git: 0de11ff4ffa5 - main - sysutils/zrepl: warn of impending SSL certificate expiration
Date: Fri, 13 Jan 2023 20:11:20 UTC
The branch main has been updated by asomers (src committer):
URL: https://cgit.FreeBSD.org/ports/commit/?id=0de11ff4ffa507b3c91eada0307bb45fea28112a
commit 0de11ff4ffa507b3c91eada0307bb45fea28112a
Author: Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2021-07-27 22:08:38 +0000
Commit: Alan Somers <asomers@FreeBSD.org>
CommitDate: 2023-01-13 20:10:59 +0000
sysutils/zrepl: warn of impending SSL certificate expiration
Add a periodic script that will warn of impending certificate expiration.
PR: 257464
Approved by: dries (maintainer, ports)
Sponsored by: Axcient
---
sysutils/zrepl/Makefile | 7 +++++--
sysutils/zrepl/files/500.zrepl.in | 41 +++++++++++++++++++++++++++++++++++++
sysutils/zrepl/files/pkg-message.in | 10 +++++++++
sysutils/zrepl/pkg-plist | 1 +
4 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/sysutils/zrepl/Makefile b/sysutils/zrepl/Makefile
index ed56db478494..146f21339104 100644
--- a/sysutils/zrepl/Makefile
+++ b/sysutils/zrepl/Makefile
@@ -1,7 +1,7 @@
PORTNAME= zrepl
DISTVERSIONPREFIX= v
DISTVERSION= 0.6.0
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= sysutils
MAINTAINER= driesm@FreeBSD.org
@@ -19,7 +19,7 @@ GO_BUILDFLAGS= -ldflags "\
-s -w\
-X ${GO_MODULE}/version.${PORTNAME}Version=${DISTVERSIONFULL}"
-SUB_FILES= pkg-message
+SUB_FILES= pkg-message 500.zrepl
OPTIONS_DEFINE= EXAMPLES MANPAGES
OPTIONS_DEFAULT= MANPAGES
@@ -40,6 +40,9 @@ post-install:
${INSTALL_DATA} ${FILESDIR}/newsyslog.conf ${STAGEDIR}${EXAMPLESDIR}/newsyslog.conf
${INSTALL_DATA} ${FILESDIR}/syslog.conf ${STAGEDIR}${EXAMPLESDIR}/syslog.conf
${INSTALL_DATA} ${FILESDIR}/zrepl.yml ${STAGEDIR}${ETCDIR}/zrepl.yml.sample
+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/weekly
+ ${INSTALL_SCRIPT} ${WRKDIR}/500.zrepl \
+ ${STAGEDIR}${PREFIX}/etc/periodic/weekly/500.zrepl
post-install-EXAMPLES-on:
@${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/hooks
diff --git a/sysutils/zrepl/files/500.zrepl.in b/sysutils/zrepl/files/500.zrepl.in
new file mode 100644
index 000000000000..b7f1b3abb4d3
--- /dev/null
+++ b/sysutils/zrepl/files/500.zrepl.in
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Check zrepl SSL certificates for impending expiration each week
+#
+# Add the following lines to /etc/periodic.conf:
+#
+# weekly_zrepl_enable (bool): Set to "NO" by default
+# weekly_zrepl_warntime (int): Set to one month's worth of seconds by default
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+# 30 days in seconds
+: ${weekly_zrepl_warntime="2592000"}
+
+rc=0
+case "$weekly_zrepl_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo "Check Zrepl certificates for upcoming expiration:"
+
+ for cert in `/usr/bin/find %%ETCDIR%% -maxdepth 1 -name *.crt`; do
+ /usr/bin/openssl x509 --in "${cert}" \
+ -checkend "${weekly_zrepl_warntime}"
+
+ if [ $? -gt 0 ]; then
+ echo "${cert} will expire soon"
+ /usr/bin/openssl x509 --in "${cert}" -noout -enddate
+ rc=3
+ fi
+ done
+ ;;
+ *) rc=0;;
+esac
+
+exit $rc
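Review bot: The `-name *.crt` argument in the `for cert in` line is unquoted, so the shell expands it against the current working directory before `find` runs; if a matching file exists there, certificates under %%ETCDIR%% can be missed and their expiry goes unreported. Quote the pattern, `-name '*.crt'`; note that the backtick loop also splits paths on whitespace. The `[ $? -gt 0 ]` test treats every openssl failure as "will expire soon", so an unreadable or malformed file is presumably reported with that same message. The header comment could also state that only `*.crt` files directly in %%ETCDIR%% are checked, since certificates referenced from other paths in the zrepl configuration would not be covered.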
diff --git a/sysutils/zrepl/files/pkg-message.in b/sysutils/zrepl/files/pkg-message.in
index f01100004e97..9d0cc7020a45 100644
--- a/sysutils/zrepl/files/pkg-message.in
+++ b/sysutils/zrepl/files/pkg-message.in
@@ -22,6 +22,16 @@ DANGER - SNAPSHOT PRUNING REQUIRES EXPLICIT KEEP RULES:
For any ZFS snapshot that you want to keep, at least one rule must match.
This also applies to snapshots taken by means other than zrepl
(e.g. snapshots taken manually or via boot environment tools).
+
+In order to automatically warn the operator of impending certificate
+expiration, add this line to /etc/periodic.conf:
+
+ weekly_zrepl_enable="YES"
+
+More config details in the zrepl periodic script:
+
+ %%LOCALBASE%%/etc/periodic/weekly/500.zrepl
+
EOM
}
]
diff --git a/sysutils/zrepl/pkg-plist b/sysutils/zrepl/pkg-plist
index c26b48a40cc9..a11961d1fa43 100644
--- a/sysutils/zrepl/pkg-plist
+++ b/sysutils/zrepl/pkg-plist
@@ -1,4 +1,5 @@
bin/zrepl
+etc/periodic/weekly/500.zrepl
@sample %%ETCDIR%%/zrepl.yml.sample
%%PORTEXAMPLES%%%%EXAMPLESDIR%%/bandwidth_limit.yml
%%PORTEXAMPLES%%%%EXAMPLESDIR%%/grafana-prometheus-zrepl.json