add bundle:oidentd

Franzi 2021-03-21 17:40:58 +01:00
parent 6a6198c9b9
commit 28dd9694af
Signed by: kunsi
GPG key ID: 12E3D2136B818350
4 changed files with 77 additions and 1 deletions


@ -0,0 +1,29 @@
default {
default {
deny spoof
deny spoof_all
deny spoof_privport
deny random
deny random_numeric
deny numeric
deny hide
deny forward
}
}
user root {
default {
force reply "nobody"
}
}
% for user, allows in node.metadata.get('oidentd/allows', {}).items():
user ${user} {
default {
% for allow in sorted(allows):
allow ${allow}
% endfor
}
}
% endfor
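Review bot: `${user}` and `${allow}` at `user ${user} {` and `allow ${allow}` are written into the config without quoting or validation, so a metadata value containing whitespace, quotes or braces would produce a file oidentd cannot parse, and the triggered restart would presumably then fail. The values come from the repo's own node metadata rather than from an external party, so this is a robustness point rather than a trust-boundary one, but the expected shape is nowhere documented; a mako comment above the loop such as `## oidentd/allows: {username: {capability, ...}} where capability is an oidentd keyword (spoof, spoof_all, spoof_privport, random, random_numeric, numeric, hide, forward)` would pin it down. A `# managed by bundlewrap, local edits will be overwritten` line at the top of the file would also tell an admin on the host where the rules actually live.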

17
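--- /dev/null
+++ b/bundles/oidentd/items.py
@@ -0,0 +1,17 @@
+files = {
+'/etc/oidentd.conf': {
+'content_type': 'mako',
+'triggers': {
+'svc_systemd:oidentd:restart',
+},
+},
+}
+svc_systemd = {
+'oidentd': {
+'needs': {
+'pkg_apt:oidentd',
+'file:/etc/oidentd.conf',
+},
+},
+}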
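Review bot: The `/etc/oidentd.conf` file item declares no `needs` on `pkg_apt:oidentd`, while the service item does; as far as I recall bundlewrap orders package items before file items on its own, but if the package's postinst ships its own `/etc/oidentd.conf` the install-then-overwrite order is only implied here. An explicit `'needs': {'pkg_apt:oidentd'},` on the file entry, mirroring the service's `needs`, makes the intended order visible and keeps the two items consistent. The file also relies on the default mode and owner, which is fine for a config without secrets but worth a one-line comment if that is deliberate.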


@ -0,0 +1,22 @@
from bundlewrap.metadata import atomic
defaults = {
'apt': {
'packages': {
'oidentd': {},
},
},
}
@metadata_reactor.provides(
'iptables/port_rules/113',
)
def iptables(metadata):
return {
'iptables': {
'port_rules': {
'113': atomic(metadata.get('oidentd/restrict-to', set('*'))),
},
},
}
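Review bot: `set('*')` on the `'113':` line builds a set from the characters of the string, which equals `{'*'}` only because the default is a single character; a later change of the default to a CIDR or host would silently split into one-character entries, so write the literal `{'*'}` instead. That default also means TCP/113 is accepted from every source on any node that does not set `oidentd/restrict-to`, and the reactor carries no docstring saying so; a docstring such as `"""Open TCP/113 for oidentd: restricted to oidentd/restrict-to when set, otherwise accepted from all sources."""` would make the exposure explicit at the point where it is decided. Whether wrapping the value in `atomic()` is required depends on how `iptables/port_rules` is merged elsewhere, which this commit does not show.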


@ -11,6 +11,7 @@ nodes['htz.ex42-1048908'] = {
'miniflux', 'miniflux',
'mx-puppet-discord', 'mx-puppet-discord',
'nodejs', 'nodejs',
'oidentd',
'php', 'php',
'postfixadmin', 'postfixadmin',
'redis', 'redis',
@ -127,7 +128,6 @@ nodes['htz.ex42-1048908'] = {
'custom_rules': [ 'custom_rules': [
'iptables_both -A INPUT -p udp --dport 60000:61000 -j ACCEPT', # mosh 'iptables_both -A INPUT -p udp --dport 60000:61000 -j ACCEPT', # mosh
'iptables_both -A INPUT -p tcp --dport 9001 -j ACCEPT', # weechat 'iptables_both -A INPUT -p tcp --dport 9001 -j ACCEPT', # weechat
'iptables_both -A INPUT -p tcp --dport 113 -j ACCEPT', # oidentd
# libvirt rules. These are also added by libvirt itself, # libvirt rules. These are also added by libvirt itself,
# but they would be overridden by our own iptables # but they would be overridden by our own iptables
@ -331,6 +331,14 @@ nodes['htz.ex42-1048908'] = {
}, },
'worker_processes': 4, 'worker_processes': 4,
}, },
'oidentd': {
'allows': {
'kunsi': {
'spoof',
'spoof_all',
},
},
},
'php': { 'php': {
'version': '7.4', 'version': '7.4',
'packages': { 'packages': {
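Review bot: The hand-written `iptables_both -A INPUT -p tcp --dport 113 -j ACCEPT` rule is removed in the second hunk while the new `'oidentd'` metadata block in the third hunk sets no `oidentd/restrict-to`, so the port-113 rule now comes from the bundle's reactor default (`iptables/port_rules/113`) rather than from this file; the exposure presumably stays the same, but nothing in the node file says where the rule went. A comment on the new block, `# TCP/113 is opened by the oidentd bundle's iptables/port_rules/113 reactor; set oidentd/restrict-to to narrow it`, would save the next reader a search. The enclosing `nodes['htz.ex42-1048908']` dict starts before the first hunk and continues outside the last one.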