Changes changes
This commit is contained in:
parent
9fdc9082f4
commit
6cb0afdb9f
14 changed files with 96 additions and 127 deletions
cdist/conf/type
__letsencrypt_acmetiny
__letsencrypt_acmetiny_base
__openldap_server
__pf_apply_anchor
__pf_rdr
__pf_ruleset
__postfix
|
@ -11,7 +11,8 @@ if [ -f "${__object}/parameter/extra-domain" ]; then
|
|||
fi
|
||||
|
||||
#TODO: support linux too
|
||||
REALM_DIR="/usr/local/etc/pki/realms/${REALM}"
|
||||
REALMS_DIR="/usr/local/etc/pki/realms"
|
||||
REALM_DIR="${REALMS_DIR}/${REALM}"
|
||||
REALM_CERT="${REALM_DIR}/default.crt"
|
||||
REALM_KEY="${REALM_DIR}/default.key"
|
||||
REALM_CERT_REQUEST="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.csr"
|
||||
|
@ -101,6 +102,8 @@ if [ -n "\${FORCE_CSR_REGEN}" -o -n "\${FORCE_CRT_REGEN}" ]; then
|
|||
fi
|
||||
fi
|
||||
|
||||
cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > ${REALM_DIR}/fullchain.pem
|
||||
|
||||
if [ -n '${REALM_CERT_REQUEST_CNF_LINE}' -a -f '${REALM_CERT_REQUEST_CNF}.new' ]; then
|
||||
# CSR and cert generation succeded with a new config, put new config in-place.
|
||||
# This is the last thing we do, so we try again next time if sth fails.
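Review bot: `cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > ${REALM_DIR}/fullchain.pem` in the generated script truncates fullchain.pem before it is rewritten, so a daemon that reloads in that window, or a failed `cat` (chain.pem missing on the target), leaves an empty or certificate-only fullchain in place. Write to a temporary name and rename so the file is replaced atomically and only when the concatenation succeeded: `cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > "${REALM_DIR}/fullchain.pem.new" && mv "${REALM_DIR}/fullchain.pem.new" "${REALM_DIR}/fullchain.pem"`. The redirect target is also the only unquoted path on that line. The `\${FORCE_CSR_REGEN}` escaping in the hunk header shows this sits inside a heredoc that starts before the hunk, so the enclosing block is not fully visible here.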
|
||||
|
|
|
@ -200,3 +200,28 @@ require="__package/doas" __file "${DOAS_CONF}" --mode 0640
|
|||
require="__file${DOAS_CONF}" __line "${DOAS_CONF}" \
|
||||
--regex 'root as acme-tiny' \
|
||||
--line 'permit nopass root as acme-tiny'
|
||||
|
||||
# Setup CA
|
||||
REALMS_DIR="/usr/local/etc/pki/realms"
|
||||
__directory "${REALMS_DIR}" \
|
||||
--parents \
|
||||
--state present \
|
||||
--mode 0755
|
||||
|
||||
require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/intermediate.pem \
|
||||
--mode 0644 \
|
||||
--source - << EOF
|
||||
$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)
|
||||
EOF
|
||||
require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/root.pem \
|
||||
--mode 0644 \
|
||||
--source - << EOF
|
||||
$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt)
|
||||
EOF
|
||||
require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/chain.pem \
|
||||
--mode 0644 \
|
||||
--source - << EOF
|
||||
$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)
|
||||
$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt)
|
||||
EOF
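Review bot: The three `__file` sources are built from `$(curl -s …)`, which neither fails on an HTTP error nor has its exit status checked inside the heredoc, so an outage or a moved URL (the names are hard-coded to one specific intermediate and root, which will rotate) writes an empty file or an HTML error page into intermediate.pem, root.pem and chain.pem, and every realm's fullchain.pem inherits it on the next run. Fetch each certificate once with `-sSf`, abort the manifest when a fetch fails, and ideally sanity-check that the bytes parse as a PEM certificate (e.g. through `openssl x509 -noout`, if openssl is available where cdist runs) before handing them to `__file`; as written each URL is also downloaded twice, once for the individual file and again for chain.pem. Since this makes every cdist run depend on fetching trust material from the network, consider vendoring the PEMs under the type's `files/` instead so runs are reproducible and offline. The `${REALMS_DIR}/…` object ids are unquoted; harmless for this constant, but worth quoting for consistency with the rest of the file.
```shell
# Fetch each CA certificate once. -f turns HTTP errors into a non-zero exit and
# `|| exit 1` aborts the manifest instead of writing an error page out as a cert.
le_intermediate="$(curl -sSf https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)" || exit 1
le_root="$(curl -sSf https://letsencrypt.org/certs/trustid-x3-root.pem.txt)" || exit 1

require="__directory${REALMS_DIR}" __file "${REALMS_DIR}/intermediate.pem" \
   --mode 0644 \
   --source - << EOF
${le_intermediate}
EOF
# … unchanged: root.pem __file, same shape with ${le_root} …
require="__directory${REALMS_DIR}" __file "${REALMS_DIR}/chain.pem" \
   --mode 0644 \
   --source - << EOF
${le_intermediate}
${le_root}
EOF
```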
|
||||
|
||||
|
|
|
@ -9,6 +9,7 @@ slapd_modules=$(cat "${__object}/parameter/module" 2>/dev/null || true)
|
|||
schemas=$(cat "${__object}/parameter/schema")
|
||||
slapd_urls=$(tr '\n' ' ' < "${__object}/parameter/slapd-url")
|
||||
tls_cipher_suite=$(cat "${__object}/parameter/tls-cipher-suite" 2>/dev/null || true)
|
||||
extra_config=$(cat "${__object}/parameter/extra-config" || true)
|
||||
|
||||
|
||||
os="$(cat "${__global}/explorer/os")"
|
||||
|
@ -230,6 +231,8 @@ index uid,memberUid eq,pres,sub
|
|||
index nisMapName,nisMapEntry eq,pres,sub
|
||||
index entryCSN,entryUUID eq
|
||||
|
||||
${extra_config}
|
||||
|
||||
serverid ${serverid}
|
||||
EOF
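Review bot: `extra_config=$(cat "${__object}/parameter/extra-config" || true)` lacks the `2>/dev/null` that the sibling `tls_cipher_suite` line just above it uses, so every run without `--extra-config` prints a `cat: … No such file` error to stderr even though the value is correctly left empty; use `extra_config=$(cat "${__object}/parameter/extra-config" 2>/dev/null || true)`. The value is spliced verbatim into the generated slapd.conf between the `index` directives and `serverid`, i.e. inside the database section as far as this hunk shows, so directives that must be global will be misparsed there; the parameter's documentation should say where it lands, e.g. `# extra-config is inserted verbatim into the database section, after the index directives`. The heredoc that builds the config starts before this hunk.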
|
||||
|
||||
|
|
|
@ -5,4 +5,5 @@ admin-email
|
|||
tls-cipher-suite
|
||||
tls-cert
|
||||
tls-privkey
|
||||
tls-ca
|
||||
tls-ca
|
||||
extra-config
|
||||
|
|
|
@ -18,24 +18,23 @@
|
|||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
#
|
||||
# Get the 256 bit SHA2 checksum of the pf ruleset on the target host.
|
||||
# Apply pf(4) ruleset on *BSD
|
||||
#
|
||||
|
||||
# Debug
|
||||
#exec >&2
|
||||
# exec >&2
|
||||
#set -x
|
||||
|
||||
# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
|
||||
# See if file exists and if so, get checksum
|
||||
ANCHORS_DIR="/etc/pf.d"
|
||||
|
||||
RC="/etc/rc.conf"
|
||||
TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
|
||||
PFCONF="${TMP:-"/etc/pf.conf"}"
|
||||
|
||||
if [ -f "${PFCONF}" ]; then # The pf config file exists, find its cksum.
|
||||
cksum -o 1 "${PFCONF}" | cut -d= -f2 | awk '{print $1}'
|
||||
if [ -f "${__object}/parameter/anchor_name" ]; then
|
||||
anchor_name="$(cat "${__object}/parameter/anchor_name")"
|
||||
else
|
||||
anchor_name="${__object_id}"
|
||||
fi
|
||||
anchor_file="${ANCHORS_DIR}/${anchor_name}"
|
||||
|
||||
echo "pfctl -a \"${anchor_name}\" -f \"${anchor_file}\""
|
||||
|
||||
# Debug
|
||||
#set +x
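Review bot: `anchor_name` comes straight from `--anchor_name` or the object id and becomes both a path component under `/etc/pf.d` and a double-quoted argument of the emitted `pfctl -a "…" -f "…"` line that runs as root on the target, with no check on its characters; a value containing `..`, `"`, `$` or a backtick changes which file is loaded or escapes the quoting. Object ids are author-controlled, so this is a footgun rather than an exploit, but gencode should still refuse anything outside the characters an anchor name needs (pf nests anchors with `/`, so that one is kept), e.g. `case "${anchor_name}" in *[!A-Za-z0-9_./-]*|*..*|/*) echo "invalid anchor name: ${anchor_name}" >&2; exit 1;; esac`. The pfctl line is also emitted unconditionally, so the anchor is reloaded on every run; a comment saying that is intended, or a `[ -f "${anchor_file}" ]` guard, would help the next reader. The license header before line 18 is outside the hunk.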
|
||||
|
1
cdist/conf/type/__pf_apply_anchor/parameter/optional
Normal file
1
cdist/conf/type/__pf_apply_anchor/parameter/optional
Normal file
|
@ -0,0 +1 @@
|
|||
anchor_name
|
20
cdist/conf/type/__pf_rdr/manifest
Normal file
20
cdist/conf/type/__pf_rdr/manifest
Normal file
|
@ -0,0 +1,20 @@
|
|||
# TODO header :D
|
||||
# TODO it would be cool to print a warning if a generated anchor is unused in pf.conf
|
||||
|
||||
DESTDIR=/etc/pf.d
|
||||
|
||||
proto="$(cat "$__object/parameter/proto")"
|
||||
from="$(cat "$__object/parameter/from")"
|
||||
to="$(cat "$__object/parameter/to")"
|
||||
state="$(cat "$__object/parameter/state")"
|
||||
|
||||
from="$(echo $from | sed 's/:/ port /')"
|
||||
to="$(echo $to | sed 's/:/ port /')"
|
||||
|
||||
anchorname="$(echo $__object_id | cut -d/ -f1)"
|
||||
rule="rdr pass log proto $proto from any to $from -> $to"
|
||||
|
||||
__directory "$DESTDIR" --parents
|
||||
|
||||
require="__directory/$DESTDIR" \
|
||||
__line __pf_rdr/$__object_id --state $state --line "$rule" --file $DESTDIR/$anchorname
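Review bot: Every rule this type emits is `rdr pass log proto … from any to … -> …`: in pf, the `pass` modifier on an rdr rule passes matching packets without evaluating the filter rules, and the source is hard-coded to `any`, so each `__pf_rdr` object opens the redirected port to the world regardless of any block rules in pf.conf; state that next to `rule=` (e.g. `# NOTE: "rdr pass" bypasses the filter ruleset for matching traffic and the source is always "any"`) and consider making `pass` opt-in rather than the only behaviour. Separately, `sed 's/:/ port /'` rewrites only the first colon, so an IPv6 literal in `--from` or `--to` is corrupted; the `host:port` convention is ambiguous for IPv6, so either document that only IPv4 addresses and hostnames are accepted or require bracketed IPv6 literals. `--state $state` and `--file $DESTDIR/$anchorname` are unquoted, and `require="__directory/$DESTDIR"` yields a double slash because `DESTDIR` is absolute (the `__directory${REALMS_DIR}` form used elsewhere in this commit avoids that, assuming cdist does not normalise it). The file still has `# TODO header :D` in place of the license block and ships without a man page.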
|
1
cdist/conf/type/__pf_rdr/parameter/default/proto
Normal file
1
cdist/conf/type/__pf_rdr/parameter/default/proto
Normal file
|
@ -0,0 +1 @@
|
|||
tcp
|
1
cdist/conf/type/__pf_rdr/parameter/default/state
Normal file
1
cdist/conf/type/__pf_rdr/parameter/default/state
Normal file
|
@ -0,0 +1 @@
|
|||
present
|
2
cdist/conf/type/__pf_rdr/parameter/optional
Normal file
2
cdist/conf/type/__pf_rdr/parameter/optional
Normal file
|
@ -0,0 +1,2 @@
|
|||
proto
|
||||
state
|
2
cdist/conf/type/__pf_rdr/parameter/required
Normal file
2
cdist/conf/type/__pf_rdr/parameter/required
Normal file
|
@ -0,0 +1,2 @@
|
|||
from
|
||||
to
|
|
@ -1,81 +0,0 @@
|
|||
#!/bin/sh -e
|
||||
#
|
||||
# 2012 Jake Guffey (jake.guffey at eprotex.com)
|
||||
#
|
||||
# This file is part of cdist.
|
||||
#
|
||||
# cdist is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# cdist is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
#
|
||||
# Manage pf(4) on *BSD
|
||||
#
|
||||
|
||||
# Debug
|
||||
#exec >&2
|
||||
#set -x
|
||||
|
||||
# Send files to $__target_host via $__remote_copy
|
||||
|
||||
uname=$(uname) # Need to know what the cdist host is running so we know how to compute the ruleset's checksum
|
||||
state=$(cat "$__object/parameter/state")
|
||||
|
||||
if [ "$state" = "absent" ]; then # There is nothing more for a *local* script to do
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ -f "$__object/parameter/source" ]; then
|
||||
source=$(cat "$__object/parameter/source")
|
||||
fi
|
||||
|
||||
rcvar=$(cat "$__object/explorer/rcvar")
|
||||
cksum=$(cat "$__object/explorer/cksum")
|
||||
|
||||
|
||||
cat <<EOF
|
||||
case $uname in
|
||||
Darwin)
|
||||
currentSum=\$(cksum -o 1 ${source} | cut '-d ' -f1)
|
||||
;;
|
||||
Linux)
|
||||
currentSum=\$(cksum ${source} | cut '-d ' -f1)
|
||||
;;
|
||||
FreeBSD)
|
||||
currentSum=\$(cksum -o 1 ${source} | cut -d= -f2 | sed 's/ //g')
|
||||
;;
|
||||
*)
|
||||
echo "Sorry, I do not know how to find a cksum on ${uname}." >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# IPv6 fix
|
||||
if $(echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$')
|
||||
then
|
||||
my_target_host="[${__target_host}]"
|
||||
else
|
||||
my_target_host="${__target_host}"
|
||||
fi
|
||||
|
||||
if [ -n "${cksum}" ]; then
|
||||
if [ ! "\${currentSum}" = "${cksum}" ]; then
|
||||
$__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
|
||||
fi
|
||||
else # File just doesn't exist yet
|
||||
$__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
|
||||
fi
|
||||
EOF
|
||||
|
||||
# Debug
|
||||
#exec +x
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
#!/bin/sh -e
|
||||
#
|
||||
# 2012 Jake Guffey (jake.guffey at eprotex.com)
|
||||
# 2016 Kamila Součková (kamila at ksp.sk)
|
||||
#
|
||||
# This file is part of cdist.
|
||||
#
|
||||
|
@ -25,25 +25,29 @@
|
|||
#exec >&2
|
||||
#set -x
|
||||
|
||||
# Remove ${rcvar} in the case of --state absent
|
||||
|
||||
state=$(cat "$__object/parameter/state")
|
||||
rcvar=$(cat "$__object/explorer/rcvar")
|
||||
|
||||
if [ "$state" = "present" ]; then # There is nothing more for a *remote* script to do
|
||||
exit 0
|
||||
elif [ "$state" = "absent" ]; then
|
||||
# --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
|
||||
cat <<EOF
|
||||
if [ -f "${rcvar}.new" ]; then
|
||||
rm "${rcvar}.new"
|
||||
fi
|
||||
if [ -f "${rcvar}" ]; then
|
||||
mv "${rcvar}" "${rcvar}.old"
|
||||
fi
|
||||
EOF
|
||||
else
|
||||
echo "Unknown state ${state}!" >&2
|
||||
exit 1
|
||||
state=$(cat "$__object/parameter/state")
|
||||
if [ -f "$__object/parameter/source" ]; then
|
||||
source=$(cat "$__object/parameter/source")
|
||||
fi
|
||||
|
||||
if [ "$state" = "absent" ]; then
|
||||
action="/etc/rc.d/pf stop"
|
||||
else
|
||||
action="/etc/rc.d/pf reload || /etc/rc.d/pf start"
|
||||
fi
|
||||
|
||||
__key_value __pf_ruleset/rcvar \
|
||||
--state "$state" \
|
||||
--file /etc/rc.conf \
|
||||
--delimiter "=" \
|
||||
--key "pf_enable" \
|
||||
--value "YES"
|
||||
|
||||
require="${require} __key_value/__pf_ruleset/rcvar" __config_file $rcvar \
|
||||
--source "$source" \
|
||||
--state "$state" \
|
||||
--onchange "$action"
|
||||
|
||||
# Debug
|
||||
#exec +x
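Review bot: `__config_file $rcvar` uses `rcvar`, but the only assignment in view, `rcvar=$(cat "$__object/explorer/rcvar")`, sits among the removed lines and no replacement appears on the new side; unless it is set in lines 7–24 outside the hunk (presumably still the license header), the call now gets an empty object id, and `--source "$source"` is empty whenever no `--source` parameter was given. If this file is now a manifest (it calls `__key_value` and `__config_file`), the type explorer may not have run yet at that point — verify against cdist's ordering — so the rc.conf-derived path needs another origin, e.g. a default of `/etc/pf.conf` or a parameter, and the call should be quoted: `__config_file "$rcvar"`. A `--state absent` run removes `pf_enable` from rc.conf and runs `/etc/rc.d/pf stop`, i.e. disables the firewall entirely; a one-line comment recording that this is the intended meaning of absent would spare the next reader a surprise.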
|
|
@ -19,16 +19,4 @@
|
|||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
|
||||
os=$(cat "$__global/explorer/os")
|
||||
|
||||
case "$os" in
|
||||
alpine|ubuntu|debian|archlinux|suse|scientific|centos|devuan)
|
||||
__package postfix --state present
|
||||
;;
|
||||
*)
|
||||
echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
|
||||
echo "Please contribute an implementation for it if you can." >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
__package postfix --state present
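Review bot: Dropping the `case "$os"` guard means the type no longer refuses unsupported targets, so on any OS where the package is not called `postfix` the failure moves from a clear message at manifest time to whatever `__package` does on the host. Given the rest of this commit adds *BSD-oriented types, the removal looks deliberate, but the assumption should be recorded next to the call, e.g. `# The package is named "postfix" on every OS __package supports, so no OS gate is needed here`.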
|
||||
|
|