summaryrefslogtreecommitdiff
path: root/debian/vyos-1x.postinst
blob: ddc189508efed92f55fdb6353aee513b6266de6e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#!/bin/sh -e

# Turn off Debian default for %sudo
sed -i -e '/^%sudo/d' /etc/sudoers || true

# Add minion user for salt-minion
if ! grep -q '^minion' /etc/passwd; then
    adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
        --gecos "salt minion user" --shell /bin/vbash minion
    adduser --quiet minion frrvty
    adduser --quiet minion sudo
    adduser --quiet minion adm
    adduser --quiet minion dip
    adduser --quiet minion disk
    adduser --quiet minion users
    adduser --quiet minion frr
fi

# OpenVPN should get its own user
if ! grep -q '^openvpn' /etc/passwd; then
    adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
fi

# Enable 2FA/MFA support for SSH and local logins
for file in /etc/pam.d/sshd /etc/pam.d/login
do
    PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth       required     pam_google_authenticator.so nullok forward_pass\n"
    grep -qF -- "pam_google_authenticator.so" $file || \
    sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
done

# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
    adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \
        --no-create-home --gecos "radius user" \
        --shell /sbin/radius_shell radius_user
    adduser --quiet radius_user frrvty
    adduser --quiet radius_user vyattaop
    adduser --quiet radius_user operator
    adduser --quiet radius_user adm
    adduser --quiet radius_user dip
    adduser --quiet radius_user users
fi

# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
    adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \
        --no-create-home --gecos "radius privileged user" \
        --shell /sbin/radius_shell radius_priv_user
    adduser --quiet radius_priv_user frrvty
    adduser --quiet radius_priv_user vyattacfg
    adduser --quiet radius_priv_user sudo
    adduser --quiet radius_priv_user adm
    adduser --quiet radius_priv_user dip
    adduser --quiet radius_priv_user disk
    adduser --quiet radius_priv_user users
    adduser --quiet radius_priv_user frr
fi

# add hostsd group for vyos-hostsd
if ! grep -q '^hostsd' /etc/group; then
    addgroup --quiet --system hostsd
fi

# add dhcpd user for dhcp-server
if ! grep -q '^dhcpd' /etc/passwd; then
    adduser --quiet --system --disabled-login --no-create-home --home /run/dhcp-server dhcpd
    adduser --quiet dhcpd hostsd
fi

# ensure hte proxy user has a proper shell
chsh -s /bin/sh proxy

# create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
if [ ! -x $POSTCONFIG_SCRIPT ]; then
    mkdir -p $(dirname $POSTCONFIG_SCRIPT)
    touch $POSTCONFIG_SCRIPT
    chmod 755 $POSTCONFIG_SCRIPT
    cat <<EOF >>$POSTCONFIG_SCRIPT
#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied.
# Any modifications required to work around unfixed bugs
# or use services not available through the VyOS CLI system can be placed here.

EOF
fi

# symlink destination is deleted during ISO assembly - this generates some noise
# when the system boots: systemd-sysv-generator[1881]: stat() failed on
# /etc/init.d/README, ignoring: No such file or directory. Thus we simply drop
# the file.
if [ -L /etc/init.d/README ]; then
    rm -f /etc/init.d/README
fi

# Remove unwanted daemon files from /etc
# conntackd
# pmacct
# fastnetmon
# ntp
DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/conntrackd
        /etc/default/pmacctd /etc/pmacct
        /etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf
        /etc/ntp.conf /etc/default/ssh
        /etc/powerdns /etc/default/pdns-recursor
        /etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns"
for tmp in $DELETE; do
    if [ -e ${tmp} ]; then
        rm -rf ${tmp}
    fi
done

# Remove logrotate items controlled via CLI and VyOS defaults
sed -i '/^\/var\/log\/messages$/d' /etc/logrotate.d/rsyslog
sed -i '/^\/var\/log\/auth.log$/d' /etc/logrotate.d/rsyslog

# Fix FRR pam.d "vtysh_pam" vtysh_pam: Failed in account validation T5110
if test -f /etc/pam.d/frr; then
    if grep -q 'pam_rootok.so' /etc/pam.d/frr; then
        sed -i -re 's/rootok/permit/' /etc/pam.d/frr
    fi
fi

# Generate API GraphQL schema
/usr/libexec/vyos/services/api/graphql/generate/generate_schema.py