Add rc.conf / pf configuration

2023-03-14 18:24:33 -03:00 · 2023-03-14 18:24:33 -03:00 · f5fa8d91fd
commit f5fa8d91fd
parent faa5f25a81
7 changed files with 112 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,5 @@ node_modules/
 *.log
 .env
 .idea
+*.conf
+*.yml
--- a/config/remote.yml.sample
+++ b/config/remote.yml.sample
@ -0,0 +1,14 @@
+rc:
+  hostname: <hostname>
+pf:
+  iface: <interface>
+  pass:
+    in:
+      - from: any
+        to: <rc.hostname>
+        proto: tcp
+        port: 80
+    out:
+      - to: <trusted_host>
+        proto: <protocol>
+        port: <port>
--- a/config/remote/etc/pf.conf.erb
+++ b/config/remote/etc/pf.conf.erb
@ -0,0 +1,8 @@
+set skip on lo0
+block all
+<% pf.pass.in.each do |rule| -%>
+pass in on <%= pf.iface %> <%= pf_in(rule) %>
+<% end -%>
+<% pf.pass.out.each do |rule| -%>
+pass out on <%= pf.iface %> <%= pf_out(rule) %>
+<% end -%>
--- a/config/remote/etc/rc.conf.erb
+++ b/config/remote/etc/rc.conf.erb
@ -0,0 +1,21 @@
+##
+# Hostname
+hostname="<%= rc.hostname %>"
+
+##
+# Firewall
+pf_enable="YES"
+pf_rules="/etc/pf.conf"
+pflog_enable="YES"
+pflog_file="/var/log/pflog"
+
+##
+# Enabled services
+sshd_enable="YES"
+ntpd_enable="YES"
+nginx_enable="YES"
+
+##
+# Disabled services
+sendmail_enable="NONE"
+hostid_enable="NO"
--- a/tasks.lib/erb_context.rb
+++ b/tasks.lib/erb_context.rb
@ -0,0 +1,22 @@
+##
+# frozen_string_literals: true
+
+require_relative "pf"
+
+class ERBContext
+  include PF
+
+  def self.with_locals(locals)
+    new(locals).context
+  end
+
+  def initialize(locals)
+    @locals = locals
+  end
+
+  def context
+    binding.tap do |b|
+      Ryo.each(@locals) { |k,v| b.local_variable_set(k, v) }
+    end
+  end
+end
--- a/tasks.lib/pf.rb
+++ b/tasks.lib/pf.rb
@ -0,0 +1,21 @@
+##
+# frozen_string_literal: true
+
+module PF
+  def pf_in(rule)
+    [
+      rule.proto && "proto #{rule.proto}",
+      "from #{rule.from}",
+      "to #{rule.to}",
+      rule.port && "port #{rule.port}"
+    ].compact.join(" ")
+  end
+
+  def pf_out(rule)
+    [
+      rule.proto && "proto #{rule.proto}",
+      "to #{rule.to}",
+      rule.port && "port #{rule.port}"
+    ].compact.join(" ")
+  end
+end
--- a/tasks/config.rake
+++ b/tasks/config.rake
@ -0,0 +1,24 @@
+##
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "erb"
+require "ryo"
+require "yaml"
+require_relative "../tasks.lib/erb_context"
+
+read_options = ->(env:) do
+  path = File.join(Dir.getwd, "config", "#{env}.yml")
+  Ryo.from(YAML.load_file(path))
+end
+
+task "config:build", :env do |task, args|
+  options = read_options.call(**args)
+  context = ERBContext.with_locals(options)
+  glob = File.join(Dir.getwd, "config", args[:env], "etc", "*.conf.erb")
+  etc_files = Dir.glob(glob)
+  etc_files.each do |file|
+    File.binwrite File.join(File.dirname(file), File.basename(file, ".erb")),
+                  ERB.new(File.binread(file), trim_mode: "-").result(context)
+  end
+end