authorFlorian Smeets <flo@FreeBSD.org>2024-01-29 16:11:04 +0000
committerFlorian Smeets <flo@FreeBSD.org>2024-01-29 16:11:04 +0000
commit6d25994b8ea26a536e4826452d795156617eff69 (patch)
tree2e60ac2c0b67ebd22e1856299c83e720d278a734
parent41ba990caf7cfe8b3dc3256808f3a056d54618fc (diff)
security/certspotter: Add new port
Cert Spotter is a Certificate Transparency log monitor from SSLMate that alerts you when an SSL/TLS certificate is issued for one of your domains. Cert Spotter is easier to use than other open source CT monitors, since it does not require a database. It's also more robust, since it uses a special certificate parser that ensures it won't miss certificates.
-rw-r--r--GIDs2
-rw-r--r--UIDs2
-rw-r--r--security/Makefile1
-rw-r--r--security/certspotter/Makefile35
-rw-r--r--security/certspotter/distinfo5
-rw-r--r--security/certspotter/files/certspotter.in44
-rw-r--r--security/certspotter/pkg-descr2
-rw-r--r--security/certspotter/pkg-plist4
8 files changed, 93 insertions, 2 deletions
diff --git a/GIDs b/GIDs
index cf53657bdd4f..a2e872ae22ab 100644
--- a/GIDs
+++ b/GIDs
@@ -269,7 +269,7 @@ dkfilter:*:325:
smfs:*:326:
_reticulum:*:327:
galene:*:328:
-# free: 329
+certspotter:*:329:
orthanc:*:330:
# free: 331
# free: 332
diff --git a/UIDs b/UIDs
index d81e56e33c98..f0522ea3f17c 100644
--- a/UIDs
+++ b/UIDs
@@ -274,7 +274,7 @@ dkfilter:*:325:325::0:0:DK Filter Owner:/nonexistent:/usr/sbin/nologin
smfs:*:326:326::0:0:SMFSAV Owner:/nonexistent:/usr/sbin/nologin
_reticulum:*:327:327::0:0:Reticulum Daemon:/nonexistent:/usr/sbin/nologin
galene:*:328:328::0:0:Galene Visioconference server:/nonexistent:/usr/sbin/nologin
-# free: 329
+certspotter:*:329:329::0:0:Cert Spotter user:/nonexistent:/usr/sbin/nologin
orthanc:*:330:330::0:0:Orthanc Daemon:/nonexistent:/usr/sbin/nologin
# free: 331
# free: 332
diff --git a/security/Makefile b/security/Makefile
index 99ec5c3a1f7b..c5b64253fdfa 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -74,6 +74,7 @@
SUBDIR += ccrypt
SUBDIR += ccsrch
SUBDIR += certmgr
+ SUBDIR += certspotter
SUBDIR += cfs
SUBDIR += cfssl
SUBDIR += cfv
diff --git a/security/certspotter/Makefile b/security/certspotter/Makefile
new file mode 100644
index 000000000000..fa65f32f417d
--- /dev/null
+++ b/security/certspotter/Makefile
@@ -0,0 +1,35 @@
+PORTNAME= certspotter
+DISTVERSIONPREFIX= v
+DISTVERSION= 0.18.0
+CATEGORIES= security www
+
+MAINTAINER= flo@FreeBSD.org
+COMMENT= Certificate Transparency Monitor
+WWW= https://github.com/SSLMate/certspotter
+
+LICENSE= MPL20
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+USES= go:1.21,modules
+USE_RC_SUBR= certspotter
+GO_MODULE= software.sslmate.com/src/certspotter
+GO_TARGET= ./cmd/${PORTNAME}:${PREFIX}/sbin/${PORTNAME}
+
+CERTSPOTTER_USER?= certspotter
+CERTSPOTTER_GROUP?= certspotter
+
+SUB_LIST+= CERTSPOTTER_GROUP=${CERTSPOTTER_GROUP} \
+ CERTSPOTTER_USER=${CERTSPOTTER_USER}
+
+USERS= ${CERTSPOTTER_USER}
+GROUPS= ${CERTSPOTTER_GROUP}
+
+PLIST_SUB+= CERTSPOTTER_GROUP=${CERTSPOTTER_GROUP} \
+ CERTSPOTTER_USER=${CERTSPOTTER_USER}
+
+pre-install:
+ @${MKDIR} ${STAGEDIR}/var/db/${PORTNAME}
+ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/${PORTNAME}
+ @${ECHO_CMD} "example.org" > ${STAGEDIR}${PREFIX}/etc/${PORTNAME}/watchlist.sample
+ @${MKDIR} ${STAGEDIR}/var/run/${PORTNAME}
+.include <bsd.port.mk>
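Review bot: `CERTSPOTTER_USER` and `CERTSPOTTER_GROUP` are assigned with `?=` and so can be overridden, but `USERS`/`GROUPS` are resolved against the tree's UIDs and GIDs files, where this commit registers only `certspotter`; an override to any other name would presumably fail when the package tries to create the account. Either assign them with plain `=` or add a comment such as `# Overriding these requires matching entries in UIDs and GIDs`. Separately, the `/var/run/${PORTNAME}` directory staged in `pre-install` may not survive a reboot where /var/run is memory-backed, and nothing visible in the rc script recreates it before daemon(8) writes the pidfile there.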
diff --git a/security/certspotter/distinfo b/security/certspotter/distinfo
new file mode 100644
index 000000000000..d7a980228c6e
--- /dev/null
+++ b/security/certspotter/distinfo
@@ -0,0 +1,5 @@
+TIMESTAMP = 1706474827
+SHA256 (go/security_certspotter/certspotter-v0.18.0/v0.18.0.mod) = 7999f3e078b45dae94b4b4b34bee2dda107e3a23bff847f54b584d0ce3bb549d
+SIZE (go/security_certspotter/certspotter-v0.18.0/v0.18.0.mod) = 165
+SHA256 (go/security_certspotter/certspotter-v0.18.0/v0.18.0.zip) = cd52b973de3ee04cbf5ced8eb87c6634185e77ad2bf4da756a4c72b9881f2c59
+SIZE (go/security_certspotter/certspotter-v0.18.0/v0.18.0.zip) = 89899
diff --git a/security/certspotter/files/certspotter.in b/security/certspotter/files/certspotter.in
new file mode 100644
index 000000000000..f22d334d210d
--- /dev/null
+++ b/security/certspotter/files/certspotter.in
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# PROVIDE: certspotter
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add these lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# certspotter_enable (bool): Set to YES to enable certspotter.
+# Set to NO by default.
+# certspotter_statedir (path): State dir. Set to /var/db/certspotter
+# by default.
+# certspotter_watchlist (path): File listing the monitored domains.
+# Set to %%ETCIDIR%%/watchlist by default.
+# certspotter_email (string): The email address notifications will be
+# sent to. Set to root by default.
+# certspotter_user (string): The user account used to run the daemon.
+# Default: %%CERTSPOTTER_USER%%
+
+. /etc/rc.subr
+
+name=certspotter
+rcvar=certspotter_enable
+
+load_rc_config $name
+
+: ${certspotter_enable:="NO"}
+: ${certspotter_statedir="/var/db/certspotter"}
+: ${certspotter_watchlist="%%ETCDIR%%/watchlist"}
+: ${certspotter_user:="%%CERTSPOTTER_USER%%"}
+: ${certspotter_email:="root"}
+
+pidfile=/var/run/certspotter/${name}.pid
+command=%%PREFIX%%/sbin/certspotter
+start_cmd="certspotter_start"
+
+certspotter_start()
+{
+ echo "Starting ${name}."
+ /usr/sbin/daemon -c -f -p ${pidfile} -u ${certspotter_user} %%PREFIX%%/sbin/certspotter -state_dir $certspotter_statedir -watchlist $certspotter_watchlist -email $certspotter_email -start_at_end
+}
+
+run_rc_command "$1"
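Review bot: The daemon(8) command line in `certspotter_start` expands `$certspotter_statedir`, `$certspotter_watchlist` and `$certspotter_email` unquoted, so an rc.conf value containing whitespace or glob characters is split into extra arguments; pass them as `-state_dir "${certspotter_statedir}" -watchlist "${certspotter_watchlist}" -email "${certspotter_email}"`. The statedir and watchlist defaults use `=` where the other three use `:=`, so a variable set to the empty string is kept and, unquoted, lets the flag consume the next option as its value; `:=` on both would match the rest. In the header comment `%%ETCIDIR%%` looks like a typo for `%%ETCDIR%%` and would be installed unsubstituted. Because `daemon -f` redirects the program's stdout and stderr to /dev/null, consider routing output to syslog (daemon's `-S`) so that a monitor that has stopped working does not fail silently.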
diff --git a/security/certspotter/pkg-descr b/security/certspotter/pkg-descr
new file mode 100644
index 000000000000..007655649d98
--- /dev/null
+++ b/security/certspotter/pkg-descr
@@ -0,0 +1,2 @@
+Cert Spotter is a Certificate Transparency log monitor from SSLMate that
+alerts you when an SSL/TLS certificate is issued for one of your domains.
diff --git a/security/certspotter/pkg-plist b/security/certspotter/pkg-plist
new file mode 100644
index 000000000000..0544303c9f5d
--- /dev/null
+++ b/security/certspotter/pkg-plist
@@ -0,0 +1,4 @@
+sbin/certspotter
+@sample etc/certspotter/watchlist.sample
+@dir(%%CERTSPOTTER_USER%%,%%CERTSPOTTER_GROUP%%,700) /var/db/certspotter
+@dir(%%CERTSPOTTER_USER%%,%%CERTSPOTTER_GROUP%%,0775) /var/run/certspotter
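Review bot: `/var/run/certspotter` is created owned by the service account with mode 0775, so both that user and its group can create, rename and delete the pidfile that rc.subr later reads as root when stopping or checking the service; 0755 is enough for a single-user daemon, e.g. `@dir(%%CERTSPOTTER_USER%%,%%CERTSPOTTER_GROUP%%,0755) /var/run/certspotter`. If daemon(8) opens the pidfile before it switches to the `-u` user (worth confirming), the directory could stay root-owned altogether. The two `@dir` lines also spell the mode differently (`700` and `0775`); four digits on both would read more consistently.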