From 28dd9694af2043e21460fe73e866fa219b36ed22 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann <hi@kunsmann.eu>
Date: Sun, 21 Mar 2021 17:40:58 +0100
Subject: [PATCH] add bundle:oidentd

---
 bundles/oidentd/files/oidentd.conf | 29 +++++++++++++++++++++++++++++
 bundles/oidentd/items.py           | 17 +++++++++++++++++
 bundles/oidentd/metadata.py        | 22 ++++++++++++++++++++++
 nodes/htz/ex42-1048908.py          | 10 +++++++++-
 4 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 bundles/oidentd/files/oidentd.conf
 create mode 100644 bundles/oidentd/items.py
 create mode 100644 bundles/oidentd/metadata.py

diff --git a/bundles/oidentd/files/oidentd.conf b/bundles/oidentd/files/oidentd.conf
new file mode 100644
index 0000000..c6015ef
--- /dev/null
+++ b/bundles/oidentd/files/oidentd.conf
@@ -0,0 +1,29 @@
+default {
+    default {
+        deny spoof
+        deny spoof_all
+        deny spoof_privport
+        deny random
+        deny random_numeric
+        deny numeric
+        deny hide
+        deny forward
+    }
+}
+
+user root {
+    default {
+        force reply "nobody"
+    }
+}
+
+% for user, allows in node.metadata.get('oidentd/allows', {}).items():
+user ${user} {
+    default {
+%   for allow in sorted(allows):
+        allow ${allow}
+%   endfor
+    }
+}
+
+% endfor
diff --git a/bundles/oidentd/items.py b/bundles/oidentd/items.py
new file mode 100644
index 0000000..2d1f412
--- /dev/null
+++ b/bundles/oidentd/items.py
@@ -0,0 +1,17 @@
+files = {
+    '/etc/oidentd.conf': {
+        'content_type': 'mako',
+        'triggers': {
+            'svc_systemd:oidentd:restart',
+        },
+    },
+}
+
+svc_systemd = {
+    'oidentd': {
+        'needs': {
+            'pkg_apt:oidentd',
+            'file:/etc/oidentd.conf',
+        },
+    },
+}
diff --git a/bundles/oidentd/metadata.py b/bundles/oidentd/metadata.py
new file mode 100644
index 0000000..d17952e
--- /dev/null
+++ b/bundles/oidentd/metadata.py
@@ -0,0 +1,22 @@
+from bundlewrap.metadata import atomic
+
+defaults = {
+    'apt': {
+        'packages': {
+            'oidentd': {},
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'iptables/port_rules/113',
+)
+def iptables(metadata):
+    return {
+        'iptables': {
+            'port_rules': {
+                '113': atomic(metadata.get('oidentd/restrict-to', set('*'))),
+            },
+        },
+    }
diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py
index eb86b89..f2ae4a1 100644
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@@ -11,6 +11,7 @@ nodes['htz.ex42-1048908'] = {
         'miniflux',
         'mx-puppet-discord',
         'nodejs',
+        'oidentd',
         'php',
         'postfixadmin',
         'redis',
@@ -127,7 +128,6 @@ nodes['htz.ex42-1048908'] = {
             'custom_rules': [
                 'iptables_both -A INPUT -p udp --dport 60000:61000 -j ACCEPT', # mosh
                 'iptables_both -A INPUT -p tcp --dport 9001 -j ACCEPT', # weechat
-                'iptables_both -A INPUT -p tcp --dport 113 -j ACCEPT', # oidentd
 
                 # libvirt rules. These are also added by libvirt itself,
                 # but they would be overridden by our own iptables
@@ -331,6 +331,14 @@ nodes['htz.ex42-1048908'] = {
             },
             'worker_processes': 4,
         },
+        'oidentd': {
+            'allows': {
+                'kunsi': {
+                    'spoof',
+                    'spoof_all',
+                },
+            },
+        },
         'php': {
             'version': '7.4',
             'packages': {