From 6cb0afdb9fb6c0edae0e39f4479facbb24b2c289 Mon Sep 17 00:00:00 2001 From: Evilham Date: Fri, 24 Apr 2020 13:29:43 +0200 Subject: [PATCH] Changes changes --- .../__letsencrypt_acmetiny/gencode-remote | 5 +- .../type/__letsencrypt_acmetiny_base/manifest | 25 ++++++ cdist/conf/type/__openldap_server/manifest | 3 + .../type/__openldap_server/parameter/optional | 3 +- .../gencode-remote} | 21 +++-- .../type/__pf_apply_anchor/parameter/optional | 1 + cdist/conf/type/__pf_rdr/manifest | 20 +++++ .../type/__pf_rdr/parameter/default/proto | 1 + .../type/__pf_rdr/parameter/default/state | 1 + cdist/conf/type/__pf_rdr/parameter/optional | 2 + cdist/conf/type/__pf_rdr/parameter/required | 2 + cdist/conf/type/__pf_ruleset/gencode-local | 81 ------------------- .../__pf_ruleset/{gencode-remote => manifest} | 44 +++++----- cdist/conf/type/__postfix/manifest | 14 +--- 14 files changed, 96 insertions(+), 127 deletions(-) rename cdist/conf/type/{__pf_ruleset/explorer/cksum => __pf_apply_anchor/gencode-remote} (62%) create mode 100644 cdist/conf/type/__pf_apply_anchor/parameter/optional create mode 100644 cdist/conf/type/__pf_rdr/manifest create mode 100644 cdist/conf/type/__pf_rdr/parameter/default/proto create mode 100644 cdist/conf/type/__pf_rdr/parameter/default/state create mode 100644 cdist/conf/type/__pf_rdr/parameter/optional create mode 100644 cdist/conf/type/__pf_rdr/parameter/required delete mode 100755 cdist/conf/type/__pf_ruleset/gencode-local rename cdist/conf/type/__pf_ruleset/{gencode-remote => manifest} (58%) diff --git a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote b/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote index 466b889d..9243acc9 100644 --- a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote +++ b/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote 
@@ -11,7 +11,8 @@ if [ -f "${__object}/parameter/extra-domain" ]; then fi #TODO: support linux too -REALM_DIR="/usr/local/etc/pki/realms/${REALM}" +REALMS_DIR="/usr/local/etc/pki/realms" +REALM_DIR="${REALMS_DIR}/${REALM}" REALM_CERT="${REALM_DIR}/default.crt" REALM_KEY="${REALM_DIR}/default.key" REALM_CERT_REQUEST="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.csr" @@ -101,6 +102,8 @@ if [ -n "\${FORCE_CSR_REGEN}" -o -n "\${FORCE_CRT_REGEN}" ]; then fi fi +cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > ${REALM_DIR}/fullchain.pem + if [ -n '${REALM_CERT_REQUEST_CNF_LINE}' -a -f '${REALM_CERT_REQUEST_CNF}.new' ]; then # CSR and cert generation succeded with a new config, put new config in-place. # This is the last thing we do, so we try again next time if sth fails. diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest index 7bce9a63..cbedcdff 100644 --- a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest +++ b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest 
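Review bot: The redirection target in the added line `cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > ${REALM_DIR}/fullchain.pem` is the only unquoted expansion in the second hunk; write `> "${REALM_DIR}/fullchain.pem"` to match the quoting of its inputs. The line also runs unconditionally on every execution of the generated script, so `fullchain.pem` is rewritten even when neither the CSR nor the certificate was regenerated; if a no-op run is meant to stay quiet, the concatenation belongs inside the regeneration branch whose `fi`s close just above it (I can only see those closing lines, so verify where the branch starts). Because `chain.pem` is built in `__letsencrypt_acmetiny_base/manifest` of this same patch from the intermediate plus the root certificate, the resulting `fullchain.pem` carries the root as well — servers normally send only leaf and intermediates, so concatenating `${REALMS_DIR}/intermediate.pem` here instead would give the conventional file. The enclosing script continues outside the hunk.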
@@ -200,3 +200,28 @@ require="__package/doas" __file "${DOAS_CONF}" --mode 0640 require="__file${DOAS_CONF}" __line "${DOAS_CONF}" \ --regex 'root as acme-tiny' \ --line 'permit nopass root as acme-tiny' + +# Setup CA +REALMS_DIR="/usr/local/etc/pki/realms" +__directory "${REALMS_DIR}" \ + --parents \ + --state present \ + --mode 0755 + +require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/intermediate.pem \ + --mode 0644 \ + --source - << EOF +$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt) +EOF +require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/root.pem \ + --mode 0644 \ + --source - << EOF +$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt) +EOF +require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/chain.pem \ + --mode 0644 \ + --source - << EOF +$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt) +$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt) +EOF + diff --git a/cdist/conf/type/__openldap_server/manifest b/cdist/conf/type/__openldap_server/manifest index dadc9f20..88fdbafa 100644 --- a/cdist/conf/type/__openldap_server/manifest +++ b/cdist/conf/type/__openldap_server/manifest @@ -9,6 +9,7 @@ slapd_modules=$(cat "${__object}/parameter/module" 2>/dev/null || true) schemas=$(cat "${__object}/parameter/schema") slapd_urls=$(tr '\n' ' ' < "${__object}/parameter/slapd-url") tls_cipher_suite=$(cat "${__object}/parameter/tls-cipher-suite" 2>/dev/null || true) +extra_config=$(cat "${__object}/parameter/extra-config" || true) os="$(cat "${__global}/explorer/os")" @@ -230,6 +231,8 @@ index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq +${extra_config} + serverid ${serverid} EOF diff --git a/cdist/conf/type/__openldap_server/parameter/optional b/cdist/conf/type/__openldap_server/parameter/optional index a92b9c6e..71c64659 100644 --- a/cdist/conf/type/__openldap_server/parameter/optional 
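Review bot: The three `$(curl -s https://letsencrypt.org/certs/...)` substitutions inside the new here-docs have no failure handling: `curl -s` without `-f`/`--fail` exits 0 on an HTTP error and prints the error body, and a network failure yields an empty string, so a transient outage installs an empty or HTML-filled `root.pem`/`chain.pem` as trust material on the target without any error being raised. Fetch each PEM once into a variable and abort on failure, e.g. `intermediate_pem="$(curl -sSf https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)" || exit 1` and the same for the root, then feed the variables to the three `__file --source -` here-docs, which also removes the duplicate downloads for `chain.pem`. A cheap content check such as `case "$intermediate_pem" in *'BEGIN CERTIFICATE'*) ;; *) exit 1 ;; esac` rejects a non-PEM body. Consider as well whether re-fetching the trust anchors over the network on every manifest run is wanted, versus a pinned copy shipped with the type.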
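Review bot: `extra_config=$(cat "${__object}/parameter/extra-config" || true)` in the first hunk lacks the `2>/dev/null` that the sibling optional parameters `slapd_modules` and `tls_cipher_suite` use on the adjacent lines, so every run without `--extra-config` prints cat's "No such file" diagnostic to stderr; write `extra_config=$(cat "${__object}/parameter/extra-config" 2>/dev/null || true)`. In the second hunk the value is spliced verbatim into the generated slapd.conf between the `index` directives and `serverid`; that is the intent of a free-form parameter, but a comment such as `# user-supplied slapd.conf directives, inserted verbatim (see --extra-config)` above `${extra_config}` would tell the next reader the position is deliberate. Which directives the parameter is expected to hold, and that they land at this point of the file, should also be stated in the type's documentation.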
+++ b/cdist/conf/type/__openldap_server/parameter/optional @@ -5,4 +5,5 @@ admin-email tls-cipher-suite tls-cert tls-privkey -tls-ca \ No newline at end of file +tls-ca +extra-config diff --git a/cdist/conf/type/__pf_ruleset/explorer/cksum b/cdist/conf/type/__pf_apply_anchor/gencode-remote similarity index 62% rename from cdist/conf/type/__pf_ruleset/explorer/cksum rename to cdist/conf/type/__pf_apply_anchor/gencode-remote index 9be6c901..3d259aca 100755 --- a/cdist/conf/type/__pf_ruleset/explorer/cksum +++ b/cdist/conf/type/__pf_apply_anchor/gencode-remote @@ -18,24 +18,23 @@ # along with cdist. If not, see . # # -# Get the 256 bit SHA2 checksum of the pf ruleset on the target host. +# Apply pf(4) ruleset on *BSD # # Debug -#exec >&2 +# exec >&2 #set -x -# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf -# See if file exists and if so, get checksum +ANCHORS_DIR="/etc/pf.d" -RC="/etc/rc.conf" -TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')" -PFCONF="${TMP:-"/etc/pf.conf"}" - -if [ -f "${PFCONF}" ]; then # The pf config file exists, find its cksum. - cksum -o 1 "${PFCONF}" | cut -d= -f2 | awk '{print $1}' +if [ -f "${__object}/parameter/anchor_name" ]; then + anchor_name="$(cat "${__object}/parameter/anchor_name")" +else + anchor_name="${__object_id}" fi +anchor_file="${ANCHORS_DIR}/${anchor_name}" + +echo "pfctl -a \"${anchor_name}\" -f \"${anchor_file}\"" # Debug #set +x - diff --git a/cdist/conf/type/__pf_apply_anchor/parameter/optional b/cdist/conf/type/__pf_apply_anchor/parameter/optional new file mode 100644 index 00000000..b9f61e28 --- /dev/null +++ b/cdist/conf/type/__pf_apply_anchor/parameter/optional @@ -0,0 +1 @@ +anchor_name diff --git a/cdist/conf/type/__pf_rdr/manifest b/cdist/conf/type/__pf_rdr/manifest new file mode 100644 index 00000000..83bf2ed8 --- /dev/null +++ b/cdist/conf/type/__pf_rdr/manifest 
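Review bot: `anchor_name` comes from a user parameter or `$__object_id` and is spliced with escaped quotes into `echo "pfctl -a \"${anchor_name}\" -f \"${anchor_file}\""`, so a value containing `"`, `$`, a backtick or `..` is interpreted by the shell that later runs the generated code, or makes `anchor_file` resolve outside `/etc/pf.d`. Restrict the value before use, e.g. `case "${anchor_name}" in *[!A-Za-z0-9_./-]*|*..*) echo "invalid anchor name: ${anchor_name}" >&2; exit 1 ;; esac`, and once only safe characters are allowed emit the values single-quoted, `echo "pfctl -a '${anchor_name}' -f '${anchor_file}'"`. The `echo` is also unconditional, so cdist will report this object as changed and re-run pfctl on every run; if that is intended a comment saying so would help, otherwise an explorer that compares the loaded rules (`pfctl -a "${anchor_name}" -sr`) against the anchor file would let gencode-remote stay silent when nothing changed — inferred from the purpose of the explorer this file was renamed from, so verify. Nothing checks that `${anchor_file}` exists on the target before pfctl is asked to load it.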
@@ -0,0 +1,20 @@ +# TODO header :D +# TODO it would be cool to print a warning if a generated anchor is unused in pf.conf + +DESTDIR=/etc/pf.d + +proto="$(cat "$__object/parameter/proto")" +from="$(cat "$__object/parameter/from")" +to="$(cat "$__object/parameter/to")" +state="$(cat "$__object/parameter/state")" + +from="$(echo $from | sed 's/:/ port /')" +to="$(echo $to | sed 's/:/ port /')" + +anchorname="$(echo $__object_id | cut -d/ -f1)" +rule="rdr pass log proto $proto from any to $from -> $to" + +__directory "$DESTDIR" --parents + +require="__directory/$DESTDIR" \ +__line __pf_rdr/$__object_id --state $state --line "$rule" --file $DESTDIR/$anchorname diff --git a/cdist/conf/type/__pf_rdr/parameter/default/proto b/cdist/conf/type/__pf_rdr/parameter/default/proto new file mode 100644 index 00000000..28a29e6f --- /dev/null +++ b/cdist/conf/type/__pf_rdr/parameter/default/proto @@ -0,0 +1 @@ +tcp diff --git a/cdist/conf/type/__pf_rdr/parameter/default/state b/cdist/conf/type/__pf_rdr/parameter/default/state new file mode 100644 index 00000000..e7f6134f --- /dev/null +++ b/cdist/conf/type/__pf_rdr/parameter/default/state @@ -0,0 +1 @@ +present diff --git a/cdist/conf/type/__pf_rdr/parameter/optional b/cdist/conf/type/__pf_rdr/parameter/optional new file mode 100644 index 00000000..09ec92ca --- /dev/null +++ b/cdist/conf/type/__pf_rdr/parameter/optional @@ -0,0 +1,2 @@ +proto +state diff --git a/cdist/conf/type/__pf_rdr/parameter/required b/cdist/conf/type/__pf_rdr/parameter/required new file mode 100644 index 00000000..4a568482 --- /dev/null +++ b/cdist/conf/type/__pf_rdr/parameter/required @@ -0,0 +1,2 @@ +from +to diff --git a/cdist/conf/type/__pf_ruleset/gencode-local b/cdist/conf/type/__pf_ruleset/gencode-local deleted file mode 100755 index 11bfb0b1..00000000 --- a/cdist/conf/type/__pf_ruleset/gencode-local +++ /dev/null 
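Review bot: The rule is installed with `__line ... --line "$rule"`, which only guarantees that exact line is present, so changing `--to`, `--from` or `--proto` on an existing object adds a second redirect while the previous one stays in `/etc/pf.d/$anchorname` — a stale `rdr pass` rule that keeps forwarding traffic. Tag each rule with its object and match on the tag so an update replaces it: `rule="rdr pass log proto $proto from any to $from -> $to # __pf_rdr/$__object_id"` together with `--regex "# __pf_rdr/$__object_id\$"` (the `--regex`/`--line` pairing is the one `__letsencrypt_acmetiny_base/manifest` uses in this same patch). `from="$(echo $from | sed 's/:/ port /')"` and the matching `to` line expand the value unquoted and rewrite only the first `:`, so an IPv6 address such as `2001:db8::1:443` becomes an invalid rule; use `${from%:*} port ${from##*:}` for the host/port split, or document that only IPv4 `host:port` is accepted. `require="__directory/$DESTDIR"` with `DESTDIR=/etc/pf.d` yields a double slash and differs from the `require="__directory${REALMS_DIR}"` form used elsewhere in this patch; pick one and verify cdist resolves it.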
@@ -1,81 +0,0 @@ -#!/bin/sh -e -# -# 2012 Jake Guffey (jake.guffey at eprotex.com) -# -# This file is part of cdist. -# -# cdist is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# cdist is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with cdist. If not, see . -# -# -# Manage pf(4) on *BSD -# - -# Debug -#exec >&2 -#set -x - -# Send files to $__target_host via $__remote_copy - -uname=$(uname) # Need to know what the cdist host is running so we know how to compute the ruleset's checksum -state=$(cat "$__object/parameter/state") - -if [ "$state" = "absent" ]; then # There is nothing more for a *local* script to do - exit 0 -fi - -if [ -f "$__object/parameter/source" ]; then - source=$(cat "$__object/parameter/source") -fi - -rcvar=$(cat "$__object/explorer/rcvar") -cksum=$(cat "$__object/explorer/cksum") - - -cat <&2 - exit 1 - ;; -esac - -# IPv6 fix -if $(echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$') -then - my_target_host="[${__target_host}]" -else - my_target_host="${__target_host}" -fi - -if [ -n "${cksum}" ]; then - if [ ! "\${currentSum}" = "${cksum}" ]; then - $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new" - fi -else # File just doesn't exist yet - $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new" -fi -EOF - -# Debug -#exec +x - diff --git a/cdist/conf/type/__pf_ruleset/gencode-remote b/cdist/conf/type/__pf_ruleset/manifest similarity index 58% rename from cdist/conf/type/__pf_ruleset/gencode-remote rename to cdist/conf/type/__pf_ruleset/manifest index 12760fdf..25206add 100755 
--- a/cdist/conf/type/__pf_ruleset/gencode-remote +++ b/cdist/conf/type/__pf_ruleset/manifest @@ -1,6 +1,6 @@ #!/bin/sh -e # -# 2012 Jake Guffey (jake.guffey at eprotex.com) +# 2016 Kamila Součková (kamila at ksp.sk) # # This file is part of cdist. # @@ -25,25 +25,29 @@ #exec >&2 #set -x -# Remove ${rcvar} in the case of --state absent - -state=$(cat "$__object/parameter/state") rcvar=$(cat "$__object/explorer/rcvar") - -if [ "$state" = "present" ]; then # There is nothing more for a *remote* script to do - exit 0 -elif [ "$state" = "absent" ]; then - # --state absent, so ensure that .new doesn't exist and that conf is renamed to .old - cat <&2 - exit 1 +state=$(cat "$__object/parameter/state") +if [ -f "$__object/parameter/source" ]; then + source=$(cat "$__object/parameter/source") fi +if [ "$state" = "absent" ]; then + action="/etc/rc.d/pf stop" +else + action="/etc/rc.d/pf reload || /etc/rc.d/pf start" +fi + +__key_value __pf_ruleset/rcvar \ + --state "$state" \ + --file /etc/rc.conf \ + --delimiter "=" \ + --key "pf_enable" \ + --value "YES" + +require="${require} __key_value/__pf_ruleset/rcvar" __config_file $rcvar \ + --source "$source" \ + --state "$state" \ + --onchange "$action" + +# Debug +#exec +x diff --git a/cdist/conf/type/__postfix/manifest b/cdist/conf/type/__postfix/manifest index f3616979..121bba96 100755 --- a/cdist/conf/type/__postfix/manifest +++ b/cdist/conf/type/__postfix/manifest @@ -19,16 +19,4 @@ # along with cdist. If not, see . # - -os=$(cat "$__global/explorer/os") - -case "$os" in - alpine|ubuntu|debian|archlinux|suse|scientific|centos|devuan) - __package postfix --state present - ;; - *) - echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2 - echo "Please contribute an implementation for it if you can." >&2 - exit 1 - ;; -esac +__package postfix --state present
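Review bot: `action="/etc/rc.d/pf reload || /etc/rc.d/pf start"` falls through to `start` whenever `reload` fails, and the most likely reason for a reload failure right after a ruleset change is that the new file does not parse; depending on the rc script, `start` may then flush the running rules before failing on the same file, leaving the host without a firewall. Validate the file first so a bad ruleset leaves the old rules in place, e.g. `action="pfctl -nf \"$rcvar\" && (/etc/rc.d/pf reload || /etc/rc.d/pf start)"`, and note in a comment why the `start` fallback exists (pf not yet running, presumably). `__config_file $rcvar` is unquoted, and `source` is only assigned when the parameter file exists, so `--state present` without `--source` passes `--source ""`; either require it — `[ "$state" = absent ] || [ -n "$source" ] || { echo "--source is required with --state present" >&2; exit 1; }` — or confirm that `__config_file` accepts an empty source. The rename keeps 58% of the 2012 file yet the header now names only the 2016 author; keep both copyright lines.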
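Review bot: Removing the `case "$os"` guard drops the only place this type enumerated its supported operating systems and the explicit `exit 1` with a message for everything else; behaviour on an unlisted OS now depends entirely on what `__package postfix --state present` does there. If that delegation is the intent, record it in a one-line comment above the call, `# OS dispatch is left to __package; no OS-specific configuration is done here`, and update the type's documentation accordingly. The commit message "Changes changes" gives no rationale for the behaviour change, so a sentence in the description would help future readers of the history.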