case "$1" in
 		host)   fetch_and_exec "$1"; return;;
+		web)    for _j in haproxy webmail roundcube snappymail; do fetch_and_exec "$_j"; done
+			return;;
 		mt6)    provision_mt6; return;;
 	esac
 

provision/dcc.sh

@@ -55,8 +55,8 @@ configure_dcc()
 
 	_pf_etc="$ZFS_DATA_MNT/dcc/etc/pf.conf.d"
 	store_config "$_pf_etc/allow.conf" <<EO_PF_ALLOW
-pass in quick proto udp from any port 6277 to $(get_jail_ip  dcc)
-pass in quick proto udp from any port 6277 to $(get_jail_ip6 dcc)
+table <dcc_server> { \$ext_ip4 \$ext_ip6 $(get_jail_ip dcc) $(get_jail_ip6 dcc) }
+pass in quick proto udp from any port 6277 to <dcc_server>
 EO_PF_ALLOW
 
 	store_config "$_pf_etc/rdr.conf" <<EO_PF_RDR

provision/dovecot.sh

@@ -523,6 +523,7 @@ configure_dovecot_pf()
 
 	store_config "$_pf_etc/insecure_mua" <<EO_PF_INSECURE
 # 10.0.0.0/8
+# 172.16.0.0/12
 # 192.168.0.0/16
 EO_PF_INSECURE
 
@@ -539,7 +540,7 @@ EO_PF_RDR
 
 	store_config "$_pf_etc/allow.conf" <<EO_PF_RDR
 mua_ports = "{ 110 143 993 995 }"
-table <mua_servers> persist { $(get_jail_ip dovecot), $(get_jail_ip6 dovecot) }
+table <mua_servers> persist { \$ext_ip4 \$ext_ip6 $(get_jail_ip dovecot) $(get_jail_ip6 dovecot) }
 pass in quick proto tcp from any to <mua_servers> port \$mua_ports
 EO_PF_RDR
 }

provision/haproxy.sh

@@ -335,13 +335,16 @@ configure_haproxy()
 
 	_pf_etc="$ZFS_DATA_MNT/haproxy/etc/pf.conf.d"
 	store_config "$_pf_etc/rdr.conf" <<EO_PF
-rdr inet  proto tcp from any to <ext_ip4> port { 80 443 } -> $(get_jail_ip  haproxy)
+rdr inet  proto tcp from any to <ext_ip4> port { 80 443 } -> $(get_jail_ip haproxy)
 rdr inet6 proto tcp from any to <ext_ip6> port { 80 443 } -> $(get_jail_ip6 haproxy)
 EO_PF
 
+	get_public_ip
+	get_public_ip ipv6
+
 	store_config "$_pf_etc/allow.conf" <<EO_PF
-pass in quick inet  proto tcp from any to <ext_ip4> port { 80 443 }
-pass in quick inet6 proto tcp from any to <ext_ip6> port { 80 443 }
+table <http_servers> { $PUBLIC_IP4 $PUBLIC_IP6 $(get_jail_ip haproxy) $(get_jail_ip6 haproxy) }
+pass in quick proto tcp from any to <http_servers> port { 80 443 }
 EO_PF
 
 	configure_haproxy_tls

provision/haraka.sh

@@ -14,7 +14,7 @@ HARAKA_CONF="$ZFS_DATA_MNT/haraka/config"
 install_haraka()
 {
 	tell_status "installing node & npm"
-	stage_pkg_install npm-node18 gmake pkgconf git-tiny
+	stage_pkg_install npm-node20 gmake pkgconf git-tiny
 	if [ "$BOURNE_SHELL" != "bash" ]; then
 		tell_status "Install bash since not in base"
 		stage_pkg_install bash
@@ -396,7 +396,7 @@ configure_haraka_smtp_ini()
 		"$HARAKA_CONF/smtp.ini"
 }
 
-configure_haraka_outbound_ini
+configure_haraka_outbound_ini()
 {
 	if [ ! -f "$HARAKA_CONF/outbound.ini" ]; then
 		configure_install_default outbound.ini

provision/host.sh

@@ -329,13 +329,17 @@ add_jail_nat()
 ## Macros
 
 ext_if="$PUBLIC_NIC"
-table <ext_ip4> { $PUBLIC_IP4 }
-table <ext_ip6> { $PUBLIC_IP6 }
+ext_ip4="$PUBLIC_IP4"
+ext_ip6="$PUBLIC_IP6"
+
+table <ext_ip>  { \$ext_ip4 \$ext_ip6 } persist
+table <ext_ip4> { \$ext_ip4 } persist
+table <ext_ip6> { \$ext_ip6 } persist
 
 table <bruteforce> persist
 table <sshguard> persist
 
-## Translation / NAT
+## NAT / Network Address Translation
 
 # default route to the internet for jails
 nat on \$ext_if inet  from $JAIL_NET_PREFIX.0${JAIL_NET_MASK} to any -> (\$ext_if)
@@ -347,7 +351,7 @@ nat-anchor "nat/*"
 
 rdr-anchor "rdr/*"
 
-## Filtering rules
+## Filtering
 
 # block everything by default. Be careful!
 #block in log on \$ext_if
@@ -356,6 +360,18 @@ block in quick from <bruteforce>
 
 block in quick proto tcp from <sshguard> to any port ssh
 
+# DHCP
+pass in inet  proto udp from port 67 to port 68
+pass in inet6 proto udp from port 547 to port 546
+
+# IPv6 routing
+pass in inet6 proto ipv6-icmp icmp6-type 134
+pass in inet6 proto ipv6-icmp icmp6-type 135
+pass in inet6 proto ipv6-icmp icmp6-type 136
+
+# NTP
+pass out quick on \$ext_if proto udp to any port ntp keep state
+
 pass  in quick on \$ext_if proto tcp to port ssh \
         flags S/SA synproxy state \
         (max-src-conn 10, max-src-conn-rate 8/15, overload <bruteforce> flush global)

provision/roundcube.sh

@@ -12,7 +12,7 @@ mt6-include php
 mt6-include nginx
 mt6-include mysql
 
-PHP_VER="83"
+PHP_VER="82"
 
 mysql_error_warning()
 {

provision/wildduck.sh

@@ -56,13 +56,15 @@ configure_pf()
 	_pf_etc="$ZFS_DATA_MNT/wildduck/etc/pf.conf.d"
 
 	store_config "$_pf_etc/rdr.conf" <<EO_PF_RDR
-rdr proto tcp from any to <ext_ip4> port 993 -> $(get_jail_ip  wildduck) port 9993
-rdr proto tcp from any to <ext_ip4> port 995 -> $(get_jail_ip  wildduck) port 9995
+rdr inet  proto tcp from any to <ext_ip4> port 993 -> $(get_jail_ip wildduck) port 9993
+rdr inet  proto tcp from any to <ext_ip4> port 995 -> $(get_jail_ip wildduck) port 9995
+rdr inet6 proto tcp from any to <ext_ip6> port 993 -> $(get_jail_ip6 wildduck) port 9993
+rdr inet6 proto tcp from any to <ext_ip6> port 995 -> $(get_jail_ip6 wildduck) port 9995
 EO_PF_RDR
 
 	store_config "$_pf_etc/allow.conf" <<EO_PF_ALLOW
 mua_ports = "{ 993 995 9993 9995 }"
-table <mua_servers> persist { $(get_jail_ip wildduck), $(get_jail_ip6 wildduck) }
+table <mua_servers> persist { \$ext_ip4 \$ext_ip6 $(get_jail_ip wildduck), $(get_jail_ip6 wildduck) }
 pass in quick proto tcp from any to <mua_servers> port \$mua_ports
 EO_PF_ALLOW
 }