postfix: fix stage path

- dns: create dns/control - rsnapshot: move * outside of quotes so glob works - unifi: install v8 - unifi: v8 wants openjdk17 - postfix: use port installed newaliases cmd - vpopmail: switch back to port build - vpopmail: install gmake port sooner - mt: remove lesser known / deprecated opts - mt: use safe name for jails .conf file - dcc: add PF rdr and allow rules - dovecot & mongo: add sysvipc to START_EXTRA
msimerson · Mar 13, 2024 · c80b70d · c80b70d
1 parent c4d1971
commit c80b70d
Show file tree

Hide file tree

Showing 9 changed files with 40 additions and 25 deletions.
diff --git a/mail-toaster.sh b/mail-toaster.sh
@@ -77,26 +77,21 @@ export JAIL_NET6="$(get_random_ip6net)"
 export ZFS_VOL="zroot"
 export ZFS_JAIL_MNT="/jails"
 export ZFS_DATA_MNT="/data"
-export TOASTER_MARIADB="0"
 export TOASTER_MSA="haraka"
 export TOASTER_MYSQL="1"
 export TOASTER_MYSQL_PASS=""
 export TOASTER_NRPE=""
 export TOASTER_PKG_AUDIT="0"
 export TOASTER_PKG_BRANCH="latest"
-export TOASTER_QMHANDLE="0"
-export TOASTER_SENTRY=""
 export TOASTER_USE_TMPFS="0"
 export TOASTER_VPOPMAIL_CLEAR="1"
 export TOASTER_VPOPMAIL_EXT="0"
 export CLAMAV_FANGFRISCH="0"
-export CLAMAV_UNOFFICIAL="0"
 export MAXMIND_LICENSE_KEY=""
 export ROUNDCUBE_SQL="0"
 export ROUNDCUBE_DEFAULT_HOST=""
 export ROUNDCUBE_PRODUCT_NAME="Roundcube Webmail"
 export ROUNDCUBE_ATTACHMENT_SIZE_MB="25"
-export SQUIRREL_SQL="0"
 
 EO_MT_CONF
 
@@ -480,21 +475,22 @@ get_safe_jail_path()
 
 add_jail_conf_d()
 {
+	_safe_path="/etc/jail.conf.d/$(safe_jailname $1).conf"
 	if [ -f "/etc/jail.conf.d/$1.conf" ]; then
-		tell_status "preserving jail config /etc/jail.conf.d/$1.conf"
+		tell_status "preserving jail config $_safe_path"
 		return
 	fi
 
-	tell_status "creating /etc/jail.conf.d/$1.conf"
+	tell_status "creating $_safe_path"
 	echo "$(jail_conf_header)
 
-$1	{$(get_safe_jail_path $1)
-		mount.fstab = \"$ZFS_DATA_MNT/$1/etc/fstab\";
+$(safe_jailname $1)	{$(get_safe_jail_path $1)
+		mount.fstab = \"\$path/etc/fstab\";
 		ip4.addr = $JAIL_NET_INTERFACE|${_jail_ip};
 		ip6.addr = $JAIL_NET_INTERFACE|$(get_jail_ip6 $1);${JAIL_CONF_EXTRA}
-		exec.created = \"$ZFS_DATA_MNT/$1/etc/pf.conf.d/pfrule.sh load\";
-		exec.poststop = \"$ZFS_DATA_MNT/$1/etc/pf.conf.d/pfrule.sh unload\";
-	}" | tee -a /etc/jail.conf.d/$1.conf
+		exec.created = \"\$path/etc/pf.conf.d/pfrule.sh load\";
+		exec.poststop = \"\$path/etc/pf.conf.d/pfrule.sh unload\";
+	}" | tee -a $_safe_path
 }
 
 add_automount()

diff --git a/provision/dcc.sh b/provision/dcc.sh
@@ -53,6 +53,18 @@ configure_dcc()
 		-e '/^DCCM_REJECT_AT/ s/=.*/=MANY/' \
 		-e "/^DCCIFD_ARGS/ s/-SList-ID\"/-SList-ID -p*,1025,$JAIL_NET_PREFIX.0\/24\"/" \
 		"$STAGE_MNT/var/db/dcc/dcc_conf"
+
+	_pf_etc="$ZFS_DATA_MNT/dcc/etc/pf.conf.d"
+	store_config "$_pf_etc/allow.conf" <<EO_PF_ALLOW
+pass in quick proto udp from any port 6277 to $(get_jail_ip  dcc)
+pass in quick proto udp from any port 6277 to $(get_jail_ip6 dcc)
+EO_PF_ALLOW
+
+	store_config "$_pf_etc/rdr.conf" <<EO_PF_RDR
+rdr inet  proto tcp from any to <ext_ip4> port 6277 -> $(get_jail_ip  dcc)
+rdr inet6 proto tcp from any to <ext_ip6> port 6277 -> $(get_jail_ip6 dcc)
+EO_PF_RDR
+
 }
 
 start_dcc()

diff --git a/provision/dns.sh b/provision/dns.sh
@@ -107,6 +107,10 @@ enable_control()
 		return
 	fi
 
+	tell_status "creating $ZFS_DATA_MNT/dns/control"
+	mkdir "$ZFS_DATA_MNT/dns/control" || exit
+
+	tell_status "configuring unbound-control"
 	tee "$ZFS_DATA_MNT/dns/control.conf" <<EO_CONTROL_CONF
 		control-enable: yes
 		control-interface: 0.0.0.0

diff --git a/provision/dovecot.sh b/provision/dovecot.sh
@@ -2,6 +2,7 @@
 
 . mail-toaster.sh || exit
 
+export JAIL_START_EXTRA="allow.sysvipc=1"
 export JAIL_FSTAB="$ZFS_DATA_MNT/vpopmail/home $ZFS_JAIL_MNT/dovecot/usr/local/vpopmail nullfs rw 0 0"
 
 mt6-include vpopmail
@@ -639,7 +640,7 @@ base_snapshot_exists || exit
 create_staged_fs dovecot
 mkdir -p "$STAGE_MNT/usr/local/vpopmail"
 start_staged_jail dovecot
-allow_sysvipc_stage
+#allow_sysvipc_stage
 install_dovecot
 configure_dovecot
 stage_resolv_conf

diff --git a/provision/mongodb.sh b/provision/mongodb.sh
@@ -2,8 +2,9 @@
 
 . mail-toaster.sh || exit
 
-export JAIL_START_EXTRA=""
+export JAIL_START_EXTRA="allow.sysvipc=1 allow.mlock=1"
 export JAIL_CONF_EXTRA="
+		allow.raw_sockets;
 		allow.sysvipc;
 		allow.mlock;"
 

diff --git a/provision/postfix.sh b/provision/postfix.sh
@@ -80,15 +80,15 @@ configure_postfix()
 	if [ -f "$ZFS_JAIL_MNT/postfix/etc/aliases" ]; then
 		tell_status "preserving /etc/aliases"
 		cp "$ZFS_JAIL_MNT/postfix/etc/aliases" "$STAGE_MNT/etc/aliases"
-		stage_exec /usr/bin/newaliases
+		stage_exec /usr/local/bin/newaliases
 	elif [ -f "$ZFS_DATA_MNT/postfix/etc/aliases" ]; then
 		cp "$ZFS_DATA_MNT/postfix/etc/aliases" "$STAGE_MNT/etc/aliases"
-		stage_exec /usr/bin/newaliases
+		stage_exec /usr/local/bin/newaliases
 	fi
 
-	if [ ! -f "$ZFS_JAIL_MNT/usr/local/etc/mail/mailer.conf" ]; then
-		if [ ! -d "$ZFS_JAIL_MNT/usr/local/etc/mail" ]; then
-			mkdir "$ZFS_JAIL_MNT/usr/local/etc/mail" || exit 1
+	if [ ! -f "$STAGE_MNT/usr/local/etc/mail/mailer.conf" ]; then
+		if [ ! -d "$STAGE_MNT/usr/local/etc/mail" ]; then
+			mkdir -p "$STAGE_MNT/usr/local/etc/mail"
 		fi
 		stage_exec install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf
 	fi

diff --git a/provision/rsnapshot.sh b/provision/rsnapshot.sh
@@ -47,7 +47,7 @@ EO_RSNAP
 		if [ ! -d "$STAGE_MNT/root/.ssh" ]; then
 			umask 0077; mkdir "$STAGE_MNT/root/.ssh"; umask 0022;
 		fi
-		cp "$ZFS_DATA_MNT/rsnapshot/ssh/*" "$STAGE_MNT/root/.ssh" || exit 1
+		cp "$ZFS_DATA_MNT/rsnapshot/ssh/"* "$STAGE_MNT/root/.ssh/" || exit 1
 	fi
 }
 

diff --git a/provision/unifi.sh b/provision/unifi.sh
@@ -11,10 +11,10 @@ proc     /jails/unifi/proc   procfs  rw 0 0"
 install_unifi()
 {
 	tell_status "installing Unifi deps"
-	stage_pkg_install mongodb44 openjdk11 snappyjava gmake || exit
+	stage_pkg_install mongodb44 openjdk17 snappyjava gmake || exit
 
 	tell_status "installing Unifi"
-	stage_port_install net-mgmt/unifi7 || exit
+	stage_port_install net-mgmt/unifi8 || exit
 
 	tell_status "Enable UniFi"
 	stage_sysrc unifi_enable=YES

diff --git a/provision/vpopmail.sh b/provision/vpopmail.sh
@@ -120,7 +120,6 @@ mail_qmailadmin_UNSET=CATCHALL CRACKLIB IDX_SQL SPAM_DETECTION SPAM_NEEDS_EMAIL
 
 	export WEBDATADIR=www/data CGIBINDIR=www/cgi-bin CGIBINSUBDIR=qmailadmin SPAM_COMMAND="| /usr/local/bin/maildrop /usr/local/etc/mail/mailfilter"
 
-	stage_port_install devel/gmake || exit
 	stage_port_install mail/qmailadmin || exit
 
 	install_lighttpd
@@ -247,8 +246,10 @@ install_vpopmail()
 	tell_status "installing vpopmail package"
 	stage_pkg_install vpopmail || exit
 
-	# install_vpopmail_port
-	install_vpopmail_source
+	stage_port_install devel/gmake || exit
+
+	install_vpopmail_port
+	#install_vpopmail_source
 	if [ "$TOASTER_MYSQL" = "1" ]; then
 		install_vpopmail_mysql_grants
 		install_vpopmail_mysql_aliastable