add bundle:oidentd

2021-03-21 17:40:58 +01:00 · 2021-03-21 17:40:58 +01:00 · 28dd9694af
commit 28dd9694af
parent 6a6198c9b9
4 changed files with 77 additions and 1 deletions
--- a/bundles/oidentd/files/oidentd.conf
+++ b/bundles/oidentd/files/oidentd.conf
@ -0,0 +1,29 @@
+default {
+    default {
+        deny spoof
+        deny spoof_all
+        deny spoof_privport
+        deny random
+        deny random_numeric
+        deny numeric
+        deny hide
+        deny forward
+    }
+}
+
+user root {
+    default {
+        force reply "nobody"
+    }
+}
+
+% for user, allows in node.metadata.get('oidentd/allows', {}).items():
+user ${user} {
+    default {
+%   for allow in sorted(allows):
+        allow ${allow}
+%   endfor
+    }
+}
+
+% endfor
--- a/bundles/oidentd/items.py
+++ b/bundles/oidentd/items.py
@ -0,0 +1,17 @@
+files = {
+    '/etc/oidentd.conf': {
+        'content_type': 'mako',
+        'triggers': {
+            'svc_systemd:oidentd:restart',
+        },
+    },
+}
+
+svc_systemd = {
+    'oidentd': {
+        'needs': {
+            'pkg_apt:oidentd',
+            'file:/etc/oidentd.conf',
+        },
+    },
+}
--- a/bundles/oidentd/metadata.py
+++ b/bundles/oidentd/metadata.py
@ -0,0 +1,22 @@
+from bundlewrap.metadata import atomic
+
+defaults = {
+    'apt': {
+        'packages': {
+            'oidentd': {},
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'iptables/port_rules/113',
+)
+def iptables(metadata):
+    return {
+        'iptables': {
+            'port_rules': {
+                '113': atomic(metadata.get('oidentd/restrict-to', set('*'))),
+            },
+        },
+    }
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@ -11,6 +11,7 @@ nodes['htz.ex42-1048908'] = {
        'miniflux',
        'mx-puppet-discord',
        'nodejs',
+        'oidentd',
        'php',
        'postfixadmin',
        'redis',
@ -127,7 +128,6 @@ nodes['htz.ex42-1048908'] = {
            'custom_rules': [
                'iptables_both -A INPUT -p udp --dport 60000:61000 -j ACCEPT', # mosh
                'iptables_both -A INPUT -p tcp --dport 9001 -j ACCEPT', # weechat
-                'iptables_both -A INPUT -p tcp --dport 113 -j ACCEPT', # oidentd

                # libvirt rules. These are also added by libvirt itself,
                # but they would be overridden by our own iptables
@ -331,6 +331,14 @@ nodes['htz.ex42-1048908'] = {
            },
            'worker_processes': 4,
        },
+        'oidentd': {
+            'allows': {
+                'kunsi': {
+                    'spoof',
+                    'spoof_all',
+                },
+            },
+        },
        'php': {
            'version': '7.4',
            'packages': {