initial commit

remote/authorized_keys

@@ -0,0 +1 @@
+command="/usr/local/bin/ssl-update.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORHtLf6y6rF7EQ9UdPhILDUOLybxffwjyHzxsmOk735 autofirewall

remote/ssl-update.sh

@@ -0,0 +1,55 @@
+#!/bin/ksh
+# install to /usr/local/bin on firewall
+# OpenBSD pdksh
+
+hostname_file='/etc/myname'
+
+if [ "$(id -u)" -ne 0 ]; then
+  printf 'Must be run as root.\n' >&2
+  exit 1
+fi
+if [ ! -f "$hostname_file" ]; then
+  printf 'No hostname file. Is this the right server?\n' >&2
+  exit 1
+fi
+if [ "$(<"$hostname_file")" != 'danknasty' ]; then
+  printf 'Only designed to be run on danknasty.\n' >&2
+  exit 1
+fi
+
+fw_config="/etc/pf_${ssl_service}.conf"
+
+if [ ! -f "$fw_config" ]; then
+  printf 'No firewall config found for %s at %s.\n' "$ssl_service" "$fw_config" >&2
+  exit 1
+fi
+
+printf 'Setting "%s" for "%s".\n' "$state" "$ssl_service"
+printf 'Firewall config: "%s"\n' "$fw_config"
+
+if [ "$state" == 'HTTP_UP' ]; then
+  printf 'Removing comment\n'
+  sed -i 's/^# pass/pass/' "$fw_config"
+  if [ $? != 0 ]; then
+    printf 'Failed to configure %s http port up.\n' "$ssl_service" >&2
+    exit 1
+  fi
+elif [ "$state" == 'HTTP_DOWN' ]; then
+  printf 'Adding comment\n'
+  sed -i 's/^pass/# pass/' "$fw_config"
+  if [ $? != 0 ]; then
+    printf 'Failed to configure %s http port down.\n' "$ssl_service" >&2
+    exit 1
+  fi
+else
+  printf 'Invalid state: %s.\n' "$state" >&2
+  exit 1
+fi
+
+/usr/local/bin/pfhup
+if [ $? != 0 ]; then
+  printf 'Failed to restart firewall. Check config immediately.\n' >&2
+  exit 1
+fi
+
+printf 'success\n'