Diffstat (limited to 'debian/vyos-1x.postinst')
| -rw-r--r-- | debian/vyos-1x.postinst | 264 |
1 files changed, 264 insertions, 0 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
new file mode 100644
index 0000000..dc8ada2
--- /dev/null
+++ b/debian/vyos-1x.postinst
@@ -0,0 +1,264 @@
+#!/bin/bash
+
+# Turn off Debian default for %sudo
+sed -i -e '/^%sudo/d' /etc/sudoers || true
+
+# Add minion user for salt-minion
+if ! grep -q '^minion' /etc/passwd; then
+ adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
+ --gecos "salt minion user" --shell /bin/vbash minion
+ adduser --quiet minion frrvty
+ adduser --quiet minion sudo
+ adduser --quiet minion adm
+ adduser --quiet minion dip
+ adduser --quiet minion disk
+ adduser --quiet minion users
+ adduser --quiet minion frr
+fi
+
+# OpenVPN should get its own user
+if ! grep -q '^openvpn' /etc/passwd; then
+ adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
+fi
+
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+ addgroup --firstgid 1000 --quiet radius
+fi
+
+# Remove TACACS user added by base package - we use our own UID range and group
+# assignments - see below
+if grep -q '^tacacs' /etc/passwd; then
+ if [ $(id -u tacacs0) -ge 1000 ]; then
+ level=0
+ vyos_group=vyattaop
+ while [ $level -lt 16 ]; do
+ userdel tacacs${level} || true
+ rm -rf /home/tacacs${level} || true
+ level=$(( level+1 ))
+ done 2>&1
+ fi
+fi
+
+# Remove TACACS+ PAM default profile
+if [[ -e /usr/share/pam-configs/tacplus ]]; then
+ rm /usr/share/pam-configs/tacplus
+fi
+
+# Add TACACS system users required for TACACS based system authentication
+if ! grep -q '^tacacs' /etc/passwd; then
+ # Add the tacacs group and all 16 possible tacacs privilege-level users to
+ # the password file, home directories, etc. The accounts are not enabled
+ # for local login, since they are only used to provide uid/gid/homedir for
+ # the mapped TACACS+ logins (and lookups against them). The tacacs15 user
+ # is also added to the sudo group, and vyattacfg group rather than vyattaop
+ # (used for tacacs0-14).
+ level=0
+ vyos_group=vyattaop
+ while [ $level -lt 16 ]; do
+ adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \
+ --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
+ --shell /bin/vbash tacacs${level}
+ adduser --quiet tacacs${level} frrvty
+ adduser --quiet tacacs${level} adm
+ adduser --quiet tacacs${level} dip
+ adduser --quiet tacacs${level} users
+ if [ $level -lt 15 ]; then
+ adduser --quiet tacacs${level} vyattaop
+ adduser --quiet tacacs${level} operator
+ else
+ adduser --quiet tacacs${level} vyattacfg
+ adduser --quiet tacacs${level} sudo
+ adduser --quiet tacacs${level} disk
+ adduser --quiet tacacs${level} frr
+ adduser --quiet tacacs${level} _kea
+ fi
+ level=$(( level+1 ))
+ done 2>&1 | grep -v "User tacacs${level} already exists"
+fi
+
+# Add RADIUS operator user for RADIUS authenticated users to map to
+if ! grep -q '^radius_user' /etc/passwd; then
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
+ --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
+ --shell /sbin/radius_shell radius_user
+ adduser --quiet radius_user frrvty
+ adduser --quiet radius_user vyattaop
+ adduser --quiet radius_user operator
+ adduser --quiet radius_user adm
+ adduser --quiet radius_user dip
+ adduser --quiet radius_user users
+fi
+
+# Add RADIUS admin user for RADIUS authenticated users to map to
+if ! grep -q '^radius_priv_user' /etc/passwd; then
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
+ --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
+ --shell /sbin/radius_shell radius_priv_user
+ adduser --quiet radius_priv_user frrvty
+ adduser --quiet radius_priv_user vyattacfg
+ adduser --quiet radius_priv_user sudo
+ adduser --quiet radius_priv_user adm
+ adduser --quiet radius_priv_user dip
+ adduser --quiet radius_priv_user disk
+ adduser --quiet radius_priv_user users
+ adduser --quiet radius_priv_user frr
+ adduser --quiet radius_priv_user _kea
+fi
+
+# add hostsd group for vyos-hostsd
+if ! grep -q '^hostsd' /etc/group; then
+ addgroup --quiet --system hostsd
+fi
+
+# Add _kea user for kea-dhcp{4,6}-server to vyattacfg
+# The user should exist via kea-common installed as transitive dependency
+if grep -q '^_kea' /etc/passwd; then
+ adduser --quiet _kea vyattacfg
+fi
+
+# ensure the proxy user has a proper shell
+chsh -s /bin/sh proxy
+
+# Set file capabilities
+setcap cap_net_admin=pe /sbin/ethtool
+setcap cap_net_admin=pe /sbin/tc
+setcap cap_net_admin=pe /bin/ip
+setcap cap_net_admin=pe /sbin/xtables-legacy-multi
+setcap cap_net_admin=pe /sbin/xtables-nft-multi
+setcap cap_net_admin=pe /usr/sbin/conntrack
+setcap cap_net_admin=pe /usr/sbin/arp
+setcap cap_net_raw=pe /usr/bin/tcpdump
+setcap cap_net_admin,cap_sys_admin=pe /sbin/sysctl
+setcap cap_sys_module=pe /bin/kmod
+setcap cap_sys_time=pe /bin/date
+
+# create needed directories
+mkdir -p /var/log/user
+mkdir -p /var/core
+mkdir -p /opt/vyatta/etc/config/auth
+mkdir -p /opt/vyatta/etc/config/scripts
+mkdir -p /opt/vyatta/etc/config/user-data
+mkdir -p /opt/vyatta/etc/config/support
+chown -R root:vyattacfg /opt/vyatta/etc/config
+chmod -R 775 /opt/vyatta/etc/config
+mkdir -p /opt/vyatta/etc/logrotate
+mkdir -p /opt/vyatta/etc/netdevice.d
+
+touch /etc/environment
+
+if [ ! -f /etc/bash_completion ]; then
+ echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion
+ echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion
+fi
+
+sed -i 's/^set /builtin set /' /etc/bash_completion
+
+# Fix up PAM configuration for login so that invalid users are prompted
+# for password
+sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
+
+# Change default shell for new accounts
+sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf
+
+# Do not allow users to change full name field (controlled by vyos-1x)
+sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs
+
+# Only allow root to use passwd command
+if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then
+ sed -i -e '/^@include/i \
+password requisite pam_succeed_if.so user = root
+' /etc/pam.d/passwd
+fi
+
+# remove unnecessary ddclient script in /etc/ppp/ip-up.d/
+# this logs unnecessary messages trying to start ddclient
+rm -f /etc/ppp/ip-up.d/ddclient
+
+# create /opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
+PRECONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
+if [ ! -x $PRECONFIG_SCRIPT ]; then
+ mkdir -p $(dirname $PRECONFIG_SCRIPT)
+ touch $PRECONFIG_SCRIPT
+ chmod 755 $PRECONFIG_SCRIPT
+ cat <<EOF >>$PRECONFIG_SCRIPT
+#!/bin/sh
+# This script is executed at boot time before VyOS configuration is applied.
+# Any modifications required to work around unfixed bugs or use
+# services not available through the VyOS CLI system can be placed here.
+
+EOF
+fi
+
+# create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
+POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
+if [ ! -x $POSTCONFIG_SCRIPT ]; then
+ mkdir -p $(dirname $POSTCONFIG_SCRIPT)
+ touch $POSTCONFIG_SCRIPT
+ chmod 755 $POSTCONFIG_SCRIPT
+ cat <<EOF >>$POSTCONFIG_SCRIPT
+#!/bin/sh
+# This script is executed at boot time after VyOS configuration is fully applied.
+# Any modifications required to work around unfixed bugs
+# or use services not available through the VyOS CLI system can be placed here.
+
+EOF
+fi
+
+# symlink destination is deleted during ISO assembly - this generates some noise
+# when the system boots: systemd-sysv-generator[1881]: stat() failed on
+# /etc/init.d/README, ignoring: No such file or directory. Thus we simply drop
+# the file.
+if [ -L /etc/init.d/README ]; then
+ rm -f /etc/init.d/README
+fi
+
+# Remove unwanted daemon files from /etc
+# conntackd
+# pmacct
+# fastnetmon
+# ntp
+DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/conntrackd
+ /etc/default/pmacctd /etc/pmacct
+ /etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf
+ /etc/ntp.conf /etc/default/ssh /etc/avahi/avahi-daemon.conf /etc/avahi/hosts
+ /etc/powerdns /etc/default/pdns-recursor
+ /etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns"
+for tmp in $DELETE; do
+ if [ -e ${tmp} ]; then
+ rm -rf ${tmp}
+ fi
+done
+
+# Remove logrotate items controlled via CLI and VyOS defaults
+sed -i '/^\/var\/log\/messages$/d' /etc/logrotate.d/rsyslog
+sed -i '/^\/var\/log\/auth.log$/d' /etc/logrotate.d/rsyslog
+
+# Fix FRR pam.d "vtysh_pam" vtysh_pam: Failed in account validation T5110
+if test -f /etc/pam.d/frr; then
+ if grep -q 'pam_rootok.so' /etc/pam.d/frr; then
+ sed -i -re 's/rootok/permit/' /etc/pam.d/frr
+ fi
+fi
+
+# Enable Cloud-init pre-configuration service
+systemctl enable vyos-config-cloud-init.service
+
+# Enable Podman API
+systemctl enable podman.service
+
+# Generate API GraphQL schema
+/usr/libexec/vyos/services/api/graphql/generate/generate_schema.py
+
+# Update XML cache
+python3 /usr/lib/python3/dist-packages/vyos/xml_ref/update_cache.py
+
+# Generate hardlinks for systemd units for multi VRF support
+# as softlinks will fail in systemd:
+# symlink target name type "ssh.service" does not match source, rejecting.
+if [ ! -f /lib/systemd/system/ssh@.service ]; then
+ ln /lib/systemd/system/ssh.service /lib/systemd/system/ssh@.service
+fi
+
+# T4287 - as we have a non-signed kernel use the upstream wireless reulatory database
+update-alternatives --set regulatory.db /lib/firmware/regulatory.db-upstream
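Review bot: `adduser --quiet _kea vyattacfg` together with `chmod -R 775 /opt/vyatta/etc/config` gives the kea DHCP daemon account group-write on `/opt/vyatta/etc/config/scripts`, the directory holding `vyos-preconfig-bootup.script` and `vyos-postconfig-bootup.script`, which the heredoc text says are executed at boot (presumably as root). The script files are created 755 and root-owned, but a group-writable directory without the sticky bit lets any vyattacfg member, including the network-facing `_kea` service, rename and replace them, so a kea compromise could become root code execution at the next boot; if kea only needs to read its generated config, a dedicated group or an ACL on those files is safer, and at minimum `chmod 755 /opt/vyatta/etc/config/scripts` after the recursive chmod. Separately, `sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf` appears to be parsed by sed as a single label definition rather than an address plus substitution, so DSHELL is likely never rewritten and new accounts keep `/bin/bash`; `sed -i -e '/^DSHELL/s:/bin/bash:/bin/vbash:' /etc/adduser.conf` would apply the intended change. `$rootfsdir` in the `pam.d/login` sed is never assigned anywhere in this file and only works because the empty expansion collapses to `/etc/pam.d/login`; drop it or set it explicitly so `set -u` or a future refactor cannot silently redirect the edit.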
