#!/bin/sh -e if ! deb-systemd-helper --quiet was-enabled salt-minion.service; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper disable salt-minion.service >/dev/null || true fi # Turn off Debian default for %sudo sed -i -e '/^%sudo/d' /etc/sudoers || true # Add minion user for salt-minion if ! grep -q '^minion' /etc/passwd; then adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \ --gecos "salt minion user" --shell /bin/vbash minion adduser --quiet minion frrvty adduser --quiet minion sudo adduser --quiet minion adm adduser --quiet minion dip adduser --quiet minion disk adduser --quiet minion users fi # OpenVPN should get its own user if ! grep -q '^openvpn' /etc/passwd; then adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn fi # Add RADIUS operator user for RADIUS authenticated users to map to if ! grep -q '^radius_user' /etc/passwd; then adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \ --no-create-home --gecos "radius user" \ --shell /sbin/radius_shell radius_user adduser --quiet radius_user frrvty adduser --quiet radius_user vyattaop adduser --quiet radius_user operator adduser --quiet radius_user adm adduser --quiet radius_user dip adduser --quiet radius_user users fi # Add RADIUS admin user for RADIUS authenticated users to map to if ! grep -q '^radius_priv_user' /etc/passwd; then adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \ --no-create-home --gecos "radius privileged user" \ --shell /sbin/radius_shell radius_priv_user adduser --quiet radius_priv_user frrvty adduser --quiet radius_priv_user vyattacfg adduser --quiet radius_priv_user sudo adduser --quiet radius_priv_user adm adduser --quiet radius_priv_user dip adduser --quiet radius_priv_user disk adduser --quiet radius_priv_user users fi # add hostsd group for vyos-hostsd if ! grep -q '^hostsd' /etc/group; then addgroup --quiet --system hostsd fi # add dhcpd user for dhcp-server if ! grep -q '^dhcpd' /etc/passwd; then adduser --quiet --system --disabled-login --no-create-home --home /run/dhcp-server dhcpd adduser --quiet dhcpd hostsd fi # ensure hte proxy user has a proper shell chsh -s /bin/sh proxy # vyatta-cfg-vpn migration for init in openswan ipsec setkey; do update-rc.d -f ${init} remove >/dev/null done # create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script # this should be after 'mkdir -p /opt/vyatta/etc/config/scripts' above if [ ! -x /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script ]; then touch /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script chmod 755 /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script cat <>/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script #!/bin/sh # This script is executed at boot time after VyOS configuration is fully applied. # Any modifications required to work around unfixed bugs # or use services not available through the VyOS CLI system can be placed here. EOF fi # remove keys rm -f /etc/ipsec.secrets touch /etc/ipsec.secrets chown root:root /etc/ipsec.secrets chmod 600 /etc/ipsec.secrets rm -f /etc/ipsec.d/private/localhost.localdomainKey.pem rm -f /etc/ipsec.d/certs/localhost.localdomainCert.pem