-rw-r--r--Makefile28
-rw-r--r--apache24.sh25
-rw-r--r--chrony.sh27
-rw-r--r--lfldap-update.sh57
-rw-r--r--nginx.sh26
-rw-r--r--pf.sh20
-rw-r--r--postfix.sh26
7 files changed, 209 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..7a1f9b0
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,28 @@
+DESTDIR?=
+PREFIX?= /usr/local
+BINDIR?= ${PREFIX}/bin
+HOOKDIR?= ${PREFIX}/share/lfldap/hooks
+
+HOOKS= apache24.sh \
+ chrony.sh \
+ nginx.sh \
+ pf.sh \
+ postfix.sh
+
+all: .PHONY
+
+${DESTDIR}${BINDIR}:
+ install -d -m 0755 ${DESTDIR}${BINDIR}
+
+${DESTDIR}${HOOKDIR}:
+ install -d -m 0755 ${DESTDIR}${HOOKDIR}
+
+install: install-bin install-hooks .PHONY
+
+install-bin: ${DESTDIR}${BINDIR} .PHONY
+ install -C -m 0755 lfldap-update.sh ${DESTDIR}${BINDIR}/lfldap-update
+
+install-hooks: ${DESTDIR}${HOOKDIR} .PHONY
+.for hook in ${HOOKS}
+ install -C -m 0644 ${hook} ${DESTDIR}${HOOKDIR}
+.endfor
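Review bot: The file is BSD make syntax — the `.for`/`.endfor` loop at the end of the hunk and `.PHONY` used as a prerequisite on `all`, `install`, `install-bin` and `install-hooks` — so GNU make will not run it (it stops on the missing `.PHONY` target), which nothing in the file says. A first-line comment such as `# BSD make (bmake) only: uses .for loops and .PHONY as a prerequisite` would turn that failure into an expected one. It would also help to note next to `HOOKS` that the hooks are deliberately installed `0644` because lfldap-update runs them through `sh` rather than executing them, so a reader does not "fix" the mode to 0755.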
diff --git a/apache24.sh b/apache24.sh
new file mode 100644
index 0000000..5fce133
--- /dev/null
+++ b/apache24.sh
@@ -0,0 +1,25 @@
+# This source code is released into the public domain.
+#
+# The Apache allow_internal.conf file is a list of "Require ip <prefix>",
+# one per line.
+
+APACHE_FILE="/usr/local/etc/apache24/allow_internal.conf"
+APACHE_TEMP="${APACHE_FILE}.ldaptmp"
+
+if [ ! -f "$APACHE_FILE" ]; then
+ exit 0
+fi
+
+awk <"$NETWORKS_FILE" >"$APACHE_TEMP" '{ print "Require ip " $1 }'
+
+if cmp -s "$APACHE_TEMP" "$APACHE_FILE"; then
+ rm "$APACHE_TEMP"
+ exit 0
+fi
+
+printf '%s updated:\n\n' "$APACHE_FILE"
+diff "$APACHE_FILE" "$APACHE_TEMP"
+printf '\n'
+
+mv "$APACHE_TEMP" "$APACHE_FILE"
+/usr/local/sbin/apachectl graceful
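Review bot: The hook depends on `NETWORKS_FILE` being exported by the caller, and when it is not, the `awk <"$NETWORKS_FILE"` redirection fails on an empty name; with no `set -e` the script then carries on through `cmp`, `diff`, an `mv` of a temp file that was never created, and finally `apachectl graceful`, restarting Apache for nothing. A one-line guard at the top, `: "${NETWORKS_FILE:?must be set; run via lfldap-update}"`, makes a stand-alone or mis-wired invocation fail before anything is touched. The same gap is in chrony.sh, nginx.sh, pf.sh and postfix.sh. The header comment could also state that the hook is run with `sh` by lfldap-update and that the rewritten file takes its mode from the temp file, i.e. from the caller's umask, not from the previous allow_internal.conf.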
diff --git a/chrony.sh b/chrony.sh
new file mode 100644
index 0000000..b91a5c3
--- /dev/null
+++ b/chrony.sh
@@ -0,0 +1,27 @@
+# This source code is released into the public domain.
+#
+# The chrony.allow file is a list of "allow <prefix>", one per line,
+# no traiing semicolon. chrony doesn't have a simple way to reload
+# its configuration file, so we just restart it. A better way might
+# be to use "chronyc allow" to update it on the fly.
+
+CHRONY_FILE="/usr/local/etc/chrony.allow"
+CHRONY_TEMP="${CHRONY_FILE}.ldaptmp"
+
+if [ ! -f "$CHRONY_FILE" ]; then
+ exit 0
+fi
+
+awk <"$NETWORKS_FILE" >"$CHRONY_TEMP" '{ print "allow " $1 }'
+
+if cmp -s "$CHRONY_TEMP" "$CHRONY_FILE"; then
+ rm "$CHRONY_TEMP"
+ exit 0
+fi
+
+printf '%s updated:\n\n' "$CHRONY_FILE"
+diff "$CHRONY_FILE" "$CHRONY_TEMP"
+printf '\n'
+
+mv "$CHRONY_TEMP" "$CHRONY_FILE"
+/usr/local/etc/rc.d/chronyd restart
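Review bot: A failed restart on the last line is never retried: the new allow list has already been moved into place, so the next run's `cmp -s` sees no change and exits 0 while chronyd keeps its old allow list or is not running at all. Keeping a copy of the previous file and putting it back when the restart fails makes the next run see a difference and try again, and leaves the last-known-good list in place meanwhile. apache24.sh, nginx.sh, pf.sh and postfix.sh have the same mv-then-reload shape and the same gap. The comment header also has a typo, `no traiing semicolon` should read `no trailing semicolon`.
```shell
# … unchanged: build CHRONY_TEMP, compare, print the diff …
cp -p "$CHRONY_FILE" "${CHRONY_FILE}.prev"
mv "$CHRONY_TEMP" "$CHRONY_FILE"
if ! /usr/local/etc/rc.d/chronyd restart; then
	# Restore the previous list so the next run retries the update instead
	# of finding an unchanged file and skipping the restart.
	mv "${CHRONY_FILE}.prev" "$CHRONY_FILE"
	printf >&2 '%s: chronyd restart failed; previous allow list restored\n' "$0"
	exit 1
fi
rm -f "${CHRONY_FILE}.prev"
```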
diff --git a/lfldap-update.sh b/lfldap-update.sh
new file mode 100644
index 0000000..50c067f
--- /dev/null
+++ b/lfldap-update.sh
@@ -0,0 +1,57 @@
+#! /bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
+FILTER="(&(objectClass=lfNetwork))"
+DBDIR="/var/db/lfldap"
+PREFIX="/usr/local"
+HOOKDIR="${PREFIX}/share/lfldap/hooks"
+NETWORKS_FILE="${DBDIR}/networks"
+NETWORKS_TEMP="${DBDIR}/networks.tmp"
+
+trap cleanup 0
+cleanup()
+{
+ rm -f "$NETWORKS_TEMP"
+}
+
+mkdir -p "$DBDIR"
+rm -f "$NETWORKS_TEMP"
+
+if [ ! -f "$NETWORKS_FILE" ]; then
+ touch "$NETWORKS_FILE"
+fi
+
+ldapsearch \
+ -x -s sub \
+ "$FILTER" \
+ cidrPrefix \
+ | awk '/^cidrPrefix: / { print $2 }' >${NETWORKS_TEMP}
+
+if ! [ -s "$NETWORKS_TEMP" ]; then
+ printf >&2 '%s: no networks returned; configuration error?\n' "$0"
+ exit 1
+fi
+
+if ! cmp -s "$NETWORKS_FILE" "$NETWORKS_TEMP"; then
+ printf '%s updated:\n\n' "$NETWORKS_FILE"
+ diff "$NETWORKS_FILE" "$NETWORKS_TEMP"
+ printf '\n'
+
+ mv "$NETWORKS_TEMP" "$NETWORKS_FILE"
+else
+ rm -f "$NETWORKS_TEMP"
+fi
+
+# Run hooks even if the networks didn't change, since the user might want
+# new hooks to run.
+
+exit=0
+
+export NETWORKS_FILE
+
+for hook in ${HOOKDIR}/*.sh; do
+ sh $hook || exit=1
+done
+
+exit $exit
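Review bot: The `ldapsearch | awk` pipeline only reports awk's status, so a search that fails part-way (for example a size-limit or connection error after some entries were printed) leaves a non-empty but truncated temp file that passes the `-s` check, replaces the networks file, and is then pushed by every hook into the pf, Apache, nginx and Postfix allow lists. Writing the raw search output to its own temp file and checking ldapsearch's exit status first closes that, and the same step is the right place to reject any `cidrPrefix` value that does not look like an address or prefix, since the hooks copy `$2` into configuration files verbatim. The new temp file should be added to `cleanup` alongside `NETWORKS_TEMP`. Two smaller points: `>${NETWORKS_TEMP}` and `sh $hook` are the only unquoted expansions in the file, and if `HOOKDIR` holds no `*.sh` the glob stays literal and the loop runs `sh` on a non-existent path, turning "no hooks installed" into an exit status of 1.
```shell
# … unchanged: PATH, variables, cleanup trap, mkdir, touch …
LDAP_TEMP="${DBDIR}/networks.ldap.tmp"

if ! ldapsearch -x -s sub "$FILTER" cidrPrefix >"$LDAP_TEMP"; then
	printf >&2 '%s: ldapsearch failed; leaving %s unchanged\n' "$0" "$NETWORKS_FILE"
	rm -f "$LDAP_TEMP"
	exit 1
fi

# Only address/prefix-looking values are accepted; anything else in the
# directory aborts the run rather than being written into allow lists.
if ! awk '
	/^cidrPrefix: / {
		if ($2 !~ /^[0-9A-Fa-f.:]+(\/[0-9]+)?$/) { exit 1 }
		print $2
	}' <"$LDAP_TEMP" >"$NETWORKS_TEMP"; then
	printf >&2 '%s: unexpected cidrPrefix value in LDAP; aborting\n' "$0"
	rm -f "$LDAP_TEMP"
	exit 1
fi
rm -f "$LDAP_TEMP"
# … unchanged: empty-result check, compare/mv, hook loop …
```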
diff --git a/nginx.sh b/nginx.sh
new file mode 100644
index 0000000..cb080e9
--- /dev/null
+++ b/nginx.sh
@@ -0,0 +1,26 @@
+# This source code is released into the public domain.
+#
+# The nginx allow_internal.conf file is a list of "allow <prefix>;",
+# one per line, followed by "deny all;".
+
+NGINX_FILE="/usr/local/etc/nginx/allow_internal.conf"
+NGINX_TEMP="${NGINX_FILE}.ldaptmp"
+
+if [ ! -f "$NGINX_FILE" ]; then
+ exit 0
+fi
+
+awk <"$NETWORKS_FILE" >"$NGINX_TEMP" '{ print "allow " $1 ";" }'
+printf >>"$NGINX_TEMP" 'deny all;\n'
+
+if cmp -s "$NGINX_TEMP" "$NGINX_FILE"; then
+ rm "$NGINX_TEMP"
+ exit 0
+fi
+
+printf '%s updated:\n\n' "$NGINX_FILE"
+diff "$NGINX_FILE" "$NGINX_TEMP"
+printf '\n'
+
+mv "$NGINX_TEMP" "$NGINX_FILE"
+/usr/local/sbin/nginx -s reload
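Review bot: `nginx -s reload` on the last line only signals the master process, which tests the new configuration itself and keeps the old one if the test fails, so a rejected allow_internal.conf leaves this hook exiting 0 while nginx still serves the previous allow list. Running the configuration test in the hook, `/usr/local/sbin/nginx -t && /usr/local/sbin/nginx -s reload`, makes the failure visible to lfldap-update's exit status. Because the file has already been moved into place at that point, the next run will see no change and not retry, the same retry gap raised on chrony.sh.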
diff --git a/pf.sh b/pf.sh
new file mode 100644
index 0000000..f647360
--- /dev/null
+++ b/pf.sh
@@ -0,0 +1,20 @@
+# This source code is released into the public domain.
+#
+# The pf file is just a list of prefixes, so there's no formatting to do.
+
+PF_FILE="/etc/pf.lf-networks"
+
+if [ ! -f "$PF_FILE" ]; then
+ exit 0
+fi
+
+if cmp -s "$NETWORKS_FILE" "$PF_FILE"; then
+ exit 0
+fi
+
+printf '%s updated:\n\n' "$PF_FILE"
+diff "$PF_FILE" "$NETWORKS_FILE"
+printf '\n'
+
+cp "$NETWORKS_FILE" "$PF_FILE"
+/etc/rc.d/pf reload
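Review bot: The `cp "$NETWORKS_FILE" "$PF_FILE"` on the second-to-last line overwrites the table file in place, so a reload that starts while the copy is in progress can read a truncated list; the other hooks write a temp file and `mv` it for exactly this reason. Copying to a sibling and renaming keeps pf.sh consistent with them, `cp "$NETWORKS_FILE" "${PF_FILE}.ldaptmp" && mv "${PF_FILE}.ldaptmp" "$PF_FILE"`, with the caveat that `mv` gives the file the temp file's mode where `cp` onto an existing file kept the destination's. The header comment could also say which pf.conf construct consumes `/etc/pf.lf-networks` (presumably a table loaded with `file`), since that decides whether a full `/etc/rc.d/pf reload` is needed or only the table has to be replaced.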
diff --git a/postfix.sh b/postfix.sh
new file mode 100644
index 0000000..9e37e33
--- /dev/null
+++ b/postfix.sh
@@ -0,0 +1,26 @@
+# This source code is released into the public domain.
+#
+# The Postfix mynetworks.ldap file is a list of "<prefix> OK", one per line.
+# Since this is a cidr map, there's no need to run postmap, but we do have
+# to reload postfix.
+
+POSTFIX_FILE="/usr/local/etc/postfix/mynetworks.ldap"
+POSTFIX_TEMP="${POSTFIX_FILE}.ldaptmp"
+
+if [ ! -f "$POSTFIX_FILE" ]; then
+ exit 0
+fi
+
+awk <"$NETWORKS_FILE" >"$POSTFIX_TEMP" '{ print $1 " OK" }'
+
+if cmp -s "$POSTFIX_TEMP" "$POSTFIX_FILE"; then
+ rm "$POSTFIX_TEMP"
+ exit 0
+fi
+
+printf '%s updated:\n\n' "$POSTFIX_FILE"
+diff "$POSTFIX_FILE" "$POSTFIX_TEMP"
+printf '\n'
+
+mv "$POSTFIX_TEMP" "$POSTFIX_FILE"
+/usr/local/sbin/postfix reload