security/crowdsec-blocklist-mirror: New port: CrowdSec Blocklist Mirror

ChangeLog: https://github.com/crowdsecurity/cs-blocklist-mirror This bouncer exposes CrowdSec's active decisions via provided HTTP endpoints in pre-defined formats. It can be used by network appliances which support consumption of blocklists via HTTP. PR: 268105 Reported by: marco@crowdsec.net
freebsd · Dec 16, 2022 · 4fde381 · 4fde381
1 parent 0826ff5
commit 4fde381
Show file tree

Hide file tree

Showing 9 changed files with 182 additions and 0 deletions.
diff --git a/security/Makefile b/security/Makefile
@@ -103,6 +103,7 @@
     SUBDIR += create-cert
     SUBDIR += crlfuzz
     SUBDIR += crowdsec
+    SUBDIR += crowdsec-blocklist-mirror
     SUBDIR += crowdsec-firewall-bouncer
     SUBDIR += cryptlib
     SUBDIR += cryptopp

diff --git a/security/crowdsec-blocklist-mirror/Makefile b/security/crowdsec-blocklist-mirror/Makefile
@@ -0,0 +1,48 @@
+PORTNAME=	crowdsec-blocklist-mirror
+DISTVERSIONPREFIX=	v
+DISTVERSION=	0.0.1
+CATEGORIES=	security
+
+MAINTAINER=	marco@crowdsec.net
+COMMENT=	CrowdSec Blocklist Mirror
+WWW=		https://github.com/crowdsecurity/cs-blocklist-mirror
+
+LICENSE=	MIT
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+BUILD_DEPENDS=	git:devel/git@lite
+
+USES=		gmake go:1.19,no_targets
+
+USE_GITHUB=	yes
+GH_ACCOUNT=	crowdsecurity
+GH_PROJECT=	cs-blocklist-mirror
+GH_TAGNAME=	${DISTVERSIONFULL}-freebsd
+_BUILD_TAG=	24a43080
+USE_RC_SUBR=	crowdsec_mirror
+
+MAKE_ARGS=	BUILD_VERSION="${DISTVERSIONFULL}" \
+		BUILD_TAG="${_BUILD_TAG}" \
+		BUILD_VENDOR_FLAGS="-mod=vendor -modcacherw"
+
+ETCDIR=		${PREFIX}/etc/crowdsec/bouncers
+
+SUB_FILES=	pkg-deinstall pkg-install pkg-message
+
+do-install:
+	#
+	# Binaries
+	#
+
+	${INSTALL_PROGRAM} ${WRKSRC}/crowdsec-blocklist-mirror \
+		${STAGEDIR}${PREFIX}/bin/crowdsec-blocklist-mirror
+
+	#
+	# Configuration
+	#
+
+	@${MKDIR} ${STAGEDIR}${ETCDIR}
+	${INSTALL_DATA} ${WRKSRC}/config/crowdsec-blocklist-mirror.yaml \
+		${STAGEDIR}${ETCDIR}/crowdsec-blocklist-mirror.yaml.sample
+
+.include <bsd.port.mk>
diff --git a/security/crowdsec-blocklist-mirror/distinfo b/security/crowdsec-blocklist-mirror/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1664462306
+SHA256 (crowdsecurity-cs-blocklist-mirror-v0.0.1-v0.0.1-freebsd_GH0.tar.gz) = a3e35eb6bba0a5b34a2fd50fb7223378c6ac268311d2ebe7fefd0381bc39e7d5
+SIZE (crowdsecurity-cs-blocklist-mirror-v0.0.1-v0.0.1-freebsd_GH0.tar.gz) = 2444802
diff --git a/security/crowdsec-blocklist-mirror/files/crowdsec_mirror.in b/security/crowdsec-blocklist-mirror/files/crowdsec_mirror.in
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# PROVIDE: crowdsec_mirror
+# REQUIRE: LOGIN DAEMON NETWORKING
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# crowdsec_mirror_enable (bool):	Set it to YES to enable the blocklist mirror.
+#					Default is "NO"
+# crowdsec_mirror_config (str):		Set the config path.
+#					Default is "%%ETCDIR%%/crowdsec-blocklist-mirror.yaml"
+# crowdsec_mirror_flags (str):		extra flags to run bouncer.
+#					Default is ""
+
+. /etc/rc.subr
+
+name=crowdsec_mirror
+desc="Crowdsec Blocklist Mirror"
+rcvar=crowdsec_mirror_enable
+
+load_rc_config $name
+
+: "${crowdsec_mirror_enable:=NO}"
+: "${crowdsec_mirror_config:=%%ETCDIR%%/crowdsec-blocklist-mirror.yaml}"
+: "${crowdsec_mirror_flags:=}"
+
+pidfile=/var/run/${name}.pid
+required_files="$crowdsec_mirror_config"
+command="%%PREFIX%%/bin/crowdsec-blocklist-mirror"
+start_cmd="${name}_start"
+start_precmd="${name}_precmd"
+
+crowdsec_mirror_precmd() {
+    CSCLI=%%PREFIX%%/bin/cscli
+    orig_line="lapi_key: \${API_KEY}"
+    # IF the bouncer is not configured
+    if grep -q "${orig_line}" "${crowdsec_mirror_config}"; then
+        SUFFIX=$(jot -r -c 10 a z | rs -g0)
+        BOUNCER="cs-blocklist-mirror-${SUFFIX}"
+        # AND crowdsec is installed..
+        if command -v "$CSCLI" >/dev/null; then
+            # THEN, register it to the local API
+            API_KEY="$($CSCLI bouncers add "${BOUNCER}" -o raw)"
+            if [ -n "$API_KEY" ]; then
+                sed -i "" "s/${orig_line}/lapi_key: ${API_KEY}     # ${BOUNCER}/" "${crowdsec_mirror_config}"
+                echo "Registered: ${BOUNCER}"
+            fi
+        fi
+    fi
+
+    orig_line="lapi_url: \${CROWDSEC_LAPI_URL}"
+    # IF the lapi endpoint is not configured
+    if grep -q "${orig_line}" "${crowdsec_mirror_config}"; then
+        # AND crowdsec is installed..
+        if command -v "$CSCLI" >/dev/null; then
+            # THEN, use the listen address
+            CROWDSEC_LAPI_ENDPOINT="$($CSCLI config show --key Config.API.Server.ListenURI)"
+            if [ -n "$CROWDSEC_LAPI_ENDPOINT" ]; then
+                sed -i "" "s#${orig_line}#lapi_url: http://${CROWDSEC_LAPI_ENDPOINT}#" "${crowdsec_mirror_config}"
+                echo "LAPI listen address set up."
+            fi
+        fi
+    fi
+}
+
+crowdsec_mirror_start() {
+    /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
+        ${command} -c "${crowdsec_mirror_config}" ${crowdsec_mirror_flags}
+}
+
+run_rc_command "$1"
diff --git a/security/crowdsec-blocklist-mirror/files/pkg-deinstall.in b/security/crowdsec-blocklist-mirror/files/pkg-deinstall.in
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+case $2 in
+       "DEINSTALL")
+               service crowdsec_mirror status 2>/dev/null && touch /var/run/crowdsec_mirror.running
+               service crowdsec_mirror stop 2>/dev/null || :
+               ;;
+esac
+
diff --git a/security/crowdsec-blocklist-mirror/files/pkg-install.in b/security/crowdsec-blocklist-mirror/files/pkg-install.in
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+case $2 in
+        "POST-INSTALL")
+                if [ -e /var/run/crowdsec_mirror.running ]; then
+                        service crowdsec_mirror start
+                        rm -f /var/run/crowdsec_mirror.running
+                fi
+                ;;
+esac
diff --git a/security/crowdsec-blocklist-mirror/files/pkg-message.in b/security/crowdsec-blocklist-mirror/files/pkg-message.in
@@ -0,0 +1,31 @@
+[
+{ type: install
+  message: <<EOM
+
+crowdsec-blocklist-mirror is installed.
+
+If you are running crowdsec on this machine, the bouncer will register itself with
+the Local API when it's started the first time.
+
+If the LAPI is on another machine, you need to manually register the bouncer
+and fill lapi_key and lapi_url in %%ETCDIR%%/crowdsec-blocklist-mirror.yaml before
+starting the service.
+
+Please refer to the documentation at
+https://docs.crowdsec.net/docs/bouncers/blocklist-mirror/
+
+Then activate the bouncer via sysrc and run it:
+
+----------
+# sysrc crowdsec_mirror_enable="YES"
+crowdsec_mirror_enable: NO -> YES
+# service crowdsec_mirror start
+----------
+
+The blocklist is available by default at
+'http://127.0.0.1:41412/security/blocklist', check the configuration file to
+change address, endpoint or add some authentication.
+
+EOM
+}
+]
diff --git a/security/crowdsec-blocklist-mirror/pkg-descr b/security/crowdsec-blocklist-mirror/pkg-descr
@@ -0,0 +1,3 @@
+CrowdSec Blocklist Mirror
+
+Publish CrowdSec decisions via HTTP, to be consumed by network appliances.
diff --git a/security/crowdsec-blocklist-mirror/pkg-plist b/security/crowdsec-blocklist-mirror/pkg-plist
@@ -0,0 +1,4 @@
+@mode 0755
+bin/crowdsec-blocklist-mirror
+@mode 0600
+@sample %%ETCDIR%%/crowdsec-blocklist-mirror.yaml.sample