Installing taskd server on pfSense (FreeBSD 11)

ADVICE: Before going further, confirm that your pfSense backup is working properly. In my case I use Services > Auto Config Backup to manage backups, and I generated one before continuing with this process.

INSTALLATION PROCESS ON pfSense 2.4.x

In this section let’s introduce the safest way to install a package in pfSense. Remember that we are not dealing with a pure FreeBSD, so care is needed when installing packages from the underlying OS, because they can break the dependencies already on the box. These are the steps I had to follow; they may change depending on the packages installed on your system.

Installing package dependencies

First check your current FreeBSD version (in my case FreeBSD 11.2-RELEASE-p10 amd64), then use the time-honoured technique of installing the packages manually, one by one 😀

# uname -orp
FreeBSD 11.2-RELEASE-p10 amd64

# pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/libtasn1-4.13.txz

# pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/tpm-emulator-0.7.4_2.txz
Fetching tpm-emulator-0.7.4_2.txz: 100%  113 KiB 115.9kB/s    00:01    
Installing tpm-emulator-0.7.4_2...
===> Creating groups.
Creating group '_tss' with gid '601'.
===> Creating users
Creating user '_tss' with uid '601'.
Extracting tpm-emulator-0.7.4_2: 100%

# pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/trousers-0.3.14_2.txz
Fetching trousers-0.3.14_2.txz: 100%  486 KiB  62.2kB/s    00:08    
Installing trousers-0.3.14_2...
===> Creating groups.
Using existing group '_tss'.
===> Creating users
Using existing user '_tss'.
Extracting trousers-0.3.14_2: 100%
Message from trousers-0.3.14_2:

To run tcsd automatically, add the following line to /etc/rc.conf:

tcsd_enable="YES"

You might want to edit /usr/local/etc/tcsd.conf to reflect your setup.

If you want to use tcsd with software TPM emulator, use the following
configuration in /etc/rc.conf:

tcsd_enable="YES"
tcsd_mode="emulator"
tpmd_enable="YES"

To use TPM, add your_account to '_tss' group like following:

# pw groupmod _tss -m your_account

# pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/gnutls-3.5.18.txz
Fetching gnutls-3.5.18.txz: 100%    2 MiB   2.2MB/s    00:01
Installing gnutls-3.5.18...
Extracting gnutls-3.5.18: 100%

Installing taskwarrior package

# pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/taskd-1.1.0_5.txz
Fetching taskd-1.1.0_5.txz: 100%  360 KiB 184.3kB/s    00:02
Installing taskd-1.1.0_5...
===> Creating groups.
Using existing group 'taskd'.
===> Creating users
Using existing user 'taskd'.
Extracting taskd-1.1.0_5: 100%
Message from taskd-1.1.0_5:

=======================================================================
taskd requires user directed configuration prior to use.

See taskwarrior.org/docs/taskserver/configure.html for configuration
information. The generate script has been installed to
/usr/local/share/taskd.

After completing configuration to start taskd at system startup add
taskd_enable="YES" to rc.conf. If you configured taskd with a TASKDDATA
other than /var/db/taskd you will also need to set taskd_data in rc.conf
to that path.

The rc script will start taskd as the unprivileged user taskd, this
requires that your TASKDDATA directory and /var/log/taskd.log be owned
by taskd:taskd. If you prefer to use another user specify this in
rc.conf using taskd_user.

To add users see: taskwarrior.org/docs/taskserver/user.html

To configure taskwarrior to use your taskd server see:
taskwarrior.org/docs/taskserver/taskwarrior.html
=======================================================================

# pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/release_2/All/taskwarrior-2.5.1_2.txz
Fetching taskwarrior-2.5.1_2.txz: 100%  667 KiB 682.5kB/s    00:01
Installing taskwarrior-2.5.1_2...
Extracting taskwarrior-2.5.1_2: 100%

Once the taskd server package is installed, note that the package name has changed from earlier versions to taskwarrior. Then follow the same steps described in the SETUP TASKD CONFIGURATION section.
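The manual `pkg add <url>` steps above fetch each package over plain HTTP with no check that the file matches the repository catalogue, and nothing stops a package built for another FreeBSD major release from being pulled in. The script below is an added example (not code from the post or from pfSense) that plans the same installation with those two checks: the ABI is derived from `uname -orp`, and each downloaded file is compared with the sha256 `sum` that the catalogue's packagesite.yaml publishes per package. The package list mirrors the post; the manifest format handling (one JSON object per line with `name` and `sum` fields) and all file paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: plan the manual package
# installation with two safety checks that a bare `pkg add <url>` lacks,
# an ABI check against `uname -orp` and a sha256 check against the catalogue.
# Assumptions (constructed for this example): the package list mirrors the
# post; the manifest given to verify_pkg is packagesite.yaml-style, one JSON
# object per line with "name" and "sum" (sha256) fields.

# Derive the repository ABI, e.g. "FreeBSD:11:amd64", from `uname -orp` output
# so that packages built for another major release are never pulled in.
abi_from_uname() {
    # $1: output of `uname -orp`, e.g. "FreeBSD 11.2-RELEASE-p10 amd64"
    set -- $1
    printf '%s:%s:%s\n' "$1" "${2%%.*}" "$3"
}

# URL of a package file in the release_2 catalogue for the given ABI.
pkg_url() {
    # $1: ABI string, $2: package file name
    printf 'http://pkg.freebsd.org/%s/release_2/All/%s\n' "$1" "$2"
}

# sha256 of a file, portable between FreeBSD (sha256) and Linux (sha256sum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Compare a downloaded package with the catalogue checksum for its name.
# Returns 0 on match, 1 on mismatch, 2 when the name is not in the manifest.
verify_pkg() {
    # $1: manifest file, $2: package name (e.g. libtasn1), $3: downloaded file
    expected=$(grep "\"name\":\"$2\"" "$1" \
        | sed -n 's/.*"sum":"\([0-9a-f]*\)".*/\1/p' | head -n 1)
    [ -n "$expected" ] || return 2
    [ "$(file_sha256 "$3")" = "$expected" ]
}

# Packages in the dependency order the post installs them:
# manifest name, then file name under All/.
PKG_ORDER='libtasn1 libtasn1-4.13.txz
tpm-emulator tpm-emulator-0.7.4_2.txz
trousers trousers-0.3.14_2.txz
gnutls gnutls-3.5.18.txz
taskd taskd-1.1.0_5.txz
taskwarrior taskwarrior-2.5.1_2.txz'

# Print the fetch / verify / add steps for this host without running them.
# `pkg lock pkg` comes first so the pfSense-supplied pkg tool is never
# replaced by a FreeBSD build (the 2.3.x helper script does the same).
plan_install() {
    # $1: output of `uname -orp`, $2: path to the fetched packagesite.yaml
    abi=$(abi_from_uname "$1")
    echo "pkg lock -y pkg"
    echo "$PKG_ORDER" | while read -r name file; do
        echo "fetch -o /tmp/$file $(pkg_url "$abi" "$file")"
        echo "verify_pkg $2 $name /tmp/$file"
        echo "pkg add /tmp/$file"
    done
}

# Usage on the firewall, after sourcing this file and fetching the catalogue:
#   plan_install "$(uname -orp)" /tmp/packagesite.yaml
```

The plan is printed rather than executed so it can be reviewed first; `verify_pkg` returns 2 (not 1) when a package is absent from the catalogue so that a typo in a package name is distinguishable from a corrupted or tampered download.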

INSTALLATION PROCESS ON pfSense 2.3.x

Although I wrote this entry a long time ago, I did not have enough time to put all the information together into a minimally useful entry. These days I was thinking again about using a task manager, so I reviewed my notes and tried to organize the process a bit, to share the steps I follow to install and set up my taskd server.

In a default pfSense installation, running the taskd install command produces this error:

# pkg install taskd
 Updating pfSense-core repository catalogue...
 pfSense-core repository is up to date.
 Updating pfSense repository catalogue...
 Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
 Fetching packagesite.txz: 100%  129 KiB 132.2kB/s    00:01
 Processing entries: 100%
 pfSense repository update completed. 488 packages processed.
 All repositories are up to date.
 pkg: No packages available to install matching 'taskd' have been found in the repositories

To fix this problem, follow these steps:

# cd /usr/src
# curl https://raw.githubusercontent.com/neklaf/apu1d4/master/freebsd/pfSense-install-FreeBSD-Package.sh > pfSense-install-FreeBSD-Package.sh
# chmod u+x pfSense-install-FreeBSD-Package.sh
# vi /usr/local/etc/pkg/repos/FreeBSD.conf
 FreeBSD: { enabled: yes }

The script we are going to use to install this non-standard package was developed by @javcasta.

Please note that pfSense strongly advises against this: we are updating packages manually, so we can create dependency problems between packages. Execute it at your own risk:

# /usr/src/pfSense-install-FreeBSD-Package.sh taskd
pkg already bootstrapped at /usr/local/sbin/pkg
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    6 MiB   3.1MB/s    00:02
Processing entries: 100%
FreeBSD repository update completed. 28778 packages processed.
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
pkg-1.10.1_1: lock this package? [y/N]: Locking pkg-1.10.1_1
Install package taskd
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
pkg-1.10.1_1 is locked and may not be modified
The following 16 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
taskd: 1.1.0_5 [FreeBSD]
xproto: 7.0.31 [FreeBSD]
jpeg-turbo: 1.5.3 [FreeBSD]
jbigkit: 2.1_1 [FreeBSD]
png: 1.6.34 [FreeBSD]
mpfr: 3.1.6 [FreeBSD]
libfontenc: 1.1.3_1 [FreeBSD]
freetype2: 2.8_1 [FreeBSD]
fontconfig: 2.12.1,1 [FreeBSD]
pixman: 0.34.0 [FreeBSD]
cyrus-sasl: 2.1.26_12 [FreeBSD]
gnutls: 3.5.16 [FreeBSD]
trousers: 0.3.14_2 [FreeBSD]
tpm-emulator: 0.7.4_2 [FreeBSD]
p11-kit: 0.23.9 [FreeBSD]
libtasn1: 4.12 [FreeBSD]
Number of packages to be installed: 16
...
===> Creating groups.
Creating group '_tss' with gid '601'.
===> Creating users
Creating user '_tss' with uid '601'.
...
===> Creating groups.
Using existing group '_tss'.
...
===> Creating groups.
Creating group 'taskd' with gid '616'.
===> Creating users
Creating user 'taskd' with uid '616'.
...
/usr/local/share/fonts: skipping, no such directory
/usr/local/lib/X11/fonts: skipping, no such directory
/var/db/fontconfig: cleaning cache directory
fc-cache: succeeded
...
*** Added group `cyrus' (id 60)
*** Added user `cyrus' (id 60)
Extracting cyrus-sasl-2.1.26_12: 100%
Message from trousers-0.3.14_2:
To run tcsd automatically, add the following line to /etc/rc.conf:
tcsd_enable="YES"

You might want to edit /usr/local/etc/tcsd.conf to reflect your setup. If you want to use tcsd with software TPM emulator, use the following configuration in /etc/rc.conf:

tcsd_enable="YES"
tcsd_mode="emulator"
tpmd_enable="YES"

To use TPM, add your_account to '_tss' group like following:

# pw groupmod _tss -m your_account
 Message from freetype2-2.8_1:
 The 2.7.x series now uses the new subpixel hinting mode (V40 port's option) as
 the default, emulating a modern version of ClearType. This change inevitably
 leads to different rendering results, and you might change port's options to
 adapt it to your taste (or use the new "FREETYPE_PROPERTIES" environment
 variable).

The environment variable FREETYPE_PROPERTIES can be used to control the
driver properties. Example:

FREETYPE_PROPERTIES=truetype:interpreter-version=35 \
 cff:no-stem-darkening=1 \
 autofitter:warping=1

This allows to select, say, the subpixel hinting mode at runtime for a given
application.

The controllable properties are listed in the section Controlling FreeType
Modules
in the reference’s table of contents (/usr/local/share/doc/freetype2/reference/ft2-toc.html, if documentation was installed).

SETUP TASKD CONFIGURATION

# pkg install bash
# chpass -s /usr/local/bin/bash root
chpass: user information updated
# exec /usr/local/bin/bash
# export TASKDDATA=/var/taskd
# mkdir -p $TASKDDATA
# chown -R taskd:taskd /var/taskd /usr/local/share/task*
# su taskd
taskd$ taskd init
 You must specify the 'server' variable before attempting a server start, for example:
   taskd config server localhost:53589
Created /var/taskd/config

CERTIFICATES, KEYS & SETTINGS

Let’s create them:

taskd$ vi /usr/local/share/taskd/vars
BITS=4096
 EXPIRATION_DAYS=365
 ORGANIZATION="Acme"
 CN=pf.acme.local
 COUNTRY=ES
 STATE="Zaragoza"
 LOCALITY="Zaragoza"

taskd$ cd /usr/local/share/taskd/
taskd$ ./generate
 ** Note: You may use '--sec-param High' instead of '--bits 4096'
 Generating a 4096 bit RSA private key...
 Generating a self signed certificate...
 ...
 Signing certificate...

Setup certificates in task server configuration:

[taskd@/var/taskd]# cd /usr/local/share/taskd/
[taskd@.../taskd/]# cp client.* $TASKDDATA
[taskd@.../taskd/]# cp server.* $TASKDDATA
[taskd@.../taskd/]# cp ca.cert.pem $TASKDDATA
[taskd@.../taskd/]# taskd config --force client.cert $TASKDDATA/client.cert.pem
[taskd@.../taskd/]# taskd config --force client.key $TASKDDATA/client.key.pem
[taskd@.../taskd/]# taskd config --force server.cert $TASKDDATA/server.cert.pem
[taskd@.../taskd/]# taskd config --force server.key $TASKDDATA/server.key.pem
[taskd@.../taskd/]# taskd config --force server.crl $TASKDDATA/server.crl.pem
[taskd@.../taskd/]# taskd config --force ca.cert $TASKDDATA/ca.cert.pem

Include additional configuration:

[taskd@/var/taskd]# cd $TASKDDATA/..
[taskd@/var]# taskd config --data /var/taskd --force log /usr/local/share/taskd/logs/taskd.log
[taskd@/var]# taskd config --data /var/taskd --force pid.file /usr/local/share/taskd/taskd.pid
[taskd@/var]# taskd config --force server localhost:55556
[taskd@/var]# taskd config family IPv4

Check our settings

[taskd@/var]# taskd config
Configuration read from /var/taskd/config
...

Starting our server

[taskd@/var]# taskdctl start
 /usr/local/bin/taskdctl start: daemon started
[taskd@/var]# taskdctl status
 /usr/local/bin/taskdctl status: daemon is running

User settings

[taskd@/var]# taskd add --data /var/taskd org Public
 Created organization 'Public'

[taskd@/var]# taskd add --data /var/taskd user 'Public' '<YOUR_USER>'
 New user key: XXX
 Created user '<YOUR_USER>' for organization 'Public'

Create user certificate

On our taskd server host create a certificate for a client user:

 [taskd@/var]# cd /usr/local/share/taskd/ && ./generate.client <YOUR_USER>
 ** Note: You may use '--sec-param High' instead of '--bits 4096'
 Generating a 4096 bit RSA private key...
 Generating a signed certificate...
 ...

[taskd@...taskd]# tar cvjf taskd_client_conf.tar.bz2 <YOUR_USER>.* ca.cert.pem
# chpass -s /usr/sbin/nologin taskd
chpass: user information updated
# grep taskd /etc/passwd
taskd:*:616:616:taskd user:/nonexistent:/usr/sbin/nologin
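The setup above leaves three things worth re-checking whenever the server is touched again: the listener stays on localhost (the post reaches it through an SSH tunnel), the private keys copied into $TASKDDATA are readable only by the taskd user, and the taskd account keeps its nologin shell. The script below is an added example (not code from the post or from the taskd project) that audits a TASKDDATA directory for exactly those points. It assumes the config file is the `key=value` file that `taskd init` / `taskd config` write; the demo data in the comments and in its usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: a read-only audit of the
# taskd data directory after the setup above. Assumptions: $TASKDDATA/config
# is the key=value file written by `taskd init` / `taskd config`; the passwd
# line is passed in by the caller so the checks also run on a copy.

# Read one key from the taskd config file (key=value, one per line).
taskd_cfg_get() {
    # $1: config file, $2: key (dots are escaped for sed)
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^$pat=//p" "$1" | head -n 1
}

# The post binds the listener to localhost and reaches it over an SSH tunnel,
# so a listener on any other address is reported.
listener_is_loopback() {
    # $1: value of the "server" key, e.g. localhost:55556
    case "${1%:*}" in
        localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# A private key must not be readable by group or others (0600 or 0400).
key_mode_ok() {
    # $1: path to a .key.pem file
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# The service account should keep the nologin shell set at the end of the
# server setup (chpass -s /usr/sbin/nologin taskd).
shell_is_nologin() {
    # $1: the account's /etc/passwd line
    case "${1##*:}" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks; prints one line per finding and returns the finding count.
audit_taskd() {
    # $1: TASKDDATA directory, $2: passwd line of the taskd account (optional)
    cfg="$1/config"; findings=0
    if [ ! -f "$cfg" ]; then
        echo "missing $cfg (run taskd init first)"
        return 1
    fi
    server=$(taskd_cfg_get "$cfg" server)
    if [ -z "$server" ]; then
        echo "server not set"; findings=$((findings + 1))
    elif ! listener_is_loopback "$server"; then
        echo "server '$server' is not bound to loopback"; findings=$((findings + 1))
    fi
    for key in server.key client.key; do
        path=$(taskd_cfg_get "$cfg" "$key")
        if [ -z "$path" ]; then
            echo "$key not configured"; findings=$((findings + 1))
        elif ! key_mode_ok "$path"; then
            echo "$key ($path) is group/world readable, expected 0600"; findings=$((findings + 1))
        fi
    done
    if [ -n "${2:-}" ] && ! shell_is_nologin "$2"; then
        echo "taskd account still has a login shell"; findings=$((findings + 1))
    fi
    return $findings
}

# Usage on the server, as root, after the setup above (exit status = findings):
#   audit_taskd /var/taskd "$(grep '^taskd:' /etc/passwd)"
```

The checks deliberately avoid `stat`, whose flags differ between FreeBSD and Linux, and parse `ls -ld` instead, so the same file works on the firewall and on a workstation holding a copy of the directory.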

CLIENT SIDE

In the client machine:

$ scp -P <CUSTOM_SSH_PORT> USER@TASKD_SERVER:$TASKDDATA/taskd_client_conf.tar.bz2 ~/.task
$ tar xjf ~/.task/taskd_client_conf.tar.bz2
$ task config taskd.certificate -- ~/.task/<YOUR_USER>.cert.pem
$ task config taskd.key -- ~/.task/<YOUR_USER>.key.pem
 Are you sure you want to add 'taskd.key' with a value of '<YOUR_HOME>.task/<YOUR_USER>.key.pem'? (yes/no) yes
 Config file /home/aitor/.taskrc modified.

$ task config taskd.ca -- ~/.task/ca.cert.pem
 Are you sure you want to add 'taskd.ca' with a value of '<YOUR_HOME>.task/ca.cert.pem'? (yes/no) yes
 Config file /home/aitor/.taskrc modified.

$ task config taskd.server -- <TASKD_SERVER>:53589
 Are you sure you want to add 'taskd.server' with a value of '<TASKD_SERVER>:53589'? (yes/no) yes
 Config file /home/aitor/.taskrc modified.

$ task config taskd.trust 'strict'
 Are you sure you want to add 'taskd.trust' with a value of 'strict'? (yes/no) yes
 Config file /home/aitor/.taskrc modified.

In my case I have to make an SSH tunnel because of my settings:

 $ ssh -p xxx -l dude -L yyy:127.0.0.1:yyy TASKD_SERVER_HOST
 ...
 This login only supports SSH tunneling.
$ task config taskd.server -- localhost:yyy
 Are you sure you want to change the value of 'taskd.server' from 'neklaf.ddns.net:55556' to 'localhost:53589'? (yes/no) yes
 Config file /home/aitor/.taskrc modified.

To find out which user ID is used in these settings, go to the server and execute this:

 # ls $TASKDDATA/orgs/Public/users
 <USER-UUID-XXX>

This value is for my user; it will be different in other installations.

$ task config taskd.credentials Public/<YOUR_USER>/<USER-UUID-XXX>
 Are you sure you want to add 'taskd.credentials' with a value of 'Public/<YOUR_USER>/<USER-UUID-XXX>'? (yes/no) yes
 Config file /home/aitor/.taskrc modified.

$ task sync initialize
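The client steps above copy a tarball built on the server and unpack it straight into ~/.task. The script below is an added example (not code from the post or from the taskwarrior project) that does the same bootstrap but first lists the archive and accepts only the three expected members (`<user>.cert.pem`, `<user>.key.pem`, `ca.cert.pem`, no absolute paths or `..`), then sets the key to 0600 and prints the matching `task config` lines. The target directory argument and the function names are this example's own; the member names follow what `./generate.client <user>` produces in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: client-side bootstrap that
# inspects taskd_client_conf.tar.bz2 before unpacking it into ~/.task and
# locks down the private key. Assumptions: the archive holds exactly
# <user>.cert.pem, <user>.key.pem and ca.cert.pem, as created on the server
# with `./generate.client <user>`; the target dir defaults to ~/.task.

# Accept only the three expected members, as plain relative file names.
member_allowed() {
    # $1: client user name, $2: archive member name
    case "$2" in
        /*|*../*|../*|*/..) return 1 ;;                 # absolute or traversal
        "$1.cert.pem"|"$1.key.pem"|ca.cert.pem) return 0 ;;
        *) return 1 ;;
    esac
}

# Read member names from stdin (one per line); fails on the first bad one.
members_safe() {
    # $1: client user name
    while read -r m; do
        member_allowed "$1" "$m" || { echo "rejected member: $m" >&2; return 1; }
    done
    return 0
}

# List the archive (tar auto-detects bzip2/gzip) and check every member.
archive_is_safe() {
    # $1: client user name, $2: archive path
    tar tf "$2" >/dev/null 2>&1 || { echo "cannot read $2" >&2; return 1; }
    tar tf "$2" 2>/dev/null | members_safe "$1"
}

# Unpack into the task data directory, restrict the key to the owner, and
# print the `task config` lines from the post for this user.
install_client_conf() {
    # $1: client user name, $2: archive path, $3: target dir (default ~/.task)
    dir=${3:-$HOME/.task}
    archive_is_safe "$1" "$2" || return 1
    mkdir -p "$dir" && chmod 700 "$dir"
    tar xf "$2" -C "$dir" || return 1
    chmod 600 "$dir/$1.key.pem"
    chmod 644 "$dir/$1.cert.pem" "$dir/ca.cert.pem"
    printf 'task config taskd.certificate -- %s/%s.cert.pem\n' "$dir" "$1"
    printf 'task config taskd.key -- %s/%s.key.pem\n' "$dir" "$1"
    printf 'task config taskd.ca -- %s/ca.cert.pem\n' "$dir"
}

# Usage on the client after the scp step:
#   install_client_conf <YOUR_USER> ~/.task/taskd_client_conf.tar.bz2
```

The `task config` lines are printed rather than run because each one asks for confirmation; review them and run them as in the post, or prefix each with `rc.confirmation=off` to skip the yes/no prompt. The `taskd.server` and `taskd.credentials` settings are left to the later steps since they depend on the tunnel port and on the user UUID read from the server.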

So now you can enjoy your taskwarrior server!
