authorAlan Somers <asomers@FreeBSD.org>2021-07-27 22:08:38 +0000
committerAlan Somers <asomers@FreeBSD.org>2023-01-13 20:10:59 +0000
commit0de11ff4ffa507b3c91eada0307bb45fea28112a (patch)
treef5845b9ebb7c4a66a8982afadecddb4f4c047118
parent4bcf376e27f3450a6d7f931e7e660d5fdbeb2566 (diff)
downloadports-0de11ff4ffa507b3c91eada0307bb45fea28112a.tar.gz
ports-0de11ff4ffa507b3c91eada0307bb45fea28112a.zip
sysutils/zrepl: warn of impending SSL certificate expiration
Add a periodic script that will warn of impending certificate expiration. PR: 257464 Approved by: dries (maintainer, ports) Sponsored by: Axcient
-rw-r--r--sysutils/zrepl/Makefile7
-rw-r--r--sysutils/zrepl/files/500.zrepl.in41
-rw-r--r--sysutils/zrepl/files/pkg-message.in10
-rw-r--r--sysutils/zrepl/pkg-plist1
4 files changed, 57 insertions, 2 deletions
diff --git a/sysutils/zrepl/Makefile b/sysutils/zrepl/Makefile
index ed56db478494..146f21339104 100644
--- a/sysutils/zrepl/Makefile
+++ b/sysutils/zrepl/Makefile
@@ -1,7 +1,7 @@
PORTNAME= zrepl
DISTVERSIONPREFIX= v
DISTVERSION= 0.6.0
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= sysutils
MAINTAINER= driesm@FreeBSD.org
@@ -19,7 +19,7 @@ GO_BUILDFLAGS= -ldflags "\
-s -w\
-X ${GO_MODULE}/version.${PORTNAME}Version=${DISTVERSIONFULL}"
-SUB_FILES= pkg-message
+SUB_FILES= pkg-message 500.zrepl
OPTIONS_DEFINE= EXAMPLES MANPAGES
OPTIONS_DEFAULT= MANPAGES
@@ -40,6 +40,9 @@ post-install:
${INSTALL_DATA} ${FILESDIR}/newsyslog.conf ${STAGEDIR}${EXAMPLESDIR}/newsyslog.conf
${INSTALL_DATA} ${FILESDIR}/syslog.conf ${STAGEDIR}${EXAMPLESDIR}/syslog.conf
${INSTALL_DATA} ${FILESDIR}/zrepl.yml ${STAGEDIR}${ETCDIR}/zrepl.yml.sample
+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/weekly
+ ${INSTALL_SCRIPT} ${WRKDIR}/500.zrepl \
+ ${STAGEDIR}${PREFIX}/etc/periodic/weekly/500.zrepl
post-install-EXAMPLES-on:
@${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/hooks
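Review bot: The periodic script is staged under `${STAGEDIR}${PREFIX}/etc/periodic/weekly`, but the pkg-message text added in this same commit points the operator at `%%LOCALBASE%%/etc/periodic/weekly/500.zrepl`. The two paths agree only while PREFIX equals LOCALBASE, so with an overridden PREFIX the message would name a file that is not there. Using `%%PREFIX%%/etc/periodic/weekly/500.zrepl` in pkg-message.in would keep the message and the install location consistent. The `post-install` target starts above this hunk, so the rest of its recipe is not visible here.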
diff --git a/sysutils/zrepl/files/500.zrepl.in b/sysutils/zrepl/files/500.zrepl.in
new file mode 100644
index 000000000000..b7f1b3abb4d3
--- /dev/null
+++ b/sysutils/zrepl/files/500.zrepl.in
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Check zrepl SSL certificates for impending expiration each week
+#
+# Add the following lines to /etc/periodic.conf:
+#
+# weekly_zrepl_enable (bool): Set to "NO" by default
+# weekly_zrepl_warntime (int): Set to one month's worth of seconds by default
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+# 30 days in seconds
+: ${weekly_zrepl_warntime="2592000"}
+
+rc=0
+case "$weekly_zrepl_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo "Check Zrepl certificates for upcoming expiration:"
+
+ for cert in `/usr/bin/find %%ETCDIR%% -maxdepth 1 -name *.crt`; do
+ /usr/bin/openssl x509 --in "${cert}" \
+ -checkend "${weekly_zrepl_warntime}"
+
+ if [ $? -gt 0 ]; then
+ echo "${cert} will expire soon"
+ /usr/bin/openssl x509 --in "${cert}" -noout -enddate
+ rc=3
+ fi
+ done
+ ;;
+ *) rc=0;;
+esac
+
+exit $rc
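Review bot: The `-name *.crt` pattern in the `find` call is unquoted, so the shell expands it against the current working directory before `find` runs; if a `.crt` file is present there, the search is narrowed to that name (or fails on extra arguments) and certificates in %%ETCDIR%% go unchecked without any warning. Quote it as `-name '*.crt'`. The first `openssl x509 ... -checkend` call also lacks `-noout`, so each certificate's PEM text is printed into the weekly report; adding `-noout` there limits the output to the expiry verdict. Any non-zero exit from that call, including a file that fails to parse, is reported as "will expire soon", which is a safe direction to err in but deserves a short comment in the script.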
diff --git a/sysutils/zrepl/files/pkg-message.in b/sysutils/zrepl/files/pkg-message.in
index f01100004e97..9d0cc7020a45 100644
--- a/sysutils/zrepl/files/pkg-message.in
+++ b/sysutils/zrepl/files/pkg-message.in
@@ -22,6 +22,16 @@ DANGER - SNAPSHOT PRUNING REQUIRES EXPLICIT KEEP RULES:
For any ZFS snapshot that you want to keep, at least one rule must match.
This also applies to snapshots taken by means other than zrepl
(e.g. snapshots taken manually or via boot environment tools).
+
+In order to automatically warn the operator of impending certificate
+expiration, add this line to /etc/periodic.conf:
+
+ weekly_zrepl_enable="YES"
+
+More config details in the zrepl periodic script:
+
+ %%LOCALBASE%%/etc/periodic/weekly/500.zrepl
+
EOM
}
]
diff --git a/sysutils/zrepl/pkg-plist b/sysutils/zrepl/pkg-plist
index c26b48a40cc9..a11961d1fa43 100644
--- a/sysutils/zrepl/pkg-plist
+++ b/sysutils/zrepl/pkg-plist
@@ -1,4 +1,5 @@
bin/zrepl
+etc/periodic/weekly/500.zrepl
@sample %%ETCDIR%%/zrepl.yml.sample
%%PORTEXAMPLES%%%%EXAMPLESDIR%%/bandwidth_limit.yml
%%PORTEXAMPLES%%%%EXAMPLESDIR%%/grafana-prometheus-zrepl.json