Commit
security/crowdsec-blocklist-mirror: New port: CrowdSec Blocklist Mirror
ChangeLog: https://github.com/crowdsecurity/cs-blocklist-mirror

This bouncer exposes CrowdSec's active decisions via provided HTTP endpoints in pre-defined formats. It can be used by network appliances which support consumption of blocklists via HTTP.

PR: 268105
Reported by: marco@crowdsec.net
Showing
9 changed files
with
182 additions
and
0 deletions.
@@ -0,0 +1,48 @@ | ||
PORTNAME= crowdsec-blocklist-mirror | ||
DISTVERSIONPREFIX= v | ||
DISTVERSION= 0.0.1 | ||
CATEGORIES= security | ||
|
||
MAINTAINER= marco@crowdsec.net | ||
COMMENT= CrowdSec Blocklist Mirror | ||
WWW= https://github.com/crowdsecurity/cs-blocklist-mirror | ||
|
||
LICENSE= MIT | ||
LICENSE_FILE= ${WRKSRC}/LICENSE | ||
|
||
BUILD_DEPENDS= git:devel/git@lite | ||
|
||
USES= gmake go:1.19,no_targets | ||
|
||
USE_GITHUB= yes | ||
GH_ACCOUNT= crowdsecurity | ||
GH_PROJECT= cs-blocklist-mirror | ||
GH_TAGNAME= ${DISTVERSIONFULL}-freebsd | ||
_BUILD_TAG= 24a43080 | ||
USE_RC_SUBR= crowdsec_mirror | ||
|
||
MAKE_ARGS= BUILD_VERSION="${DISTVERSIONFULL}" \ | ||
BUILD_TAG="${_BUILD_TAG}" \ | ||
BUILD_VENDOR_FLAGS="-mod=vendor -modcacherw" | ||
|
||
ETCDIR= ${PREFIX}/etc/crowdsec/bouncers | ||
|
||
SUB_FILES= pkg-deinstall pkg-install pkg-message | ||
|
||
do-install: | ||
# | ||
# Binaries | ||
# | ||
|
||
${INSTALL_PROGRAM} ${WRKSRC}/crowdsec-blocklist-mirror \ | ||
${STAGEDIR}${PREFIX}/bin/crowdsec-blocklist-mirror | ||
|
||
# | ||
# Configuration | ||
# | ||
|
||
@${MKDIR} ${STAGEDIR}${ETCDIR} | ||
${INSTALL_DATA} ${WRKSRC}/config/crowdsec-blocklist-mirror.yaml \ | ||
${STAGEDIR}${ETCDIR}/crowdsec-blocklist-mirror.yaml.sample | ||
|
||
.include <bsd.port.mk> |
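Review bot: The purpose of `BUILD_DEPENDS= git:devel/git@lite` is not visible from this hunk: the build uses vendored modules (`-mod=vendor`) and passes `BUILD_VERSION` and `BUILD_TAG` explicitly through MAKE_ARGS, so nothing shown here invokes git. If the upstream Makefile still shells out to git for metadata, say so next to the dependency with a comment such as `# git: upstream Makefile inspects the checkout even when BUILD_TAG is supplied`; otherwise the dependency can be dropped. `_BUILD_TAG= 24a43080` also deserves a one-line comment saying what it mirrors, since it is hard-coded independently of GH_TAGNAME and will silently go stale on the next DISTVERSION bump.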
@@ -0,0 +1,3 @@ | ||
TIMESTAMP = 1664462306 | ||
SHA256 (crowdsecurity-cs-blocklist-mirror-v0.0.1-v0.0.1-freebsd_GH0.tar.gz) = a3e35eb6bba0a5b34a2fd50fb7223378c6ac268311d2ebe7fefd0381bc39e7d5 | ||
SIZE (crowdsecurity-cs-blocklist-mirror-v0.0.1-v0.0.1-freebsd_GH0.tar.gz) = 2444802 |
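--- a/security/crowdsec-blocklist-mirror/files/crowdsec_mirror.in
+++ b/security/crowdsec-blocklist-mirror/files/crowdsec_mirror.in
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# PROVIDE: crowdsec_mirror
+# REQUIRE: LOGIN DAEMON NETWORKING
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# crowdsec_mirror_enable (bool): Set it to YES to enable the blocklist mirror.
+# Default is "NO"
+# crowdsec_mirror_config (str): Set the config path.
+# Default is "%%ETCDIR%%/crowdsec-blocklist-mirror.yaml"
+# crowdsec_mirror_flags (str): extra flags to run bouncer.
+# Default is ""
+
+. /etc/rc.subr
+
+name=crowdsec_mirror
+desc="Crowdsec Blocklist Mirror"
+rcvar=crowdsec_mirror_enable
+
+load_rc_config $name
+
+: "${crowdsec_mirror_enable:=NO}"
+: "${crowdsec_mirror_config:=%%ETCDIR%%/crowdsec-blocklist-mirror.yaml}"
+: "${crowdsec_mirror_flags:=}"
+
+pidfile=/var/run/${name}.pid
+required_files="$crowdsec_mirror_config"
+command="%%PREFIX%%/bin/crowdsec-blocklist-mirror"
+start_cmd="${name}_start"
+start_precmd="${name}_precmd"
+
+crowdsec_mirror_precmd() {
+CSCLI=%%PREFIX%%/bin/cscli
+orig_line="lapi_key: \${API_KEY}"
+# IF the bouncer is not configured
+if grep -q "${orig_line}" "${crowdsec_mirror_config}"; then
+SUFFIX=$(jot -r -c 10 a z | rs -g0)
+BOUNCER="cs-blocklist-mirror-${SUFFIX}"
+# AND crowdsec is installed..
+if command -v "$CSCLI" >/dev/null; then
+# THEN, register it to the local API
+API_KEY="$($CSCLI bouncers add "${BOUNCER}" -o raw)"
+if [ -n "$API_KEY" ]; then
+sed -i "" "s/${orig_line}/lapi_key: ${API_KEY} # ${BOUNCER}/" "${crowdsec_mirror_config}"
+echo "Registered: ${BOUNCER}"
+fi
+fi
+fi
+
+orig_line="lapi_url: \${CROWDSEC_LAPI_URL}"
+# IF the lapi endpoint is not configured
+if grep -q "${orig_line}" "${crowdsec_mirror_config}"; then
+# AND crowdsec is installed..
+if command -v "$CSCLI" >/dev/null; then
+# THEN, use the listen address
+CROWDSEC_LAPI_ENDPOINT="$($CSCLI config show --key Config.API.Server.ListenURI)"
+if [ -n "$CROWDSEC_LAPI_ENDPOINT" ]; then
+sed -i "" "s#${orig_line}#lapi_url: http://${CROWDSEC_LAPI_ENDPOINT}#" "${crowdsec_mirror_config}"
+echo "LAPI listen address set up."
+fi
+fi
+fi
+}
+
+crowdsec_mirror_start() {
+/usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
+${command} -c "${crowdsec_mirror_config}" ${crowdsec_mirror_flags}
+}
+
+run_rc_command "$1"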
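Review bot: In crowdsec_mirror_precmd the key returned by `cscli bouncers add … -o raw` is interpolated unescaped into `sed -i "" "s/${orig_line}/lapi_key: ${API_KEY} # ${BOUNCER}/"`, so a key containing `/` breaks the expression and one containing `&` is rewritten by sed; the lapi_url line below already sidesteps the first case with `#` as delimiter, and this line should likewise use a delimiter the key cannot contain and either escape `&` in the replacement or reject such a key with `err` before touching the file. After this step the config holds the LAPI key in clear and is rewritten in place as root, so its mode (0600 via pkg-plist, assuming @sample preserves it on the copy) matters and deserves a comment here such as `# rewritten in place; must stay 0600 once it holds the LAPI key`. crowdsec_mirror_start passes no `-u` to daemon(8), so the HTTP listener runs as root; a dedicated unprivileged user (with the config readable by it) would limit the impact of a flaw in the service, or at least the choice should be documented. `lapi_url: http://${CROWDSEC_LAPI_ENDPOINT}` also assumes a plain-HTTP LAPI, which is worth stating in the comment above it.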
@@ -0,0 +1,9 @@ | ||
#!/bin/sh | ||
|
||
case $2 in | ||
"DEINSTALL") | ||
service crowdsec_mirror status 2>/dev/null && touch /var/run/crowdsec_mirror.running | ||
service crowdsec_mirror stop 2>/dev/null || : | ||
;; | ||
esac | ||
|
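Review bot: `service crowdsec_mirror status` on the DEINSTALL branch leaves its stdout ("… is running as pid N") in the pkg transcript, since only stderr is silenced; when the result is used purely as a predicate, redirect both: `service crowdsec_mirror status >/dev/null 2>&1 && touch /var/run/crowdsec_mirror.running`. The marker file is consumed by the POST-INSTALL branch of pkg-install.in in the next file section, and neither script says so; a header comment such as `# Remember whether the service was running so pkg-install can restart it after an upgrade.` here, with its counterpart in pkg-install.in, would make the handshake visible. I believe `service … status` exits non-zero when crowdsec_mirror_enable is not set, so a service started with onestart will not be restarted after an upgrade — probably acceptable, but worth noting in that comment.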
@@ -0,0 +1,10 @@ | ||
#!/bin/sh | ||
|
||
case $2 in | ||
"POST-INSTALL") | ||
if [ -e /var/run/crowdsec_mirror.running ]; then | ||
service crowdsec_mirror start | ||
rm -f /var/run/crowdsec_mirror.running | ||
fi | ||
;; | ||
esac |
@@ -0,0 +1,31 @@ | ||
[ | ||
{ type: install | ||
message: <<EOM | ||
|
||
crowdsec-blocklist-mirror is installed. | ||
|
||
If you are running crowdsec on this machine, the bouncer will register itself with | ||
the Local API when it's started the first time. | ||
|
||
If the LAPI is on another machine, you need to manually register the bouncer | ||
and fill lapi_key and lapi_url in %%ETCDIR%%/crowdsec-blocklist-mirror.yaml before | ||
starting the service. | ||
|
||
Please refer to the documentation at | ||
https://docs.crowdsec.net/docs/bouncers/blocklist-mirror/ | ||
|
||
Then activate the bouncer via sysrc and run it: | ||
|
||
---------- | ||
# sysrc crowdsec_mirror_enable="YES" | ||
crowdsec_mirror_enable: NO -> YES | ||
# service crowdsec_mirror start | ||
---------- | ||
|
||
The blocklist is available by default at | ||
'http://127.0.0.1:41412/security/blocklist', check the configuration file to | ||
change address, endpoint or add some authentication. | ||
|
||
EOM | ||
} | ||
] |
@@ -0,0 +1,3 @@ | ||
CrowdSec Blocklist Mirror | ||
|
||
Publish CrowdSec decisions via HTTP, to be consumed by network appliances. |
@@ -0,0 +1,4 @@ | ||
@mode 0755 | ||
bin/crowdsec-blocklist-mirror | ||
@mode 0600 | ||
@sample %%ETCDIR%%/crowdsec-blocklist-mirror.yaml.sample |
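Review bot: The trailing `@mode 0600` is never reset, so any entry appended below it later will silently inherit 0600; FreeBSD plists conventionally close the scope with a bare `@mode` line after the last affected entry. Keeping the sample — and hence the copied config, which the rc script fills with the LAPI key on first start — at 0600 is the right call. `@mode 0755` on bin/crowdsec-blocklist-mirror overrides the port's default BINMODE (0555) with an owner-writable mode; unless upstream needs that, the line can simply be dropped.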