summaryrefslogtreecommitdiff
path: root/debian/vyos-1x.postinst
blob: a844cba65efa9f8636fc6a0f36b27b5997467228 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
#!/bin/sh -e

# Turn off Debian default for %sudo
sed -i -e '/^%sudo/d' /etc/sudoers || true

# Add minion user for salt-minion
if ! grep -q '^minion' /etc/passwd; then
    adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
        --gecos "salt minion user" --shell /bin/vbash minion
    adduser --quiet minion frrvty
    adduser --quiet minion sudo
    adduser --quiet minion adm
    adduser --quiet minion dip
    adduser --quiet minion disk
    adduser --quiet minion users
    adduser --quiet minion frr
fi

# OpenVPN should get its own user
if ! grep -q '^openvpn' /etc/passwd; then
    adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
fi

# Enable 2FA/MFA support for SSH and local logins
for file in /etc/pam.d/sshd /etc/pam.d/login
do
    PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth       required     pam_google_authenticator.so nullok forward_pass\n"
    grep -qF -- "pam_google_authenticator.so" $file || \
    sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
done

if ! grep -q '^aaa' /etc/group; then
    addgroup --firstgid 1000 --quiet aaa
fi

# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
    adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \
        --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
        --shell /sbin/radius_shell radius_user
    adduser --quiet radius_user frrvty
    adduser --quiet radius_user vyattaop
    adduser --quiet radius_user operator
    adduser --quiet radius_user adm
    adduser --quiet radius_user dip
    adduser --quiet radius_user users
    adduser --quiet radius_user aaa
fi

# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
    adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \
        --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
        --shell /sbin/radius_shell radius_priv_user
    adduser --quiet radius_priv_user frrvty
    adduser --quiet radius_priv_user vyattacfg
    adduser --quiet radius_priv_user sudo
    adduser --quiet radius_priv_user adm
    adduser --quiet radius_priv_user dip
    adduser --quiet radius_priv_user disk
    adduser --quiet radius_priv_user users
    adduser --quiet radius_priv_user frr
    adduser --quiet radius_priv_user aaa
fi

# add hostsd group for vyos-hostsd
if ! grep -q '^hostsd' /etc/group; then
    addgroup --quiet --system hostsd
fi

# add dhcpd user for dhcp-server
if ! grep -q '^dhcpd' /etc/passwd; then
    adduser --quiet --system --disabled-login --no-create-home --home /run/dhcp-server dhcpd
    adduser --quiet dhcpd hostsd
fi

# ensure hte proxy user has a proper shell
chsh -s /bin/sh proxy

# create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
if [ ! -x $POSTCONFIG_SCRIPT ]; then
    mkdir -p $(dirname $POSTCONFIG_SCRIPT)
    touch $POSTCONFIG_SCRIPT
    chmod 755 $POSTCONFIG_SCRIPT
    cat <<EOF >>$POSTCONFIG_SCRIPT
#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied.
# Any modifications required to work around unfixed bugs
# or use services not available through the VyOS CLI system can be placed here.

EOF
fi

# symlink destination is deleted during ISO assembly - this generates some noise
# when the system boots: systemd-sysv-generator[1881]: stat() failed on
# /etc/init.d/README, ignoring: No such file or directory. Thus we simply drop
# the file.
if [ -L /etc/init.d/README ]; then
    rm -f /etc/init.d/README
fi

# Remove unwanted daemon files from /etc
# conntackd
# pmacct
# fastnetmon
# ntp
DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/conntrackd
        /etc/default/pmacctd /etc/pmacct
        /etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf
        /etc/ntp.conf /etc/default/ssh
        /etc/powerdns /etc/default/pdns-recursor
        /etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns"
for tmp in $DELETE; do
    if [ -e ${tmp} ]; then
        rm -rf ${tmp}
    fi
done

# Remove logrotate items controlled via CLI and VyOS defaults
sed -i '/^\/var\/log\/messages$/d' /etc/logrotate.d/rsyslog
sed -i '/^\/var\/log\/auth.log$/d' /etc/logrotate.d/rsyslog

# Fix FRR pam.d "vtysh_pam" vtysh_pam: Failed in account validation T5110
if test -f /etc/pam.d/frr; then
    if grep -q 'pam_rootok.so' /etc/pam.d/frr; then
        sed -i -re 's/rootok/permit/' /etc/pam.d/frr
    fi
fi

# Enable Cloud-init pre-configuration service
systemctl enable vyos-config-cloud-init.service

# Generate API GraphQL schema
/usr/libexec/vyos/services/api/graphql/generate/generate_schema.py