sysutils/zrepl: warn of impending SSL certificate expiration

Add a periodic script that will warn of impending certifiate expiration.

PR:		257464
Approved by:	dries (maintainer, ports)
Sponsored by:	Axcient

sysutils/zrepl/Makefile

@@ -1,7 +1,7 @@
 PORTNAME=	zrepl
 DISTVERSIONPREFIX=	v
 DISTVERSION=	0.6.0
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	sysutils
 
 MAINTAINER=	driesm@FreeBSD.org
@@ -19,7 +19,7 @@ GO_BUILDFLAGS=	-ldflags "\
 		-s -w\
 		-X ${GO_MODULE}/version.${PORTNAME}Version=${DISTVERSIONFULL}"
 
-SUB_FILES=	pkg-message
+SUB_FILES=	pkg-message 500.zrepl
 
 OPTIONS_DEFINE=		EXAMPLES MANPAGES
 OPTIONS_DEFAULT=	MANPAGES
@@ -40,6 +40,9 @@ post-install:
 	${INSTALL_DATA} ${FILESDIR}/newsyslog.conf ${STAGEDIR}${EXAMPLESDIR}/newsyslog.conf
 	${INSTALL_DATA} ${FILESDIR}/syslog.conf ${STAGEDIR}${EXAMPLESDIR}/syslog.conf
 	${INSTALL_DATA} ${FILESDIR}/zrepl.yml ${STAGEDIR}${ETCDIR}/zrepl.yml.sample
+	${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/weekly
+	${INSTALL_SCRIPT} ${WRKDIR}/500.zrepl \
+		${STAGEDIR}${PREFIX}/etc/periodic/weekly/500.zrepl
 
 post-install-EXAMPLES-on:
 	@${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/hooks

sysutils/zrepl/files/500.zrepl.in

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Check zrepl SSL certificates for impending expiration each week
+#
+# Add the following lines to /etc/periodic.conf:
+#
+# weekly_zrepl_enable (bool):	Set to "NO" by default
+# weekly_zrepl_warntime (int): Set to one month's worth of seconds by default
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+# 30 days in seconds
+: ${weekly_zrepl_warntime="2592000"}
+
+rc=0
+case "$weekly_zrepl_enable" in
+    [Yy][Ee][Ss])
+	echo
+	echo "Check Zrepl certificates for upcoming expiration:"
+
+	for cert in `/usr/bin/find %%ETCDIR%% -maxdepth 1 -name *.crt`; do
+		/usr/bin/openssl x509 --in "${cert}" \
+			-checkend "${weekly_zrepl_warntime}"
+
+		if [ $? -gt 0 ]; then
+			echo "${cert} will expire soon"
+			/usr/bin/openssl x509 --in "${cert}" -noout -enddate
+			rc=3
+		fi
+	done
+	;;
+    *)  rc=0;;
+esac
+
+exit $rc

sysutils/zrepl/files/pkg-message.in

@@ -22,6 +22,16 @@ DANGER - SNAPSHOT PRUNING REQUIRES EXPLICIT KEEP RULES:
 For any ZFS snapshot that you want to keep, at least one rule must match.
 This also applies to snapshots taken by means other than zrepl
 (e.g. snapshots taken manually or via boot environment tools).
+
+In order to automatically warn the operator of impending certificate
+expiration, add this line to /etc/periodic.conf:
+
+    weekly_zrepl_enable="YES"
+
+More config details in the zrepl periodic script:
+
+    %%LOCALBASE%%/etc/periodic/weekly/500.zrepl
+
 EOM
 }
 ]

sysutils/zrepl/pkg-plist

@@ -1,4 +1,5 @@
 bin/zrepl
+etc/periodic/weekly/500.zrepl
 @sample %%ETCDIR%%/zrepl.yml.sample
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/bandwidth_limit.yml
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/grafana-prometheus-zrepl.json