ADVICE: Please before going further you should confirm that your pfSense backup is working properly, in my case I use Services > Auto Config Backup to manage them, I’ve generated one before to continue with this process:
INSTALLATION PROCESS TO pfSense 2.4.x
In this section let’s introduce the most secure way to install a package in pfSense, we should remember that we’re not dealing with a pure FreeBSD, so it’s needed to be careful installing packages from the underlaying OS because we can break our current dependencies, these are the steps I have to follow, this could change depending packages installed in your system.
Installing package dependencies
Please check which is your current FreeBSD version (in my case FreeBSD 11.2-RELEASE-p10 amd64) So let’s use the millenary technique of installing packages manually one by one 😀
# uname -orp FreeBSD 11.2-RELEASE-p10 amd64 # pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/libtasn1-4.13.txz # pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/tpm-emulator-0.7.4_2.txz Fetching tpm-emulator-0.7.4_2.txz: 100% 113 KiB 115.9kB/s 00:01 Installing tpm-emulator-0.7.4_2... ===> Creating groups. Creating group '_tss' with gid '601'. ===> Creating users Creating user '_tss' with uid '601'. Extracting tpm-emulator-0.7.4_2: 100% # pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/trousers-0.3.14_2.txz Fetching trousers-0.3.14_2.txz: 100% 486 KiB 62.2kB/s 00:08 Installing trousers-0.3.14_2... ===> Creating groups. Using existing group '_tss'. ===> Creating users Using existing user '_tss'. Extracting trousers-0.3.14_2: 100% Message from trousers-0.3.14_2: To run tcsd automatically, add the following line to /etc/rc.conf: tcsd_enable="YES" You might want to edit /usr/local/etc/tcsd.conf to reflect your setup. If you want to use tcsd with software TPM emulator, use the following configuration in /etc/rc.conf: tcsd_enable="YES" tcsd_mode="emulator" tpmd_enable="YES" To use TPM, add your_account to '_tss' group like following: # pw groupmod _tss -m your_account # pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/gnutls-3.5.18.txz Fetching gnutls-3.5.18.txz: 100% 2 MiB 2.2MB/s 00:01 Installing gnutls-3.5.18... Extracting gnutls-3.5.18: 100%
Installing taskwarrior package
# pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/taskd-1.1.0_5.txz Fetching taskd-1.1.0_5.txz: 100% 360 KiB 184.3kB/s 00:02 Installing taskd-1.1.0_5... ===> Creating groups. Using existing group 'taskd'. ===> Creating users Using existing user 'taskd'. Extracting taskd-1.1.0_5: 100% Message from taskd-1.1.0_5: ======================================================================= taskd requires user directed configuration prior to use. See taskwarrior.org/docs/taskserver/configure.html for configuration information. The generate script has been installed to /usr/local/share/taskd. After completing configuration to start taskd at system startup add taskd_enable="YES" to rc.conf. If you configured taskd with a TASKDDATA other than /var/db/taskd you will also need to set taskd_data in rc.conf to that path. The rc script will start taskd as the unprivileged user taskd, this requires that your TASKDDATA directory and /var/log/taskd.log be owned by taskd:taskd. If you prefer to use another user specify this in rc.conf using taskd_user. To add users see: taskwarrior.org/docs/taskserver/user.html To configure taskwarrior to use your taskd server see: taskwarrior.org/docs/taskserver/taskwarrior.html ======================================================================= # pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/taskwarrior-2.5.1_2.txz Fetching taskwarrior-2.5.1_2.txz: 100% 667 KiB 682.5kB/s 00:01 Installing taskwarrior-2.5.1_2... Extracting taskwarrior-2.5.1_2: 100%
Once we’ve installed the taskd server package, you have to notice that the package name has been changed from earlier versions to taskwarrior. We should follow the same steps described from SETUP TASKD CONFIGURATION section.
INSTALLATION PROCESS TO pfSense 2.3.x
Although I wrote this entry long time ago I hadn’t enough time to put all information together to be a minimum useful entry, these days I was thinking again to use a task manager so I reviewed my notes and I’ve tried to organize a bit the process to share the steps which I follow to install and setup my taskd server.
In a default pfSense installation when you run install taskd command, this error is generated:
# pkg install taskd Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... Fetching meta.txz: 100% 944 B 0.9kB/s 00:01 Fetching packagesite.txz: 100% 129 KiB 132.2kB/s 00:01 Processing entries: 100% pfSense repository update completed. 488 packages processed. All repositories are up to date. pkg: No packages available to install matching 'taskd' have been found in the repositories
To fix this problem it’s needed to follow these steps:
# cd /usr/src
# curl https://raw.githubusercontent.com/neklaf/apu1d4/master/freebsd/pfSense-install-FreeBSD-Package.sh > pfSense-install-FreeBSD-Package.sh
# chmod u+x pfSense-install-FreeBSD-Package.sh
# vi /usr/local/etc/pkg/repos/FreeBSD.conf
FreeBSD: { enabled: yes }
The script that were going to use to install this non-standard package was developed by this guy @javcasta.
Please notice that it is highly not recommended by pfSense due to we are updating packages manually so we can generate dependency problems between packages, so please execute on your own risk:
# /usr/src/pfSense-install-FreeBSD-Package.sh taskd pkg already bootstrapped at /usr/local/sbin/pkg Updating FreeBSD repository catalogue... pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory Fetching meta.txz: 100% 944 B 0.9kB/s 00:01 Fetching packagesite.txz: 100% 6 MiB 3.1MB/s 00:02 Processing entries: 100% FreeBSD repository update completed. 28778 packages processed. Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. pkg-1.10.1_1: lock this package? [y/N]: Locking pkg-1.10.1_1 Install package taskd Updating FreeBSD repository catalogue... FreeBSD repository is up to date. Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. pkg-1.10.1_1 is locked and may not be modified The following 16 package(s) will be affected (of 0 checked): New packages to be INSTALLED: taskd: 1.1.0_5 [FreeBSD] xproto: 7.0.31 [FreeBSD] jpeg-turbo: 1.5.3 [FreeBSD] jbigkit: 2.1_1 [FreeBSD] png: 1.6.34 [FreeBSD] mpfr: 3.1.6 [FreeBSD] libfontenc: 1.1.3_1 [FreeBSD] freetype2: 2.8_1 [FreeBSD] fontconfig: 2.12.1,1 [FreeBSD] pixman: 0.34.0 [FreeBSD] cyrus-sasl: 2.1.26_12 [FreeBSD] gnutls: 3.5.16 [FreeBSD] trousers: 0.3.14_2 [FreeBSD] tpm-emulator: 0.7.4_2 [FreeBSD] p11-kit: 0.23.9 [FreeBSD] libtasn1: 4.12 [FreeBSD] Number of packages to be installed: 16 ... ===> Creating groups. Creating group '_tss' with gid '601'. ===> Creating users Creating user '_tss' with uid '601'. ... ===> Creating groups. Using existing group '_tss'. ... ===> Creating groups. Creating group 'taskd' with gid '616'. ===> Creating users Creating user 'taskd' with uid '616'. ... /usr/local/share/fonts: skipping, no such directory /usr/local/lib/X11/fonts: skipping, no such directory /var/db/fontconfig: cleaning cache directory fc-cache: succeeded ... *** Added group `cyrus' (id 60) *** Added user `cyrus' (id 60) Extracting cyrus-sasl-2.1.26_12: 100% Message from trousers-0.3.14_2: To run tcsd automatically, add the following line to /etc/rc.conf: tcsd_enable="YES"
You might want to edit /usr/local/etc/tcsd.conf to reflect your setup. If you want to use tcsd with software TPM emulator, use the following configuration in /etc/rc.conf:
tcsd_enable="YES" tcsd_mode="emulator" tpmd_enable="YES"
To use TPM, add your_account to ‘_tss’ group like following:
# pw groupmod _tss -m your_account Message from freetype2-2.8_1: The 2.7.x series now uses the new subpixel hinting mode (V40 port's option) as the default, emulating a modern version of ClearType. This change inevitably leads to different rendering results, and you might change port's options to adapt it to your taste (or use the new "FREETYPE_PROPERTIES" environment variable).
The environment variable FREETYPE_PROPERTIES can be used to control the
driver properties. Example:
FREETYPE_PROPERTIES=truetype:interpreter-version=35 \ cff:no-stem-darkening=1 \ autofitter:warping=1
This allows to select, say, the subpixel hinting mode at runtime for a given
application.
The controllable properties are listed in the section Controlling FreeType
Modules in the reference’s table of contents (/usr/local/share/doc/freetype2/reference/ft2-toc.html, if documentation was installed).
SETUP TASKD CONFIGURATION
# pkg install bash # chpass -s /usr/local/bin/bash root chpass: user information updated # exec /usr/local/bin/bash # export TASKDDATA=/var/taskd # mkdir -p $TASKDDATA # chown -R taskd:taskd /var/taskd /usr/local/share/task* # su taskd taskd$ taskd init You must specify the 'server' variable before attempting a server start, for example: taskd config server localhost:53589 Created /var/taskd/config
CERTIFICATES, KEYS & SETTINGS
Let’s create them:
taskd$ vi /usr/local/share/taskd/vars BITS=4096 EXPIRATION_DAYS=365 ORGANIZATION="Acme" CN=pf.acme.local COUNTRY=ES STATE="Zaragoza" LOCALITY="Zaragoza" taskd$ cd /usr/local/share/taskd/ taskd$ ./generate ** Note: You may use '--sec-param High' instead of '--bits 4096' Generating a 4096 bit RSA private key... Generating a self signed certificate... ... Signing certificate...
Setup certificates in task server configuration:
[taskd@/var/taskd]# cd /usr/local/share/taskd/ [taskd@.../taskd/]# cp client.* $TASKDDATA [taskd@.../taskd/]# cp server.* $TASKDDATA [taskd@.../taskd/]# cp ca.cert.pem $TASKDDATA [taskd@.../taskd/]# taskd config --force client.cert $TASKDDATA/client.cert.pem [taskd@.../taskd/]# taskd config --force client.key $TASKDDATA/client.key.pem [taskd@.../taskd/]# taskd config --force server.cert $TASKDDATA/server.cert.pem [taskd@.../taskd/]# taskd config --force server.key $TASKDDATA/server.key.pem [taskd@.../taskd/]# taskd config --force server.crl $TASKDDATA/server.crl.pem [taskd@.../taskd/]# taskd config --force ca.cert $TASKDDATA/ca.cert.pem
Include additional configuration:
[taskd@/var/taskd]# cd $TASKDDATA/.. [taskd@/var]# taskd config --data /var/taskd --force log /usr/local/share/taskd/logs/taskd.log [taskd@/var]# taskd config --data /var/taskd --force pid.file /usr/local/share/taskd/taskd.pid [taskd@/var]# taskd config --force server localhost:55556 [taskd@/var]# taskd config family IPv4
Check our settings
[taskd@/var]# taskd config Configuration read from /var/taskd/config ...
Starting our server
[taskd@/var]# taskdctl start /usr/local/bin/taskdctl start: daemon started [taskd@/var]# taskdctl status /usr/local/bin/taskdctl status: daemon is running
User settings
[taskd@/var]# taskd add --data /var/taskd org Public Created organization 'Public' [taskd@/var]# taskd add --data /var/taskd user 'Public' '<YOUR_USER>' New user key: XXX Created user '<YOUR_USER>' for organization 'Public'
Create user certificate
On our taskd server host create a certificate for a client user:
[taskd@/var]# cd /usr/local/share/taskd/ && ./generate.client <YOUR_USER> ** Note: You may use '--sec-param High' instead of '--bits 4096' Generating a 4096 bit RSA private key... Generating a signed certificate... ... [taskd@...taskd]# tar cvjf taskd_client_conf.tar.bz2 <YOUR_USER>.* ca.cert.pem # chpass -s /usr/sbin/nologin taskd chpass: user information updated # grep taskd /etc/passwd taskd:*:616:616:taskd user:/nonexistent:/usr/sbin/nologin
CLIENT SIDE
In the client machine:
$ scp -P <CUSTOM_SSH_PORT> USER@TASKD_SERVER:$TASKDDATA/taskd_client_conf.tar.bz2 ~/.task $ tar xjf ~/.task/taskd_client_conf.tar.bz2 $ task config taskd.certificate -- ~/.task/<YOUR_USER>.cert.pem $ task config taskd.key -- ~/.task/<YOUR_USER>.key.pem $ task config taskd.key -- ~/.task/USER.key.pem Are you sure you want to add 'taskd.key' with a value of '<YOUR_HOME>.task/USER.key.pem'? (yes/no) yes Config file /home/aitor/.taskrc modified. $ task config taskd.ca -- ~/.task/ca.cert.pem Are you sure you want to add 'taskd.ca' with a value of '<YOUR_HOME>.task/ca.cert.pem'? (yes/no) yes Config file /home/aitor/.taskrc modified. $ task config taskd.server -- <TASKD_SERVER>:53589 Are you sure you want to add 'taskd.server' with a value of '<TASKD_SERVER>:53589'? (yes/no) yes Config file /home/aitor/.taskrc modified. $ task config taskd.trust 'strict' Are you sure you want to add 'taskd.trust' with a value of 'strict'? (yes/no) yes Config file /home/aitor/.taskrc modified.
In my case I have to make a SSH tunnel due to my settings:
$ ssh -p xxx -l dude -L yyy:127.0.0.1:yyy TASKD_SERVER_HOST ... This login only supports SSH tunneling. $ task config taskd.server -- localhost:yyy Are you sure you want to change the value of 'taskd.server' from 'neklaf.ddns.net:55556' to 'localhost:53589'? (yes/no) yes Config file /home/aitor/.taskrc modified.
To know what user ID is used in this settings is needed go to the server and execute this:
# ls $TASKDDATA/orgs/Public/users <USER-UUID-XXX>
This value is for my user but it will be different in other installations.
$ task config taskd.credentials Public/<YOUR_USER>/<USER-UUID-XXX> Are you sure you want to add 'taskd.credentials' with a value of 'Public/<YOUR_USER>/<USER-UUID-XXX>'? (yes/no) yes Config file /home/aitor/.taskrc modified. $ task sync initialize
So now you could enjoy your taskwarrior server!
Reference links:
- https://taskwarrior.org/docs/taskserver/configure.html
- https://www.vultr.com/docs/install-taskserver-taskd-on-freebsd-11
- https://blog.polettix.it/setup-a-taskwarrior-server/
- https://chariotsolutions.com/blog/post/getting-things-done-with-task-warrior/
- https://taskwarrior.wordpress.com/2013/11/11/a-personal-task-server/ (Building by code)
- https://taskwarrior.org/docs/best-practices.html
- https://taskwarrior.org/docs/taskserver/user.html
- https://taskwarrior.org/docs/taskserver/taskwarrior.html
- http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/
- https://freecinc.com/ (If you want this server as a service)
—
“Do it or shut up”
— James Randi
