Pf readable (#573)

- wildduck: make pf rules more self-documenting - dovecot: make pf rules more self-documenting - mt: install jail.conf file with store_config, so theres a .mt6 laying nearby - zonemta: add update support
msimerson · Sep 9, 2024 · aff92c4 · aff92c4
1 parent 187c4b5
commit aff92c4
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 33 deletions.
diff --git a/mail-toaster.sh b/mail-toaster.sh
@@ -483,14 +483,7 @@ get_safe_jail_path()
 
 add_jail_conf_d()
 {
-	_safe_path="/etc/jail.conf.d/$(safe_jailname $1).conf"
-	if [ -f "/etc/jail.conf.d/$1.conf" ]; then
-		tell_status "preserving jail config $_safe_path"
-		return
-	fi
-
-	tell_status "creating $_safe_path"
-	tee "$_safe_path" <<EO_JAIL_RC
+	store_config "/etc/jail.conf.d/$(safe_jailname $1).conf" <<EO_JAIL_RC
 $(jail_conf_header)
 
 $(safe_jailname $1)	{$(get_safe_jail_path $1)

diff --git a/provision/base.sh b/provision/base.sh
@@ -246,7 +246,6 @@ security_show_success="NO"
 security_show_info="NO"
 security_status_pkgaudit_enable="NO"
 security_status_pkgaudit_quiet="YES"
-security_status_tcpwrap_enable="YES"
 daily_status_security_inline="NO"
 weekly_status_security_inline="NO"
 monthly_status_security_inline="NO"

diff --git a/provision/dovecot.sh b/provision/dovecot.sh
@@ -528,20 +528,29 @@ configure_dovecot_pf()
 EO_PF_INSECURE
 
 	store_config "$_pf_etc/rdr.conf" <<EO_PF_RDR
+int_ip4 = "$(get_jail_ip dovecot)"
+int_ip6 = "$(get_jail_ip6 dovecot)"
+
 # to permit legacy users to access insecure POP3 & IMAP, add their IPs/masks
 table <insecure_mua> persist file "$_pf_etc/insecure_mua"
 
-rdr inet  proto tcp from any to <ext_ip4> port { 993 995 } -> $(get_jail_ip  dovecot)
-rdr inet6 proto tcp from any to <ext_ip6> port { 993 995 } -> $(get_jail_ip6 dovecot)
+rdr inet  proto tcp from any to <ext_ip4> port { 993 995 } -> $int_ip4
+rdr inet6 proto tcp from any to <ext_ip6> port { 993 995 } -> $int_ip6
 
-rdr inet  proto tcp from <insecure_mua> to <ext_ip4> port { 110 143 } -> $(get_jail_ip  dovecot)
-rdr inet6 proto tcp from <insecure_mua> to <ext_ip6> port { 110 143 } -> $(get_jail_ip6 dovecot)
+rdr inet  proto tcp from <insecure_mua> to <ext_ip4> port { 110 143 } -> $int_ip4
+rdr inet6 proto tcp from <insecure_mua> to <ext_ip6> port { 110 143 } -> $int_ip6
 EO_PF_RDR
 
 	store_config "$_pf_etc/allow.conf" <<EO_PF_RDR
-mua_ports = "{ 110 143 993 995 }"
-table <mua_servers> persist { \$ext_ip4 \$ext_ip6 $(get_jail_ip dovecot) $(get_jail_ip6 dovecot) }
-pass in quick proto tcp from any to <mua_servers> port \$mua_ports
+int_ip4 = "$(get_jail_ip dovecot)"
+int_ip6 = "$(get_jail_ip6 dovecot)"
+
+table <dovecot_int> persist { \$int_ip4, \$int_ip6 }
+
+pass in quick proto tcp from any to <ext_ip> port { 993 995 }
+pass in quick proto tcp from any to <dovecot_int> port { 993 995 }
+
+pass in quick proto tcp from <insecure_mua> to <dovecot_int> port { 110 143 }
 EO_PF_RDR
 }
 

diff --git a/provision/host.sh b/provision/host.sh
@@ -332,7 +332,7 @@ ext_if="$PUBLIC_NIC"
 ext_ip4="$PUBLIC_IP4"
 ext_ip6="$PUBLIC_IP6"
 
-table <ext_ip>  { \$ext_ip4 \$ext_ip6 } persist
+table <ext_ip>  { \$ext_ip4, \$ext_ip6 } persist
 table <ext_ip4> { \$ext_ip4 } persist
 table <ext_ip6> { \$ext_ip6 } persist
 

diff --git a/provision/wildduck.sh b/provision/wildduck.sh
@@ -30,7 +30,8 @@ install_webmail()
 	else
 		tell_status "updating wildduck webmail"
 		stage_exec bash -c "cd /data/webmail && git pull && npm install && npm run bowerdeps"
-		stage_exec bash -c "cd /data/webmail && mkdir -p public/components && bower install --allow-root"
+		stage_exec bash -c "cd /data/webmail && mkdir -p public/components"
+		stage_exec bash -c "cd /data/webmail && npx bower install --allow-root"
 	fi
 }
 
@@ -56,16 +57,21 @@ configure_pf()
 	_pf_etc="$ZFS_DATA_MNT/wildduck/etc/pf.conf.d"
 
 	store_config "$_pf_etc/rdr.conf" <<EO_PF_RDR
-rdr inet  proto tcp from any to <ext_ip4> port 993 -> $(get_jail_ip wildduck) port 9993
-rdr inet  proto tcp from any to <ext_ip4> port 995 -> $(get_jail_ip wildduck) port 9995
-rdr inet6 proto tcp from any to <ext_ip6> port 993 -> $(get_jail_ip6 wildduck) port 9993
-rdr inet6 proto tcp from any to <ext_ip6> port 995 -> $(get_jail_ip6 wildduck) port 9995
+int_ip4 = "$(get_jail_ip wildduck)"
+int_ip6 = "$(get_jail_ip6 wildduck)"
+
+rdr inet  proto tcp from any to <ext_ip4> port { 3000 9993 9995 } -> $int_ip4
+rdr inet6 proto tcp from any to <ext_ip6> port { 3000 9993 9995 } -> $int_ip6
 EO_PF_RDR
 
 	store_config "$_pf_etc/allow.conf" <<EO_PF_ALLOW
-mua_ports = "{ 993 995 9993 9995 }"
-table <mua_servers> persist { \$ext_ip4 \$ext_ip6 $(get_jail_ip wildduck), $(get_jail_ip6 wildduck) }
-pass in quick proto tcp from any to <mua_servers> port \$mua_ports
+int_ip4 = "$(get_jail_ip wildduck)"
+int_ip6 = "$(get_jail_ip6 wildduck)"
+
+table <wildduck_int> persist { \$int_ip4, \$int_ip6 }
+
+pass in quick proto tcp from any to <ext_ip> port { 3000 9993 9995 }
+pass in quick proto tcp from any to <wildduck_int> port { 3000 9993 9995 }
 EO_PF_ALLOW
 }
 

diff --git a/provision/zonemta.sh b/provision/zonemta.sh
@@ -11,8 +11,12 @@ export JAIL_FSTAB=""
 install_zonemta_webadmin()
 {
 	tell_status "installing ZoneMTA webadmin"
-	stage_exec bash -c "cd /data && git clone https://github.com/zone-eu/zmta-webadmin.git admin"
-	stage_exec bash -c "cd /data/admin && npm install --production"
+	if [ ! -e "$STAGE_MNT/data/admin" ]; then
+		stage_exec bash -c "cd /data && git clone https://github.com/zone-eu/zmta-webadmin.git admin"
+		stage_exec bash -c "cd /data/admin && npm install --production"
+	else
+		stage_exec bash -c "cd /data/admin && git pull && npm install --production"
+	fi
 
 	sed -i '' \
 		-e "/^mongo/ s/127.0.0.1/$(get_jail_ip mongodb)/" \
@@ -27,11 +31,15 @@ install_zonemta()
 	stage_pkg_install npm-node20 git-tiny
 
 	tell_status "installing ZoneMTA"
-	stage_exec bash -c "cd /data && git clone https://github.com/zone-eu/zone-mta-template.git zone-mta"
-	stage_exec bash -c "cd /data/zone-mta && npm install eslint --save-dev"
-	stage_exec bash -c "cd /data/zone-mta && npm init"
-	stage_exec bash -c "cd /data/zone-mta && npm install --production"
-	stage_exec bash -c "cd /data/zone-mta && npm install zonemta-wildduck --save"
+	if [ ! -e "$STAGE_MNT/data/zone-mta" ]; then
+		stage_exec bash -c "cd /data && git clone https://github.com/zone-eu/zone-mta-template.git zone-mta"
+		stage_exec bash -c "cd /data/zone-mta && npm install eslint --save-dev"
+		stage_exec bash -c "cd /data/zone-mta && npm init"
+		stage_exec bash -c "cd /data/zone-mta && npm install --production"
+		stage_exec bash -c "cd /data/zone-mta && npm install zonemta-wildduck --save"
+	else
+		stage_exec bash -c "cd /data/zone-mta && git pull && npm install --production"
+	fi
 
 	sed -i '' \
 		-e "/^mongo/ s/127.0.0.1/$(get_jail_ip mongodb)/" \
@@ -53,7 +61,7 @@ configure_zonemta()
 	stage_exec npm install -g pm2
 	stage_exec pm2 startup
 	stage_sysrc pm2_toor_enable=YES
-	service pm2_toor start
+	stage_exec service pm2_toor start
 
 	tell_status "TODO: configure zonemta-wildduck"
 	echo "https://github.com/nodemailer/zonemta-wildduck"