From f5fa8d91fda59466d66ef5ae2334b41a71053d5d Mon Sep 17 00:00:00 2001
From: 0x1eef <0x1eef@protonmail.com>
Date: Tue, 14 Mar 2023 18:24:33 -0300
Subject: [PATCH] Add rc.conf / pf configuration

---
 .gitignore | 2 ++
 config/remote.yml.sample | 14 ++++++++++++++
 config/remote/etc/pf.conf.erb | 8 ++++++++
 config/remote/etc/rc.conf.erb | 21 +++++++++++++++++++++
 tasks.lib/erb_context.rb | 22 ++++++++++++++++++++++
 tasks.lib/pf.rb | 21 +++++++++++++++++++++
 tasks/config.rake | 24 ++++++++++++++++++++++++
 7 files changed, 112 insertions(+)
 create mode 100644 config/remote.yml.sample
 create mode 100644 config/remote/etc/pf.conf.erb
 create mode 100644 config/remote/etc/rc.conf.erb
 create mode 100644 tasks.lib/erb_context.rb
 create mode 100644 tasks.lib/pf.rb
 create mode 100644 tasks/config.rake

diff --git a/.gitignore b/.gitignore
index 9251d9c..ff347e7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@ node_modules/
 *.log
 .env
 .idea
+*.conf
+*.yml
diff --git a/config/remote.yml.sample b/config/remote.yml.sample
new file mode 100644
index 0000000..0831570
--- /dev/null
+++ b/config/remote.yml.sample
@@ -0,0 +1,14 @@
+rc:
+ hostname:
+pf:
+ iface:
+ pass:
+ in:
+ - from: any
+ to:
+ proto: tcp
+ port: 80
+ out:
+ - to:
+ proto:
+ port:
diff --git a/config/remote/etc/pf.conf.erb b/config/remote/etc/pf.conf.erb
new file mode 100644
index 0000000..bf14278
--- /dev/null
+++ b/config/remote/etc/pf.conf.erb
@@ -0,0 +1,8 @@
+set skip on lo0
+block all
+<% pf.pass.in.each do |rule| -%>
+pass in on <%= pf.iface %> <%= pf_in(rule) %>
+<% end -%>
+<% pf.pass.out.each do |rule| -%>
+pass out on <%= pf.iface %> <%= pf_out(rule) %>
+<% end -%>
diff --git a/config/remote/etc/rc.conf.erb b/config/remote/etc/rc.conf.erb
new file mode 100644
index 0000000..6b93157
--- /dev/null
+++ b/config/remote/etc/rc.conf.erb
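Review bot: The two new `.gitignore` patterns `*.conf` and `*.yml` are unanchored, so they hide every YAML and conf file anywhere in the tree, not only the rendered `config/remote/etc/*.conf` outputs and the filled-in `config/remote.yml` that this commit evidently wants kept out of history. Any later tool or CI configuration written in YAML would silently never be committed. Anchoring them does the same job without the collateral: `/config/*.yml` and `/config/*/etc/*.conf`.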
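Review bot: The sample's only `pass.in` entry opens tcp/80, while `rc.conf.erb` in the same commit sets `sshd_enable="YES"` and `pf.conf.erb` starts from `block all`; an operator who renders this sample as-is and loads it on a remote host loses SSH the moment pf starts. The sample should carry a management-port entry alongside the web one, e.g. `- { from: any, to: any, proto: tcp, port: 22 }`, or a comment stating that the SSH rule must be present before `pf_enable` is turned on. Note also that the blank `to:` values under both `in` and `out` render as a dangling `to ` with the helpers in `tasks.lib/pf.rb`, so every field has to be filled in before the ruleset is loadable.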
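Review bot: `block all` on the second line carries no `log` keyword, while the `rc.conf.erb` hunk in this commit enables `pflog_enable` and points `pflog_file` at `/var/log/pflog`, so the pflog interface that is being turned on never receives a packet; changing the line to `block log all` makes dropped traffic visible to tcpdump on pflog0 and to whatever ships that log. The template also has no default outbound rule, so with `block all` the host can only reach destinations listed under `pf.pass.out`, and `rc.conf.erb` enables `ntpd`, which needs outbound udp/123 that the sample does not list. Either that constraint should be documented above the `pf.pass.out` loop, or the sample should ship with the outbound entries the enabled services need.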
@@ -0,0 +1,21 @@
+##
+# Hostname
+hostname="<%= rc.hostname %>"
+
+##
+# Firewall
+pf_enable="YES"
+pf_rules="/etc/pf.conf"
+pflog_enable="YES"
+pflog_file="/var/log/pflog"
+
+##
+# Enabled services
+sshd_enable="YES"
+ntpd_enable="YES"
+nginx_enable="YES"
+
+##
+# Disabled services
+sendmail_enable="NONE"
+hostid_enable="NO"
diff --git a/tasks.lib/erb_context.rb b/tasks.lib/erb_context.rb
new file mode 100644
index 0000000..f5c4aa2
--- /dev/null
+++ b/tasks.lib/erb_context.rb
@@ -0,0 +1,22 @@
+##
+# frozen_string_literals: true
+
+require_relative "pf"
+
+class ERBContext
+ include PF
+
+ def self.with_locals(locals)
+ new(locals).context
+ end
+
+ def initialize(locals)
+ @locals = locals
+ end
+
+ def context
+ binding.tap do |b|
+ Ryo.each(@locals) { |k,v| b.local_variable_set(k, v) }
+ end
+ end
+end
diff --git a/tasks.lib/pf.rb b/tasks.lib/pf.rb
new file mode 100644
index 0000000..972f73c
--- /dev/null
+++ b/tasks.lib/pf.rb
@@ -0,0 +1,21 @@
+##
+# frozen_string_literal: true
+
+module PF
+ def pf_in(rule)
+ [
+ rule.proto && "proto #{rule.proto}",
+ "from #{rule.from}",
+ "to #{rule.to}",
+ rule.port && "port #{rule.port}"
+ ].compact.join(" ")
+ end
+
+ def pf_out(rule)
+ [
+ rule.proto && "proto #{rule.proto}",
+ "to #{rule.to}",
+ rule.port && "port #{rule.port}"
+ ].compact.join(" ")
+ end
+end
diff --git a/tasks/config.rake b/tasks/config.rake
new file mode 100644
index 0000000..1353a3c
--- /dev/null
+++ b/tasks/config.rake
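Review bot: `hostname="<%= rc.hostname %>"` on the third line of the template interpolates the YAML value verbatim into a file that `/etc/rc` sources with sh, so a value containing a double quote, `$` or a backtick breaks or gets expanded at boot rather than being rejected when `config:build` runs. The value is operator-supplied, so this is about failing early on a typo rather than about untrusted input, but a check in `read_options` (tasks/config.rake) before rendering is cheap: `raise ArgumentError, "rc.hostname is not a valid hostname" unless options.rc.hostname.to_s.match?(/\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\z/i)`. The same applies to `pf.iface`, which lands unquoted in `pf.conf`.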
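Review bot: The magic comment on the second line of `tasks.lib/erb_context.rb` reads `# frozen_string_literals: true` (plural), which Ruby does not recognise and ignores, so unlike `pf.rb` and `config.rake` in this commit this file's string literals stay mutable; it should be `# frozen_string_literal: true`. `context` also calls `Ryo.each`, but the file only does `require_relative "pf"`, so it loads only because `config.rake` has already done `require "ryo"`; adding `require "ryo"` next to the existing require makes the file self-contained. A one-line comment above `context` stating that the returned binding's `self` is the `ERBContext` instance, which is what lets templates call `pf_in`/`pf_out` while the YAML keys become locals, would spare the next reader that deduction.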
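Review bot: `pf_in` and `pf_out` in `tasks.lib/pf.rb` always emit `"from #{rule.from}"` and `"to #{rule.to}"`, so a rule whose `from`/`to` is absent (as in every entry of `remote.yml.sample`) renders as a dangling `to ` and pfctl rejects the whole file at load time instead of the build failing. Making those parts optional, as `proto` and `port` already are, keeps the emitted syntax valid: `rule.from && "from #{rule.from}",` and `rule.to && "to #{rule.to}",` in `pf_in`, and `rule.to && "to #{rule.to}",` in `pf_out`. Since `port` is also interpolated verbatim, coercing it with `Integer(rule.port)` would turn a typo in the YAML into a build-time `ArgumentError` rather than a pf syntax error on the remote host.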
@@ -0,0 +1,24 @@
+##
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "erb"
+require "ryo"
+require "yaml"
+require_relative "../tasks.lib/erb_context"
+
+read_options = ->(env:) do
+ path = File.join(Dir.getwd, "config", "#{env}.yml")
+ Ryo.from(YAML.load_file(path))
+end
+
+task "config:build", :env do |task, args|
+ options = read_options.call(**args)
+ context = ERBContext.with_locals(options)
+ glob = File.join(Dir.getwd, "config", args[:env], "etc", "*.conf.erb")
+ etc_files = Dir.glob(glob)
+ etc_files.each do |file|
+ File.binwrite File.join(File.dirname(file), File.basename(file, ".erb")),
+ ERB.new(File.binread(file), trim_mode: "-").result(context)
+ end
+end
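Review bot: `read_options` hands the config to `YAML.load_file`, whose behaviour depends on the Psych version: on Psych 4 (Ruby 3.1+) it is a safe load, but on older Psych it will instantiate arbitrary Ruby objects named by a `!ruby/object` tag in the file; `Ryo.from(YAML.safe_load_file(path))` pins the safe behaviour regardless of which Ruby renders the config, and the sample contains only strings and integers so nothing is lost. The `task` block parameter on the `task "config:build", :env do |task, args|` line is unused and would conventionally be `_task`. A short comment above `read_options` noting that it expects `config/<env>.yml` to exist and raises `Errno::ENOENT` otherwise would also help, since the task itself gives no friendlier message when `env` is mistyped.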