#!/bin/sh
# PROVIDE: crowdsec
# BEFORE: crowdsec_firewall
# REQUIRE: LOGIN DAEMON NETWORKING
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service:
#
# crowdsec_enable (bool): Set it to YES to enable crowdsec agent.
# Default is "NO".
# crowdsec_config (str): Set the agent config path.
# Default is "%%PREFIX%%/etc/crowdsec/config.yaml".
# crowdsec_machine_name (str): Name for the crowdsec instance when it's running its own lapi.
# Default is "localhost".
# crowdsec_flags (str): Set the extra flags to run the agent.
# Default is ""
# Pull in the rc.subr framework; it provides load_rc_config and run_rc_command.
. /etc/rc.subr
name=crowdsec
desc="Crowdsec Agent"
rcvar=crowdsec_enable
# Read the rc.conf settings for this service before the defaults below are applied.
load_rc_config "$name"
# Defaults: ":=" assigns only when the variable is unset or empty.
: "${crowdsec_enable:=NO}"
: "${crowdsec_config:=%%PREFIX%%/etc/crowdsec/config.yaml}"
: "${crowdsec_machine_name:=localhost}"
# NOTE(review): crowdsec_flags is expanded unquoted in crowdsec_start, so its
# value is word-split into separate arguments of the agent command line.
: "${crowdsec_flags:=}"
pidfile=/var/run/${name}.pid
# rc.subr checks that these files are readable before it starts the service.
required_files="$crowdsec_config"
command="%%PREFIX%%/bin/${name}"
# Custom handlers defined further down in this file.
start_cmd="${name}_start"
stop_cmd="${name}_stop"
start_precmd="${name}_precmd"
configtest_cmd="${name}_configtest"
# NOTE(review): "reload" is advertised here but no reload_cmd is set in this
# file; presumably rc.subr's default reload handler is relied on. Confirm.
extra_commands="configtest reload"
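# Pre-start hook: best-effort bootstrap of the hub inventory, the local API
# machine, the central API registration and the freebsd collection.
# Globals:   name, crowdsec_config, crowdsec_machine_name (read);
#            HUB_DIR, CONFIG_DIR (written)
# Outputs:   progress messages on stdout, warnings on stderr
# Returns:   0; every cscli step is best-effort ("|| :"), so a failed
#            bootstrap step does not block the service start.
crowdsec_precmd() {
    # Run cscli against the configured agent config file.
    cs_cli() {
        "%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@"
    }

    # Print one key of the effective configuration, e.g. "Config ConfigPaths.HubDir".
    Config() {
        cs_cli config show --key "Config.$1"
    }

    HUB_DIR=$(Config ConfigPaths.HubDir)
    if [ -z "$HUB_DIR" ]; then
        # An empty value would turn the glob below into "/*", which always
        # matches and would make an empty hub look populated.
        echo "${name}: could not read ConfigPaths.HubDir, skipping hub inventory check" >&2
    elif ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then
        echo "Fetching hub inventory"
        cs_cli hub update || :
    fi

    CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
    if [ -z "$CONFIG_DIR" ]; then
        # Without the directory the file checks below would look at paths
        # directly under "/", so the steps that depend on it are skipped.
        echo "${name}: could not read ConfigPaths.ConfigDir, skipping CAPI and collection checks" >&2
    fi

    # Is the LAPI enabled on this node? Any answer other than the literal
    # "false" (including an empty one when cscli fails) counts as enabled.
    if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then
        # There are no machines, we create the main one
        if [ "$(cs_cli machines list -o json)" = "[]" ]; then
            echo "Registering LAPI"
            cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || :
        fi

        # Register to the central server to receive the community blocklist and more
        if [ -n "$CONFIG_DIR" ] && [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
            echo "Registering CAPI"
            cs_cli capi register || :
        fi
    fi

    # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet.
    # cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \
    # cs_cli collections install crowdsecurity/freebsd || :
    # So we just check for the file
    if [ -n "$CONFIG_DIR" ] && [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then
        cs_cli collections install crowdsecurity/freebsd || :
    fi
}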
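# Stop the agent recorded in $pidfile: send SIGTERM, wait up to 20 seconds,
# then fall back to SIGKILL.
# Globals:   name, pidfile (read); pid, i (written)
# Outputs:   status messages on stdout, a warning on stderr for a bad pidfile
# Returns:   0
crowdsec_stop()
{
    if [ ! -f "$pidfile" ]; then
        echo "${name} is not running."
        return
    fi

    pid=$(cat "$pidfile")

    # Only a plain positive integer may reach kill(1): an empty, zero or
    # non-numeric value would address a process group or be parsed as an
    # option instead of naming the agent process.
    case "$pid" in
        '' | 0* | *[!0-9]*)
            echo "${name}: ignoring invalid pid in ${pidfile}" >&2
            echo "${name} is not running."
            return
            ;;
    esac

    # NOTE(review): the pid is trusted as read from the pidfile; nothing here
    # verifies that it still belongs to the crowdsec process.
    if kill -0 "$pid" >/dev/null 2>&1; then
        echo "Stopping ${name}."
        kill -s TERM "$pid" >/dev/null 2>&1

        # Poll once per second, for at most 20 seconds, for the process to exit.
        i=0
        while [ "$i" -lt 20 ]; do
            sleep 1
            if ! kill -0 "$pid" >/dev/null 2>&1; then
                rm -f "$pidfile"
                return
            fi
            i=$((i + 1))
        done

        echo "Timeout, terminating ${name} with SIGKILL."
        kill -s KILL "$pid" >/dev/null 2>&1
        rm -f "$pidfile"
    else
        echo "${name} is not running."
    fi
}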
# Launch the agent under daemon(8), which detaches it, records the child pid
# in $pidfile and sets the process title to $desc.
# Globals:   command, crowdsec_config, crowdsec_flags, pidfile, desc (read)
# Returns:   the exit status of daemon(8)
crowdsec_start()
{
    # Build the agent command line first. crowdsec_flags is left unquoted on
    # purpose so that it splits into separate arguments.
    # shellcheck disable=SC2086
    set -- "$command" -c "$crowdsec_config" ${crowdsec_flags}

    /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- "$@"
}
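# Run the agent in test mode (-t) against the configured file and report
# the outcome.
# Globals:   name, command, crowdsec_config (read)
# Outputs:   progress on stdout, a failure message on stderr
# Returns:   0 when the configuration test passes, 1 otherwise, so that
#            callers of "configtest" can rely on the exit status.
crowdsec_configtest()
{
    echo "Performing sanity check on ${name} configuration."
    if "$command" -c "$crowdsec_config" -t -error; then
        echo "Configuration test OK"
        return 0
    fi
    # A bare "if" without "else" would return 0 here and hide the failure.
    echo "Configuration test failed" >&2
    return 1
}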
# Hand the requested action (the script's first argument) to rc.subr, which
# dispatches to the *_cmd handlers configured above.
run_rc_command "$1"