git: 0de11ff4ffa5 - main - sysutils/zrepl: warn of impending SSL certificate expiration
Date: Fri, 13 Jan 2023 20:11:20 UTC
The branch main has been updated by asomers (src committer): URL: https://cgit.FreeBSD.org/ports/commit/?id=0de11ff4ffa507b3c91eada0307bb45fea28112a commit 0de11ff4ffa507b3c91eada0307bb45fea28112a Author: Alan Somers <asomers@FreeBSD.org> AuthorDate: 2021-07-27 22:08:38 +0000 Commit: Alan Somers <asomers@FreeBSD.org> CommitDate: 2023-01-13 20:10:59 +0000 sysutils/zrepl: warn of impending SSL certificate expiration Add a periodic script that will warn of impending certifiate expiration. PR: 257464 Approved by: dries (maintainer, ports) Sponsored by: Axcient --- sysutils/zrepl/Makefile | 7 +++++-- sysutils/zrepl/files/500.zrepl.in | 41 +++++++++++++++++++++++++++++++++++++ sysutils/zrepl/files/pkg-message.in | 10 +++++++++ sysutils/zrepl/pkg-plist | 1 + 4 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/sysutils/zrepl/Makefile b/sysutils/zrepl/Makefile
index ed56db478494..146f21339104 100644
--- a/sysutils/zrepl/Makefile
+++ b/sysutils/zrepl/Makefile
@@ -1,7 +1,7 @@
 PORTNAME= zrepl
 DISTVERSIONPREFIX= v
 DISTVERSION= 0.6.0
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= sysutils
 MAINTAINER= driesm@FreeBSD.org
@@ -19,7 +19,7 @@ GO_BUILDFLAGS= -ldflags "\
 -s -w\
 -X ${GO_MODULE}/version.${PORTNAME}Version=${DISTVERSIONFULL}"
-SUB_FILES= pkg-message
+SUB_FILES= pkg-message 500.zrepl
 OPTIONS_DEFINE= EXAMPLES MANPAGES
 OPTIONS_DEFAULT= MANPAGES
@@ -40,6 +40,9 @@ post-install:
 ${INSTALL_DATA} ${FILESDIR}/newsyslog.conf ${STAGEDIR}${EXAMPLESDIR}/newsyslog.conf
 ${INSTALL_DATA} ${FILESDIR}/syslog.conf ${STAGEDIR}${EXAMPLESDIR}/syslog.conf
 ${INSTALL_DATA} ${FILESDIR}/zrepl.yml ${STAGEDIR}${ETCDIR}/zrepl.yml.sample
+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/weekly
+ ${INSTALL_SCRIPT} ${WRKDIR}/500.zrepl \
+ ${STAGEDIR}${PREFIX}/etc/periodic/weekly/500.zrepl
 post-install-EXAMPLES-on:
 @${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/hooks
diff --git a/sysutils/zrepl/files/500.zrepl.in b/sysutils/zrepl/files/500.zrepl.in
new file mode 100644
index 000000000000..b7f1b3abb4d3
--- /dev/null
+++ b/sysutils/zrepl/files/500.zrepl.in
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Check zrepl SSL certificates for impending expiration each week
+#
+# Add the following lines to /etc/periodic.conf:
+#
+# weekly_zrepl_enable (bool): Set to "NO" by default
+# weekly_zrepl_warntime (int): Set to one month's worth of seconds by default
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+# 30 days in seconds
+: ${weekly_zrepl_warntime="2592000"}
+
+rc=0
+case "$weekly_zrepl_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo "Check Zrepl certificates for upcoming expiration:"
+
+ for cert in `/usr/bin/find %%ETCDIR%% -maxdepth 1 -name *.crt`; do
+ /usr/bin/openssl x509 --in "${cert}" \
+ -checkend "${weekly_zrepl_warntime}"
+
+ if [ $? -gt 0 ]; then
+ echo "${cert} will expire soon"
+ /usr/bin/openssl x509 --in "${cert}" -noout -enddate
+ rc=3
+ fi
+ done
+ ;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/sysutils/zrepl/files/pkg-message.in b/sysutils/zrepl/files/pkg-message.in
index f01100004e97..9d0cc7020a45 100644
--- a/sysutils/zrepl/files/pkg-message.in
+++ b/sysutils/zrepl/files/pkg-message.in
@@ -22,6 +22,16 @@ DANGER - SNAPSHOT PRUNING REQUIRES EXPLICIT KEEP RULES: For any ZFS snapshot that you want to keep, at least one rule must match. This also applies to snapshots taken by means other than zrepl (e.g. snapshots taken manually or via boot environment tools).
+
+In order to automatically warn the operator of impending certificate
+expiration, add this line to /etc/periodic.conf:
+
+ weekly_zrepl_enable="YES"
+
+More config details in the zrepl periodic script:
+
+ %%LOCALBASE%%/etc/periodic/weekly/500.zrepl
+
 EOM
 }
 ]
diff --git a/sysutils/zrepl/pkg-plist b/sysutils/zrepl/pkg-plist
index c26b48a40cc9..a11961d1fa43 100644
--- a/sysutils/zrepl/pkg-plist
+++ b/sysutils/zrepl/pkg-plist
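Review bot: In the new 500.zrepl.in, the `for cert in` line passes `-name *.crt` to find unquoted, so the shell expands the pattern against the directory periodic runs from before find sees it; a stray .crt file there makes find match the wrong name or fail, the loop body never runs, and the check exits 0 without having examined any certificate. Quote the pattern, `-name '*.crt'`, so the expiry check cannot pass silently for that reason. The first openssl call also lacks the `-noout` that the second one has, so each certificate is written in PEM form into the weekly report; adding `-noout` there keeps the report to the expiry result. The `$? -gt 0` test treats an unreadable or unparsable file the same as an expiring certificate, which errs on the safe side but deserves a comment such as `# non-zero also covers unreadable or malformed certificates`.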
@@ -1,4 +1,5 @@
 bin/zrepl
+etc/periodic/weekly/500.zrepl
 @sample %%ETCDIR%%/zrepl.yml.sample
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/bandwidth_limit.yml
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/grafana-prometheus-zrepl.json