Changes changes

2020-04-24 13:29:43 +02:00 · 2020-04-24 13:29:43 +02:00 · 6cb0afdb9f
parent 9fdc9082f4
commit 6cb0afdb9f
14 changed files with 96 additions and 127 deletions
--- a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote
+++ b/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote
@ -11,7 +11,8 @@ if [ -f "${__object}/parameter/extra-domain" ]; then
 fi

 #TODO: support linux too
-REALM_DIR="/usr/local/etc/pki/realms/${REALM}"
+REALMS_DIR="/usr/local/etc/pki/realms"
+REALM_DIR="${REALMS_DIR}/${REALM}"
 REALM_CERT="${REALM_DIR}/default.crt"
 REALM_KEY="${REALM_DIR}/default.key"
 REALM_CERT_REQUEST="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.csr"
@ -101,6 +102,8 @@ if [ -n "\${FORCE_CSR_REGEN}" -o -n "\${FORCE_CRT_REGEN}" ]; then
  fi
 fi

+cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > ${REALM_DIR}/fullchain.pem
+
 if [ -n '${REALM_CERT_REQUEST_CNF_LINE}' -a -f '${REALM_CERT_REQUEST_CNF}.new' ]; then
  # CSR and cert generation succeded with a new config, put new config in-place.
  # This is the last thing we do, so we try again next time if sth fails.
--- a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
+++ b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
@ -200,3 +200,28 @@ require="__package/doas" __file "${DOAS_CONF}" --mode 0640
 require="__file${DOAS_CONF}" __line "${DOAS_CONF}" \
  --regex 'root as acme-tiny' \
  --line 'permit nopass root as acme-tiny'
+
+# Setup CA 
+REALMS_DIR="/usr/local/etc/pki/realms"
+__directory "${REALMS_DIR}" \
+  --parents \
+  --state present \
+  --mode 0755
+
+require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/intermediate.pem \
+  --mode 0644 \
+  --source - << EOF
+$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)
+EOF
+require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/root.pem \
+  --mode 0644 \
+  --source - << EOF
+$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt)
+EOF
+require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/chain.pem \
+  --mode 0644 \
+  --source - << EOF
+$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)
+$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt)
+EOF
+
--- a/cdist/conf/type/__openldap_server/manifest
+++ b/cdist/conf/type/__openldap_server/manifest
@ -9,6 +9,7 @@ slapd_modules=$(cat "${__object}/parameter/module" 2>/dev/null || true)
 schemas=$(cat "${__object}/parameter/schema")
 slapd_urls=$(tr '\n' ' ' < "${__object}/parameter/slapd-url")
 tls_cipher_suite=$(cat "${__object}/parameter/tls-cipher-suite" 2>/dev/null || true)
+extra_config=$(cat "${__object}/parameter/extra-config" || true)


 os="$(cat "${__global}/explorer/os")"
@ -230,6 +231,8 @@ index uid,memberUid eq,pres,sub
 index nisMapName,nisMapEntry eq,pres,sub
 index entryCSN,entryUUID eq

+${extra_config}
+
 serverid ${serverid}
 EOF

--- a/cdist/conf/type/__openldap_server/parameter/optional
+++ b/cdist/conf/type/__openldap_server/parameter/optional
@ -5,4 +5,5 @@ admin-email
 tls-cipher-suite
 tls-cert
 tls-privkey
-tls-ca
+tls-ca
+extra-config
--- a/cdist/conf/type/__pf_apply_anchor/gencode-remote
+++ b/cdist/conf/type/__pf_apply_anchor/gencode-remote
@ -18,24 +18,23 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
-# Get the 256 bit SHA2 checksum of the pf ruleset on the target host.
+# Apply pf(4) ruleset on *BSD
 #

 # Debug
-#exec >&2
+# exec >&2
 #set -x

-# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
-# See if file exists and if so, get checksum
+ANCHORS_DIR="/etc/pf.d"

-RC="/etc/rc.conf"
-TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
-PFCONF="${TMP:-"/etc/pf.conf"}"
-
-if [ -f "${PFCONF}" ]; then	# The pf config file exists, find its cksum.
-	cksum -o 1 "${PFCONF}" | cut -d= -f2 | awk '{print $1}'
+if [ -f "${__object}/parameter/anchor_name" ]; then
+    anchor_name="$(cat "${__object}/parameter/anchor_name")"
+else
+    anchor_name="${__object_id}"
 fi
+anchor_file="${ANCHORS_DIR}/${anchor_name}"
+
+echo "pfctl -a \"${anchor_name}\" -f \"${anchor_file}\""

 # Debug
 #set +x
-
--- a/cdist/conf/type/__pf_apply_anchor/parameter/optional
+++ b/cdist/conf/type/__pf_apply_anchor/parameter/optional
@ -0,0 +1 @@
+anchor_name
--- a/cdist/conf/type/__pf_rdr/manifest
+++ b/cdist/conf/type/__pf_rdr/manifest
@ -0,0 +1,20 @@
+# TODO header :D
+# TODO it would be cool to print a warning if a generated anchor is unused in pf.conf
+
+DESTDIR=/etc/pf.d
+
+proto="$(cat "$__object/parameter/proto")"
+from="$(cat "$__object/parameter/from")"
+to="$(cat "$__object/parameter/to")"
+state="$(cat "$__object/parameter/state")"
+
+from="$(echo $from | sed 's/:/ port /')"
+to="$(echo $to | sed 's/:/ port /')"
+
+anchorname="$(echo $__object_id | cut -d/ -f1)"
+rule="rdr pass log proto $proto from any to $from -> $to"
+
+__directory "$DESTDIR" --parents
+
+require="__directory/$DESTDIR" \
+__line __pf_rdr/$__object_id --state $state --line "$rule" --file $DESTDIR/$anchorname
--- a/cdist/conf/type/__pf_rdr/parameter/default/proto
+++ b/cdist/conf/type/__pf_rdr/parameter/default/proto
@ -0,0 +1 @@
+tcp
--- a/cdist/conf/type/__pf_rdr/parameter/default/state
+++ b/cdist/conf/type/__pf_rdr/parameter/default/state
@ -0,0 +1 @@
+present
--- a/cdist/conf/type/__pf_rdr/parameter/optional
+++ b/cdist/conf/type/__pf_rdr/parameter/optional
@ -0,0 +1,2 @@
+proto
+state
--- a/cdist/conf/type/__pf_rdr/parameter/required
+++ b/cdist/conf/type/__pf_rdr/parameter/required
@ -0,0 +1,2 @@
+from
+to
--- a/cdist/conf/type/__pf_ruleset/gencode-local
+++ b/cdist/conf/type/__pf_ruleset/gencode-local
@ -1,81 +0,0 @@
-#!/bin/sh -e
-#
-# 2012 Jake Guffey (jake.guffey at eprotex.com)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-#
-# Manage pf(4) on *BSD
-#
-
-# Debug
-#exec >&2
-#set -x
-
-# Send files to $__target_host via $__remote_copy
-
-uname=$(uname)   # Need to know what the cdist host is running so we know how to compute the ruleset's checksum
-state=$(cat "$__object/parameter/state")
-
-if [ "$state" = "absent" ]; then   # There is nothing more for a *local* script to do
-   exit 0
-fi
-
-if [ -f "$__object/parameter/source" ]; then
-   source=$(cat "$__object/parameter/source")
-fi
-
-rcvar=$(cat "$__object/explorer/rcvar")
-cksum=$(cat "$__object/explorer/cksum")
-
-
-cat <<EOF
-case $uname in
-   Darwin)
-      currentSum=\$(cksum -o 1 ${source} | cut '-d ' -f1)
-      ;;
-   Linux)
-      currentSum=\$(cksum ${source} | cut '-d ' -f1)
-      ;;
-   FreeBSD)
-      currentSum=\$(cksum -o 1 ${source} | cut -d= -f2 | sed 's/ //g')
-      ;;
-   *)
-      echo "Sorry, I do not know how to find a cksum on ${uname}." >&2
-      exit 1
-      ;;
-esac
-
-# IPv6 fix
-if $(echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$')
-then
-    my_target_host="[${__target_host}]"
-else
-    my_target_host="${__target_host}"
-fi
-
-if [ -n "${cksum}" ]; then
-   if [ ! "\${currentSum}" = "${cksum}" ]; then
-      $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
-   fi
-else # File just doesn't exist yet
-   $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
-fi
-EOF
-
-# Debug
-#exec +x
-
--- a/cdist/conf/type/__pf_ruleset/gencode-remote
+++ b/cdist/conf/type/__pf_ruleset/gencode-remote
@ -1,6 +1,6 @@
 #!/bin/sh -e
 #
-# 2012 Jake Guffey (jake.guffey at eprotex.com)
+# 2016 Kamila Součková (kamila at ksp.sk)
 #
 # This file is part of cdist.
 #
@ -25,25 +25,29 @@
 #exec >&2
 #set -x

-# Remove ${rcvar} in the case of --state absent
-
-state=$(cat "$__object/parameter/state")
 rcvar=$(cat "$__object/explorer/rcvar")
-
-if [ "$state" = "present" ]; then   # There is nothing more for a *remote* script to do
-   exit 0
-elif [ "$state" = "absent" ]; then
-   # --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
-   cat <<EOF
-   if [ -f "${rcvar}.new" ]; then
-      rm "${rcvar}.new"
-   fi
-   if [ -f "${rcvar}" ]; then
-      mv "${rcvar}" "${rcvar}.old"
-   fi
-EOF
-else
-   echo "Unknown state ${state}!" >&2
-   exit 1
+state=$(cat "$__object/parameter/state")
+if [ -f "$__object/parameter/source" ]; then
+    source=$(cat "$__object/parameter/source")
 fi

+if [ "$state" = "absent" ]; then
+    action="/etc/rc.d/pf stop"
+else
+    action="/etc/rc.d/pf reload || /etc/rc.d/pf start"
+fi
+
+__key_value __pf_ruleset/rcvar \
+    --state "$state" \
+    --file /etc/rc.conf \
+    --delimiter "=" \
+    --key "pf_enable" \
+    --value "YES"
+
+require="${require} __key_value/__pf_ruleset/rcvar" __config_file $rcvar \
+    --source "$source" \
+    --state "$state" \
+    --onchange "$action"
+
+# Debug
+#exec +x
--- a/cdist/conf/type/__postfix/manifest
+++ b/cdist/conf/type/__postfix/manifest
@ -19,16 +19,4 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #

-
-os=$(cat "$__global/explorer/os")
-
-case "$os" in
-   alpine|ubuntu|debian|archlinux|suse|scientific|centos|devuan)
-      __package postfix --state present
-   ;;
-   *)
-      echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
-      echo "Please contribute an implementation for it if you can." >&2
-      exit 1
-   ;;
-esac
+__package postfix --state present