appliances-old/privacyidea/Makefile

preinstall:
	# hardcoded users and groups
	$(inroot) useradd --system --comment="created from appliance building - zabbix user" --home-dir="/var/lib/zabbix/home" --shell="/sbin/nologin" --no-create-home --uid 600 --user-group zabbix
	$(inroot) useradd --system --comment="created from appliance building - freeradius user" --home-dir="/var/log/radius" --shell="/sbin/nologin" --no-create-home --uid 604 --user-group radius
	$(inroot) useradd --system --comment="created from appliance building - privacyidea user" --home-dir="/var/lib/privacyidea/home" --shell="/sbin/nologin" --no-create-home --uid 605 --user-group privacyidea
	# switch to hardened, build hardened toolchain, rebuild everything
	mkdir -p $(CHROOT)/etc/portage/profile
	echo "-hardened" >> $(CHROOT)/etc/portage/profile/use.mask
	$(inroot) $(EMERGE) $(USEPKG) --oneshot gcc
	$(inroot) $(EMERGE) $(USEPKG) --oneshot binutils virtual/libc
	-$(gcc_config)
	$(inroot) $(EMERGE) $(USEPKG) --emptytree @world
	$(inroot) bash -c 'yes YES | etc-update --automode -9'

postinstall: base/timesyncd.conf base/firstboot.start
	# Konfigurationen anpassen
	cp base/timesyncd.conf $(CHROOT)/etc/systemd/timesyncd.conf
	mkdir -p $(CHROOT)/etc/local.d
	cp base/firstboot.start $(CHROOT)/etc/local.d/firstboot.start
	touch $(CHROOT)/firstboot
	sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/' $(CHROOT)/etc/sudoers
	sed -i 's#^auth.*$$#auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys\nauth    include         system-auth#' $(CHROOT)/etc/pam.d/sudo
	echo "Defaults   env_keep += SSH_AUTH_SOCK" > $(CHROOT)/etc/sudoers.d/ssh_auth_sock
	$(inroot) useradd -m -G users,wheel -s /bin/bash --comment="virtual appliance admin" --uid 2000 admin
	$(inroot) passwd -d admin; $(inroot) passwd -e admin
	$(inroot) systemctl enable tmux@root.service
	cp base/tmux.conf $(CHROOT)/root/.tmux.conf

	# Beispiel feste IP-Adresse
	cp base/00-eth0.network $(CHROOT)/00-eth0.network.example

	# MariaDB-Konfiguration ($$, weil make ein $ entfernt)
	sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
	echo >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
	echo "collation-server = utf8mb4_general_ci" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
	echo "transaction_isolation = READ-COMMITTED" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
	echo "binlog_format = ROW" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
	echo "expire_logs_days = 3" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
	echo "innodb_file_per_table = 1" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
	echo "innodb_large_prefix = on" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
	cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf
	chmod 0600 $(CHROOT)/root/.my.cnf
	rm -rf $(CHROOT)/var/lib/mysql/*
	$(inroot) bash -c 'yes gentoo | emerge --config dev-db/mariadb'

	# Apache-/PHP-Konfiguration
	sed -i 's:APACHE2_OPTS=\":APACHE2_OPTS=\"-D WSGI :' $(CHROOT)/etc/conf.d/apache2
	cp apache/00_default_ssl_vhost.conf $(CHROOT)/etc/apache2/vhosts.d/
	$(inroot) systemctl enable apache2

	# privacyIDEA Konfiguration (eigene Voreinstellungen)
	cp privacyidea/enckey $(CHROOT)/etc/privacyidea/
	cp privacyidea/pi.cfg $(CHROOT)/etc/privacyidea/
	cp privacyidea/private.pem $(CHROOT)/etc/privacyidea/
	cp privacyidea/public.pem $(CHROOT)/etc/privacyidea/
	mkdir $(CHROOT)/etc/privacyidea/CA
	cp privacyidea/openssl.cnf $(CHROOT)/etc/privacyidea/CA/
	$(inroot) chown -R privacyidea:root /etc/privacyidea
	chmod 600 $(CHROOT)/etc/privacyidea/enckey
	chmod 600 $(CHROOT)/etc/privacyidea/private.pem
	touch $(CHROOT)/var/log/privacyidea/privacyidea.log
	$(inroot) chown privacyidea:root /var/log/privacyidea/privacyidea.log

	# FreeRADIUS-Konfiguration
	mv $(CHROOT)/etc/raddb/dictionary $(CHROOT)/etc/raddb/dictionary.orig
	cp $(CHROOT)/etc/privacyidea/dictionary $(CHROOT)/etc/raddb/
	$(inroot) chown root:radius /etc/raddb/dictionary
	chmod 640 $(CHROOT)/etc/raddb/dictionary
	cp $(CHROOT)/etc/privacyidea/freeradius3/mods-perl-privacyidea $(CHROOT)/etc/raddb/mods-available/perl-privacyidea
	ln -s ../mods-available/perl-privacyidea $(CHROOT)/etc/raddb/mods-enabled/perl-privacyidea
	cp $(CHROOT)/etc/privacyidea/freeradius3/privacyidea $(CHROOT)/etc/raddb/sites-available/
	$(inroot) chown root:radius /etc/raddb/sites-available/privacyidea
	chmod 640 $(CHROOT)/etc/raddb/sites-available/privacyidea
	rm $(CHROOT)/etc/raddb/mods-enabled/eap
	rm $(CHROOT)/etc/raddb/sites-enabled/*
	ln -s ../sites-available/privacyidea $(CHROOT)/etc/raddb/sites-enabled/privacyidea
	$(inroot) systemctl enable freeradius

clean:
privacyIDEA: initial commit 2017-07-26 21:31:31 +02:00			`preinstall:`
privacyidea: hardcoded user ids, using the new makefile 2020-02-15 18:08:26 +01:00			`# hardcoded users and groups`
			`$(inroot) useradd --system --comment="created from appliance building - zabbix user" --home-dir="/var/lib/zabbix/home" --shell="/sbin/nologin" --no-create-home --uid 600 --user-group zabbix`
			`$(inroot) useradd --system --comment="created from appliance building - freeradius user" --home-dir="/var/log/radius" --shell="/sbin/nologin" --no-create-home --uid 604 --user-group radius`
			`$(inroot) useradd --system --comment="created from appliance building - privacyidea user" --home-dir="/var/lib/privacyidea/home" --shell="/sbin/nologin" --no-create-home --uid 605 --user-group privacyidea`
privacyIDEA: initial commit 2017-07-26 21:31:31 +02:00			`# switch to hardened, build hardened toolchain, rebuild everything`
			`mkdir -p $(CHROOT)/etc/portage/profile`
			`echo "-hardened" >> $(CHROOT)/etc/portage/profile/use.mask`
			`$(inroot) $(EMERGE) $(USEPKG) --oneshot gcc`
			`$(inroot) $(EMERGE) $(USEPKG) --oneshot binutils virtual/libc`
			`-$(gcc_config)`
			`$(inroot) $(EMERGE) $(USEPKG) --emptytree @world`
			`$(inroot) bash -c 'yes YES \| etc-update --automode -9'`

privacyidea: hardcoded user ids, using the new makefile 2020-02-15 18:08:26 +01:00			`postinstall: base/timesyncd.conf base/firstboot.start`
privacyIDEA: initial commit 2017-07-26 21:31:31 +02:00			`# Konfigurationen anpassen`
privacyidea: hardcoded user ids, using the new makefile 2020-02-15 18:08:26 +01:00			`cp base/timesyncd.conf $(CHROOT)/etc/systemd/timesyncd.conf`
privacyIDEA: use gentoo kernel (hardened is unsupported), updates 2018-09-16 10:00:30 +02:00			`mkdir -p $(CHROOT)/etc/local.d`
privacyidea: hardcoded user ids, using the new makefile 2020-02-15 18:08:26 +01:00			`cp base/firstboot.start $(CHROOT)/etc/local.d/firstboot.start`
privacyIDEA: initial commit 2017-07-26 21:31:31 +02:00			`touch $(CHROOT)/firstboot`
			`sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/' $(CHROOT)/etc/sudoers`
privacyidea: add letsencrypt, sudo ssh forward 2020-02-24 16:57:00 +01:00			`sed -i 's#^auth.*$$#auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys\nauth include system-auth#' $(CHROOT)/etc/pam.d/sudo`
			`echo "Defaults env_keep += SSH_AUTH_SOCK" > $(CHROOT)/etc/sudoers.d/ssh_auth_sock`
privacyidea: hardcoded user ids, using the new makefile 2020-02-15 18:08:26 +01:00			`$(inroot) useradd -m -G users,wheel -s /bin/bash --comment="virtual appliance admin" --uid 2000 admin`
privacyIDEA: initial commit 2017-07-26 21:31:31 +02:00			`$(inroot) passwd -d admin; $(inroot) passwd -e admin`
privacyidea: big update (pi3, python3, ...) 2019-11-28 20:02:11 +01:00			`$(inroot) systemctl enable tmux@root.service`
privacyidea: hardcoded user ids, using the new makefile 2020-02-15 18:08:26 +01:00			`cp base/tmux.conf $(CHROOT)/root/.tmux.conf`
privacyIDEA: initial commit 2017-07-26 21:31:31 +02:00
			`# Beispiel feste IP-Adresse`
privacyidea: hardcoded user ids, using the new makefile 2020-02-15 18:08:26 +01:00			`cp base/00-eth0.network $(CHROOT)/00-eth0.network.example`
privacyIDEA: initial commit 2017-07-26 21:31:31 +02:00
privacyidea: Update, build changes 2019-07-07 13:54:56 +02:00			`# MariaDB-Konfiguration ($$, weil make ein $ entfernt)`
privacyidea: mariadb configuration updates 2020-02-19 10:39:21 +01:00			`sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf`
			`echo >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf`
			`echo "collation-server = utf8mb4_general_ci" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf`
			`echo "transaction_isolation = READ-COMMITTED" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf`
			`echo "binlog_format = ROW" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf`
			`echo "expire_logs_days = 3" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf`
			`echo "innodb_file_per_table = 1" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf`
			`echo "innodb_large_prefix = on" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf`
privacyIDEA: initial commit 2017-07-26 21:31:31 +02:00			`cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf`
			`chmod 0600 $(CHROOT)/root/.my.cnf`
			`rm -rf $(CHROOT)/var/lib/mysql/*`
			`$(inroot) bash -c 'yes gentoo \| emerge --config dev-db/mariadb'`

			`# Apache-/PHP-Konfiguration`
			`sed -i 's:APACHE2_OPTS=\":APACHE2_OPTS=\"-D WSGI :' $(CHROOT)/etc/conf.d/apache2`
			`cp apache/00_default_ssl_vhost.conf $(CHROOT)/etc/apache2/vhosts.d/`
			`$(inroot) systemctl enable apache2`

			`# privacyIDEA Konfiguration (eigene Voreinstellungen)`
			`cp privacyidea/enckey $(CHROOT)/etc/privacyidea/`
			`cp privacyidea/pi.cfg $(CHROOT)/etc/privacyidea/`
			`cp privacyidea/private.pem $(CHROOT)/etc/privacyidea/`
			`cp privacyidea/public.pem $(CHROOT)/etc/privacyidea/`
privacyidea: big update (pi3, python3, ...) 2019-11-28 20:02:11 +01:00			`mkdir $(CHROOT)/etc/privacyidea/CA`
privacyIDEA: initial commit 2017-07-26 21:31:31 +02:00			`cp privacyidea/openssl.cnf $(CHROOT)/etc/privacyidea/CA/`
			`$(inroot) chown -R privacyidea:root /etc/privacyidea`
			`chmod 600 $(CHROOT)/etc/privacyidea/enckey`
			`chmod 600 $(CHROOT)/etc/privacyidea/private.pem`
			`touch $(CHROOT)/var/log/privacyidea/privacyidea.log`
			`$(inroot) chown privacyidea:root /var/log/privacyidea/privacyidea.log`

			`# FreeRADIUS-Konfiguration`
privacyidea: update v3.2.2 2020-02-13 12:05:26 +01:00			`mv $(CHROOT)/etc/raddb/dictionary $(CHROOT)/etc/raddb/dictionary.orig`
			`cp $(CHROOT)/etc/privacyidea/dictionary $(CHROOT)/etc/raddb/`
privacyIDEA: Netknights Radius dictionary hinzugefügt 2017-09-12 09:28:04 +02:00			`$(inroot) chown root:radius /etc/raddb/dictionary`
			`chmod 640 $(CHROOT)/etc/raddb/dictionary`
privacyidea: update v3.2.2 2020-02-13 12:05:26 +01:00			`cp $(CHROOT)/etc/privacyidea/freeradius3/mods-perl-privacyidea $(CHROOT)/etc/raddb/mods-available/perl-privacyidea`
			`ln -s ../mods-available/perl-privacyidea $(CHROOT)/etc/raddb/mods-enabled/perl-privacyidea`
			`cp $(CHROOT)/etc/privacyidea/freeradius3/privacyidea $(CHROOT)/etc/raddb/sites-available/`
			`$(inroot) chown root:radius /etc/raddb/sites-available/privacyidea`
			`chmod 640 $(CHROOT)/etc/raddb/sites-available/privacyidea`
privacyIDEA: initial commit 2017-07-26 21:31:31 +02:00			`rm $(CHROOT)/etc/raddb/mods-enabled/eap`
			`rm $(CHROOT)/etc/raddb/sites-enabled/*`
			`ln -s ../sites-available/privacyidea $(CHROOT)/etc/raddb/sites-enabled/privacyidea`
			`$(inroot) systemctl enable freeradius`

			`clean:`