From 99b8524c16cc99ceeaf1ebf588f2fc0f2c0fbe0a Mon Sep 17 00:00:00 2001
From: Cullum Smith
Date: Sat, 12 Oct 2024 08:14:59 -0400
Subject: add a bunch of hostclasses
---
 .../dovecot/sieve-pipe/report-ham.sh.imap_server | 12 +++--
 .../dovecot/sieve-pipe/report-spam.sh.imap_server | 12 +++--
 .../local/libexec/idm-ssh-authorized-keys.common | 8 ++--
 files/usr/local/libexec/idm-ssh-known-hosts.common | 4 +-
 .../local/libexec/prosody-acme-proxy.xmpp_server | 54 ++++++++++++++++++++++
 .../libexec/prosody-update-roster.xmpp_server | 47 +++++++++++++++++++
 6 files changed, 123 insertions(+), 14 deletions(-)
 create mode 100644 files/usr/local/libexec/prosody-acme-proxy.xmpp_server
 create mode 100644 files/usr/local/libexec/prosody-update-roster.xmpp_server
(limited to 'files/usr/local/libexec')
diff --git a/files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server b/files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server
index e09674a..b5b0d2d 100644
--- a/files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server
+++ b/files/usr/local/libexec/dovecot/sieve-pipe/report-ham.sh.imap_server
@@ -1,7 +1,11 @@
 #!/bin/sh
 
-exec /usr/local/bin/rspamc \\
- --connect="${rspamd_host}.${domain}" \\
- --password="${rspamd_rw_password}" \\
- --key="${rspamd_pubkey}" \\
+set -e
+
+. /usr/local/etc/dovecot/rspamd.conf.sh
+
+exec /usr/local/bin/rspamc \
+ --connect="$RSPAMD_HOST" \
+ --password="$RSPAMD_PASSWORD" \
+ --key="$RSPAMD_KEY" \
 learn_ham
diff --git a/files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server b/files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server
index 825113f..ec46319 100644
--- a/files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server
+++ b/files/usr/local/libexec/dovecot/sieve-pipe/report-spam.sh.imap_server
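Review bot: Nothing checks that `/usr/local/etc/dovecot/rspamd.conf.sh` actually defined `RSPAMD_HOST`, `RSPAMD_PASSWORD` and `RSPAMD_KEY`; `set -e` does not catch unset variables, so a missing or partially filled config runs `rspamc --connect= --password=` and fails with an unrelated connection error. Changing the new first line to `set -eu`, or referencing the variables as `"${RSPAMD_HOST:?}"`, turns that into an immediate failure that names the missing variable. Because the sourced file now holds the rspamd password, its mode should limit it to the account dovecot runs this sieve pipe as; whether that is the case cannot be seen from this diff. The report-spam.sh.imap_server hunk below is identical apart from `learn_spam` and needs the same change.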
@@ -1,7 +1,11 @@
 #!/bin/sh
 
-exec /usr/local/bin/rspamc \\
- --connect="${rspamd_host}.${domain}" \\
- --password="${rspamd_rw_password}" \\
- --key="${rspamd_pubkey}" \\
+set -e
+
+. /usr/local/etc/dovecot/rspamd.conf.sh
+
+exec /usr/local/bin/rspamc \
+ --connect="$RSPAMD_HOST" \
+ --password="$RSPAMD_PASSWORD" \
+ --key="$RSPAMD_KEY" \
 learn_spam
diff --git a/files/usr/local/libexec/idm-ssh-authorized-keys.common b/files/usr/local/libexec/idm-ssh-authorized-keys.common
index 89d2f20..ef7ba3c 100644
--- a/files/usr/local/libexec/idm-ssh-authorized-keys.common
+++ b/files/usr/local/libexec/idm-ssh-authorized-keys.common
@@ -7,7 +7,7 @@ use Net::LDAP;
 use Net::LDAP::Util qw(escape_filter_value);
 use Authen::SASL;
 
-open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or quit($!);
+open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or die($!);
 my %config;
 while (<$fh>) {
 chomp;
@@ -18,9 +18,9 @@ while (<$fh>) {
 }
 close($fh);
 
-my $mech = $config{SASL_MECH} // 'GSSAPI';
-my $uri = $config{URI} // quit('URI not specified');
-my $basedn = $config{USERS_BASE} // quit('USERS_BASE not specified');
+my $mech = $config{SASL_MECH} // 'GSSAPI';
+my $uri = $config{URI} // die("URI not specified\n");
+my $basedn = $config{USERS_BASE} // die("USERS_BASE not specified\n");
 
 @ARGV == 1 or die "usage: $0 USERNAME\n";
 my $username = $ARGV[0];
diff --git a/files/usr/local/libexec/idm-ssh-known-hosts.common b/files/usr/local/libexec/idm-ssh-known-hosts.common
index 5b784d6..3bbcf65 100644
--- a/files/usr/local/libexec/idm-ssh-known-hosts.common
+++ b/files/usr/local/libexec/idm-ssh-known-hosts.common
@@ -29,8 +29,8 @@ while (<$fh>) {
 }
 close($fh);
 
-my $mech = $config{SASL_MECH} // 'GSSAPI';
-my $uri = $config{URI} // quit('URI not specified');
+my $mech = $config{SASL_MECH} // 'GSSAPI';
+my $uri = $config{URI} // quit('URI not specified');
 my $basedn = $config{HOSTS_BASE} // quit('HOSTS_BASE not specified');
 
 my $conn = Net::LDAP->new($uri, version => '3') or quit($@);
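Review bot: `or die($!)` on the ldap.conf open in idm-ssh-authorized-keys.common reports only the errno text, so a failure no longer says which file could not be read; `or die "open /usr/local/etc/openldap/ldap.conf: $!\n"` keeps the filename and matches the `"... not specified\n"` form introduced in the second hunk of the same file. Whether this file still defines `sub quit` and keeps other `quit(...)` calls outside these two hunks cannot be seen here; if `sub quit` was dropped, every remaining call (the known-hosts sibling's `Net::LDAP->new(...) or quit($@)` pattern suggests there is at least one) needs the same `die` treatment, or the script fails with an undefined-subroutine error exactly when it is trying to report a problem. The idm-ssh-known-hosts.common hunk further down is whitespace-only and still uses `quit`, so the two scripts now diverge in error style.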
diff --git a/files/usr/local/libexec/prosody-acme-proxy.xmpp_server b/files/usr/local/libexec/prosody-acme-proxy.xmpp_server
new file mode 100644
index 0000000..d69017b
--- /dev/null
+++ b/files/usr/local/libexec/prosody-acme-proxy.xmpp_server
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# Retrieves ACME certificates from a different host over SFTP.
+# Reloads prosody if any certificates were changed.
+
+set -eu -o pipefail
+
+PROSODY_USER=prosody
+CERT_DIR=/usr/local/etc/prosody/certs
+CHECKSUM_FILE="${CERT_DIR}/certs.md5"
+
+prog=$(basename "$(readlink -f "$0")")
+usage="${prog} [-q] USER@TARGET_HOST DOMAIN..."
+
+usage(){
+ printf 'usage: %s\n' "$usage" 1>&2
+ exit 2
+}
+
+while getopts hq opt; do
+ case $opt in
+ h) usage ;;
+ q) exec 1>/dev/null ;;
+ esac
+done
+shift $((OPTIND - 1))
+
+[ $# -ge 2 ] || usage
+acmeproxy_target=$1; shift
+
+# Get md5 of any existing certificates.
+touch "$CHECKSUM_FILE"
+md5_old=$(cat "$CHECKSUM_FILE")
+
+# Retrieve certs from the proxy host via SFTP.
+{ printf 'lcd %s\n' "$CERT_DIR"
+ printf 'get certs/%s.crt\n' "$@"
+ printf 'get certs/%s.key\n' "$@"
+ printf 'quit\n'
+} | sftp -b - "$acmeproxy_target"
+
+# Get md5 of the new certificates.
+md5_new=$(md5sum "$CERT_DIR"/*.crt "$CERT_DIR"/*.key | tee "$CHECKSUM_FILE")
+
+# If any certificates differ, reload prosody.
+if [ "$md5_old" != "$md5_new" ]; then
+ if prosodyctl status >/dev/null 2>&1; then
+ prosodyctl reload
+ else
+ echo 'prosody not running, not reloading'
+ fi
+else
+ echo 'certificates unchanged'
+fi
diff --git a/files/usr/local/libexec/prosody-update-roster.xmpp_server b/files/usr/local/libexec/prosody-update-roster.xmpp_server
new file mode 100644
index 0000000..1b79747
--- /dev/null
+++ b/files/usr/local/libexec/prosody-update-roster.xmpp_server
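Review bot: The private keys fetched by the `} | sftp -b - "$acmeproxy_target"` block are left with the invoking user's ownership and whatever mode sftp and the local umask produce, and nothing in the script adjusts them; `PROSODY_USER=prosody` is assigned but never used, which looks like a missing chown step. Adding `chown "$PROSODY_USER" "$CERT_DIR"/*.crt "$CERT_DIR"/*.key` and `chmod 0600 "$CERT_DIR"/*.key` right after the transfer would close that gap. The DOMAIN arguments go straight into `get certs/%s.crt` without validation, so an argument containing `/`, `..` or whitespace changes which remote path is fetched into the cert directory; a check such as `for d; do case $d in *[!A-Za-z0-9.-]*) usage ;; esac; done` before the transfer keeps the batch script well-formed. `set -o pipefail` under `#!/bin/sh` relies on the platform sh supporting it, which this diff cannot confirm.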
@@ -0,0 +1,47 @@
+#!/usr/local/bin/perl
+
+use strict;
+use warnings;
+
+use Net::LDAP;
+use Authen::SASL;
+
+@ARGV == 1 or die "usage: $0 ROLE_NAME\n";
+my $role = $ARGV[0];
+
+open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or quit($!);
+my %config;
+while (<$fh>) {
+ chomp;
+ next if /^#/;
+ my @pair = split(' ', $_, 2);
+ next unless (@pair == 2);
+ $config{$pair[0]} = $pair[1];
+}
+close($fh);
+
+my $mech = $config{SASL_MECH} // 'GSSAPI';
+my $uri = $config{URI} // die("URI not specified\n");
+my $users_basedn = $config{USERS_BASE} // die("USERS_BASE not specified\n");
+my $roles_basedn = $config{ROLES_BASE} // die("ROLES_BASE not specified\n");
+
+my $conn = Net::LDAP->new($ldap_uris, version => '3') or die "$@";
+my $sasl = Authen::SASL->new($mech);
+my $status = $conn->bind(sasl => $sasl);
+$status->code and die $status->error;
+
+my $search = $conn->search(
+ scope => 'sub',
+ base => $users_basedn,
+ filter => "(&(memberOf=cn=$role,$roles_basedn)(mailAddress=*))",
+ attrs => ['mailAddress', 'cn']);
+
+print "[Internal]\n";
+
+foreach my $entry ($search->entries) {
+ my $jid = ($entry->get_value('mailAddress'))[0];
+ my $cn = ($entry->get_value('cn'))[0] // $jid;
+ print "$jid=$cn\n";
+}
+
+system('prosodyctl reload');
-- 
cgit v1.2.3
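Review bot: `Net::LDAP->new($ldap_uris, ...)` references a variable that is never declared, so under `use strict` this new script does not compile at all; the value parsed from ldap.conf is `$uri`. The `open ... or quit($!)` line calls a `quit` sub this file never defines (the sibling scripts in this commit use `die`), so an unreadable config produces an undefined-subroutine error instead of the intended message. `$role` comes straight from `@ARGV` and is interpolated unescaped into the search filter, while idm-ssh-authorized-keys.common already imports `escape_filter_value` from Net::LDAP::Util for exactly this; neither `$search->code` nor the exit status of `system('prosodyctl reload')` is checked, so an LDAP error or a failed reload silently yields an empty or stale roster. The rewritten lines are below; the remaining code is unchanged.
```perl
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Authen::SASL;
# … unchanged: usage check, $role …
open my $fh, '<', '/usr/local/etc/openldap/ldap.conf'
    or die "open /usr/local/etc/openldap/ldap.conf: $!\n";
# … unchanged: ldap.conf parsing, $mech/$uri/$users_basedn/$roles_basedn …
my $conn = Net::LDAP->new($uri, version => '3') or die "$@";
# … unchanged: SASL bind and its status check …
my $safe_role = escape_filter_value($role);
my $search = $conn->search(
    scope  => 'sub',
    base   => $users_basedn,
    filter => "(&(memberOf=cn=$safe_role,$roles_basedn)(mailAddress=*))",
    attrs  => ['mailAddress', 'cn']);
$search->code and die $search->error;
# … unchanged: "[Internal]" header and roster output loop …
system('prosodyctl', 'reload') == 0 or die "prosodyctl reload failed: $?\n";
```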