Diffstat (limited to 'net-misc/FORT-validator/files')
-rw-r--r--net-misc/FORT-validator/files/fort-confd15
-rw-r--r--net-misc/FORT-validator/files/fort-config.json10
-rw-r--r--net-misc/FORT-validator/files/fort-initd26
-rw-r--r--net-misc/FORT-validator/files/fort.service35
4 files changed, 86 insertions, 0 deletions
diff --git a/net-misc/FORT-validator/files/fort-confd b/net-misc/FORT-validator/files/fort-confd
new file mode 100644
index 00000000..92936757
--- /dev/null
+++ b/net-misc/FORT-validator/files/fort-confd
@@ -0,0 +1,15 @@
+# /etc/init.d/fort
+
+# Options to pass to the fort process
+# See man fort for options
+
+# If you want to use commands arguments instead of the configuration file and
+# not the default TAL directory, please remove the comment for FORT_BASEDIR as
+# well
+
+#FORT_BASEDIR="/var/lib/fort/"
+#FORT_OPTS="--tal /usr/share/fort/tal/ \
+# --local-repository ${FORT_BASEDIR}
+# --log.output syslog
+# --server.address ::"
+FORT_OPTS="--configuration-file /etc/fort/config.json"
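Review bot: The header comment on the first line names `/etc/init.d/fort`, but this file holds the service's settings rather than the init script; assuming it is installed as the conf.d file, the header should read `# /etc/conf.d/fort`. The commented `FORT_OPTS` example is inconsistent: only the `--tal` line ends in a continuation backslash, and "commands arguments" should read "command-line arguments". The example `FORT_BASEDIR="/var/lib/fort/"` also differs from the `/var/cache/fort/repository/` path used in fort-config.json and as the init script's fallback, so a one-line comment saying which location the package expects would spare operators from guessing.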
diff --git a/net-misc/FORT-validator/files/fort-config.json b/net-misc/FORT-validator/files/fort-config.json
new file mode 100644
index 00000000..b3d5fecd
--- /dev/null
+++ b/net-misc/FORT-validator/files/fort-config.json
@@ -0,0 +1,10 @@
+{
+ "tal": "/usr/share/fort/tal/",
+ "local-repository": "/var/cache/fort/repository/",
+ "server": {
+ "address": "::"
+ },
+ "log": {
+ "output": "syslog"
+ }
+}
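Review bot: `"address": "::"` makes the packaged default listen on every interface, and the commented `--server.address ::` example in fort-confd repeats the same choice. If, as the FORT documentation describes, this is the RTR listener, it is normally plain TCP with no authentication, and the package cannot know how the host is firewalled. Consider shipping `"address": "::1"` so that exposing the service to routers is an explicit operator decision. JSON has no comment syntax, so the explanation belongs in fort-confd or the ebuild's post-install message.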
diff --git a/net-misc/FORT-validator/files/fort-initd b/net-misc/FORT-validator/files/fort-initd
new file mode 100644
index 00000000..25e6b309
--- /dev/null
+++ b/net-misc/FORT-validator/files/fort-initd
@@ -0,0 +1,26 @@
+#!/sbin/openrc-run
+# Copyright 2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+name="fort validator daemon"
+description="FORT validator is an open source RPKI validator."
+command=/usr/bin/fort
+command_args="${FORT_OPTS}"
+command_user="fort"
+pidfile="/run/${RC_SVCNAME}.pid"
+command_background=true
+
+depend() {
+ need net
+}
+
+start_pre() {
+ if [ -z "${FORT_BASEDIR}" ]; then
+ FORT_BASEDIR=$(awk -F '"' '/local-repository/ { print $4 }' \
+ /etc/fort/config.json)
+ FORT_BASEDIR="${FORT_BASEDIR:-/var/cache/fort/repository/}"
+ fi
+
+ checkpath -d -m 0755 -o fort:fort "$(dirname "${FORT_BASEDIR}")"
+ checkpath -d -m 0755 -o fort:fort "${FORT_BASEDIR}"
+}
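Review bot: The first `checkpath` in `start_pre` gives `fort:fort` ownership to whatever `dirname "${FORT_BASEDIR}"` returns, and that value is operator- or config-controlled. With the `FORT_BASEDIR="/var/lib/fort/"` example from fort-confd uncommented, `dirname` yields `/var/lib`, so a system directory would be handed to the unprivileged service user; a `local-repository` such as `/srv/rpki` in config.json has the same effect on `/srv`. Restrict the parent handling to the package's own directory, e.g. `[ "${FORT_BASEDIR%/}" = /var/cache/fort/repository ] && checkpath -d -m 0755 -o fort:fort /var/cache/fort`, and keep only the `checkpath` on `${FORT_BASEDIR}` itself for custom paths. Separately, the `awk` pattern prints one line for every line containing `local-repository`, so it is worth stopping after the first match (`{ print $4; exit }`).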
diff --git a/net-misc/FORT-validator/files/fort.service b/net-misc/FORT-validator/files/fort.service
new file mode 100644
index 00000000..4f24f8d1
--- /dev/null
+++ b/net-misc/FORT-validator/files/fort.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=FORT RPKI validator
+Documentation=man:fort(8)
+Documentation=https://nicmx.github.io/FORT-validator/
+
+[Service]
+ExecStart=/usr/bin/fort --configuration-file /etc/fort/config.json
+Type=simple
+User=fort
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectSystem=strict
+ProtectHome=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+CacheDirectory=fort
+ReadWritePaths=/var/lib/fort/
+ConfigurationDirectory=fort
+ConfigurationDirectory=tals
+StateDirectory=fort
+NoNewPrivileges=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
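Review bot: `ConfigurationDirectory=tals` makes systemd create `/etc/tals` if it is missing, yet nothing in this commit reads from it: the shipped config.json points `tal` at `/usr/share/fort/tal/`. Unless another part of the package uses that directory, drop the line so the unit does not leave a stray directory in `/etc`. `ReadWritePaths=/var/lib/fort/` is likewise redundant, because `StateDirectory=fort` already creates that path and keeps it writable under `ProtectSystem=strict`. The repository location in config.json sits under `/var/cache/fort`, which `CacheDirectory=fort` covers, so removing both lines should not change what the daemon can write.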