From 0de11ff4ffa507b3c91eada0307bb45fea28112a Mon Sep 17 00:00:00 2001
From: Alan Somers
Date: Tue, 27 Jul 2021 16:08:38 -0600
Subject: [PATCH] sysutils/zrepl: warn of impending SSL certificate expiration

Add a periodic script that will warn of impending certifiate expiration.

PR: 257464
Approved by: dries (maintainer, ports)
Sponsored by: Axcient
---
 sysutils/zrepl/Makefile | 7 +++--
 sysutils/zrepl/files/500.zrepl.in | 41 +++++++++++++++++++++++++++++
 sysutils/zrepl/files/pkg-message.in | 10 +++++++
 sysutils/zrepl/pkg-plist | 1 +
 4 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 sysutils/zrepl/files/500.zrepl.in

diff --git a/sysutils/zrepl/Makefile b/sysutils/zrepl/Makefile
index ed56db478494..146f21339104 100644
--- a/sysutils/zrepl/Makefile
+++ b/sysutils/zrepl/Makefile
@@ -1,7 +1,7 @@
 PORTNAME= zrepl
 DISTVERSIONPREFIX= v
 DISTVERSION= 0.6.0
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= sysutils
 
 MAINTAINER= driesm@FreeBSD.org
@@ -19,7 +19,7 @@ GO_BUILDFLAGS= -ldflags "\
 -s -w\
 -X ${GO_MODULE}/version.${PORTNAME}Version=${DISTVERSIONFULL}"
 
-SUB_FILES= pkg-message
+SUB_FILES= pkg-message 500.zrepl
 
 OPTIONS_DEFINE= EXAMPLES MANPAGES
 OPTIONS_DEFAULT= MANPAGES
@@ -40,6 +40,9 @@ post-install:
 ${INSTALL_DATA} ${FILESDIR}/newsyslog.conf ${STAGEDIR}${EXAMPLESDIR}/newsyslog.conf
 ${INSTALL_DATA} ${FILESDIR}/syslog.conf ${STAGEDIR}${EXAMPLESDIR}/syslog.conf
 ${INSTALL_DATA} ${FILESDIR}/zrepl.yml ${STAGEDIR}${ETCDIR}/zrepl.yml.sample
+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/weekly
+ ${INSTALL_SCRIPT} ${WRKDIR}/500.zrepl \
+ ${STAGEDIR}${PREFIX}/etc/periodic/weekly/500.zrepl
 
 post-install-EXAMPLES-on:
 @${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/hooks
diff --git a/sysutils/zrepl/files/500.zrepl.in b/sysutils/zrepl/files/500.zrepl.in
new file mode 100644
index 000000000000..b7f1b3abb4d3
--- /dev/null
+++ b/sysutils/zrepl/files/500.zrepl.in
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Check zrepl SSL certificates for impending expiration each week
+#
+# Add the following lines to /etc/periodic.conf:
+#
+# weekly_zrepl_enable (bool): Set to "NO" by default
+# weekly_zrepl_warntime (int): Set to one month's worth of seconds by default
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+# 30 days in seconds
+: ${weekly_zrepl_warntime="2592000"}
+
+rc=0
+case "$weekly_zrepl_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo "Check Zrepl certificates for upcoming expiration:"
+
+ for cert in `/usr/bin/find %%ETCDIR%% -maxdepth 1 -name *.crt`; do
+ /usr/bin/openssl x509 --in "${cert}" \
+ -checkend "${weekly_zrepl_warntime}"
+
+ if [ $? -gt 0 ]; then
+ echo "${cert} will expire soon"
+ /usr/bin/openssl x509 --in "${cert}" -noout -enddate
+ rc=3
+ fi
+ done
+ ;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/sysutils/zrepl/files/pkg-message.in b/sysutils/zrepl/files/pkg-message.in
index f01100004e97..9d0cc7020a45 100644
--- a/sysutils/zrepl/files/pkg-message.in
+++ b/sysutils/zrepl/files/pkg-message.in
@@ -22,6 +22,16 @@ DANGER - SNAPSHOT PRUNING REQUIRES EXPLICIT KEEP RULES:
 For any ZFS snapshot that you want to keep, at least one rule must match.
 This also applies to snapshots taken by means other than zrepl (e.g.
 snapshots taken manually or via boot environment tools).
+
+In order to automatically warn the operator of impending certificate
+expiration, add this line to /etc/periodic.conf:
+
+ weekly_zrepl_enable="YES"
+
+More config details in the zrepl periodic script:
+
+ %%LOCALBASE%%/etc/periodic/weekly/500.zrepl
+
 EOM
 }
 ]
diff --git a/sysutils/zrepl/pkg-plist b/sysutils/zrepl/pkg-plist
index c26b48a40cc9..a11961d1fa43 100644
--- a/sysutils/zrepl/pkg-plist
+++ b/sysutils/zrepl/pkg-plist
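Review bot: The `-checkend` probe on the `/usr/bin/openssl x509 --in "${cert}" \` line runs without `-noout`, so every weekly run prints each certificate's full PEM body plus openssl's "Certificate will (not) expire" line into the periodic report even when nothing needs attention. The `for cert in \`/usr/bin/find %%ETCDIR%% -maxdepth 1 -name *.crt\`` line has two further problems: `*.crt` is unquoted, so a matching file in the current directory is expanded by the shell before find sees it, and the backtick output is word-split, so a certificate path containing whitespace is mangled. Because the script inspects `$?` after the call, an openssl failure on an unreadable or malformed file is also reported as "will expire soon" instead of as a check failure, which hides the real cause from the operator. Since `-maxdepth 1` on a single directory is equivalent to a glob (apart from dot-files, which should not matter for certificates), the loop can drop find, quote the path, and discard the probe's stdout so the report lists only certificates that need attention.
```shell
# … unchanged: periodic.conf sourcing, warntime default, case header …
 for cert in %%ETCDIR%%/*.crt; do
 [ -e "${cert}" ] || continue
 if ! /usr/bin/openssl x509 -noout -in "${cert}" \
 -checkend "${weekly_zrepl_warntime}" >/dev/null; then
 echo "${cert} will expire soon or could not be checked"
 /usr/bin/openssl x509 -noout -in "${cert}" -enddate
 rc=3
 fi
 done
# … unchanged: ';;', default arm, esac, exit …
```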
@@ -1,4 +1,5 @@
 bin/zrepl
+etc/periodic/weekly/500.zrepl
 @sample %%ETCDIR%%/zrepl.yml.sample
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/bandwidth_limit.yml
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/grafana-prometheus-zrepl.json