-rw-r--r-- | rpkid/Makefile.in | 23 | ||||
-rw-r--r-- | rpkid/examples/rpki.conf | 366 | ||||
-rw-r--r-- | rpkid/rpki-confgen.py | 9 | ||||
-rw-r--r-- | rpkid/rpki-confgen.xml | 48 |
4 files changed, 67 insertions, 379 deletions
diff --git a/rpkid/Makefile.in b/rpkid/Makefile.in
index 763c8ba8..aa47ab72 100644
--- a/rpkid/Makefile.in
+++ b/rpkid/Makefile.in
@@ -199,19 +199,28 @@ distclean:: clean docclean
 all install clean test distclean deinstall uninstall::
 @for i in ${SUBDIRS}; do echo "Making $@ in $$i"; (cd $$i && ${MAKE} $@); done
-all:: rpki.conf.sample
+all:: examples/rpki.conf
-rpki.conf.sample:
- sed -e 's=@HANDLE@='`hostname | sed 's=[.]=_=g'`'=' \
- -e 's=@DATAROOTDIR@=${datarootdir}=' \
- examples/rpki.conf >$@
+# Source: http://blog.leosoto.com/2008/04/django-secretkey-generation.html
+
+GENERATE_DJANGO_SECRET_KEY = ${PYTHON} -c 'import random, string; print "".join(random.choice(string.uppercase + string.lowercase + string.digits) for _ in xrange(50))'
+
+examples/rpki.conf: rpki/autoconf.py rpki-confgen.py rpki-confgen.xml
+ ${PYTHON} rpki-confgen.py \
+ --read-xml rpki-confgen.xml \
+ --autoconf \
+ --set myrpki::handle=`hostname -f | sed 's/[.]/_/g'` \
+ --set myrpki::rpkid_server_host=`hostname -f` \
+ --set myrpki::pubd_server_host=`hostname -f` \
+ --set web_portal::django-secret-key=`${GENERATE_DJANGO_SECRET_KEY}` \
+ --write-conf $@
 install::
- ${INSTALL} rpki.conf.sample ${DESTDIR}${sysconfdir}/rpki.conf.sample
+ ${INSTALL} examples/rpki.conf ${DESTDIR}${sysconfdir}/rpki.conf.sample
 ${INSTALL} -d ${DESTDIR}${datarootdir}/rpki/publication
 clean::
- rm -f rpki.conf.sample
+ rm -f examples/rpki.conf
 # Scripts
diff --git a/rpkid/examples/rpki.conf b/rpkid/examples/rpki.conf
deleted file mode 100644
index 04e22369..00000000
--- a/rpkid/examples/rpki.conf
+++ /dev/null
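Review bot: `GENERATE_DJANGO_SECRET_KEY` draws the Django secret from Python's default `random` module, which is a seeded Mersenne Twister rather than a cryptographic generator, so the 50-character key is considerably less unpredictable than its length suggests; the one-token fix is `random.SystemRandom().choice(string.uppercase + string.lowercase + string.digits)`, which reads from the OS entropy source and exists in Python 2.4 and later. The `examples/rpki.conf` recipe is also not `@`-silenced, so the fully expanded command line, secret included, is echoed into the build log, and that same secret is then installed as `${sysconfdir}/rpki.conf.sample`, a sample file rather than a per-site configuration. Consider silencing the recipe with `@` and, longer term, generating the key at deployment time instead of at build time so each installed portal gets its own value. The hunk's blank context lines and recipe tabs did not survive the page rendering, so the line layout above is reconstructed from the diff markers.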
@@ -1,366 +0,0 @@ -################################################################ -# -# $Id$ -# -# Config file for myrpki.py and RPKI daemons. -# -# NB: This config file is read both by Python code and also by the -# OpenSSL command line tool (running under mypki), so syntax must -# remain compatable with both parsers, and there's a big chunk of -# OpenSSL voodoo towards the end of this file. -# -################################################################ - -[myrpki] - -# Handle naming hosted resource-holding entity (<self/>) represented -# by this myrpki instance. Syntax is an identifier (ASCII letters, -# digits, hyphen, underscore -- no whitespace, non-ASCII characters, -# or other punctuation). You need to set this. - -handle = @HANDLE@ - -# Directory for BPKI files generated by rpkic and used by rpkid and pubd. -# Default is where we expect autoconf to decide that our data files -# belong, you might want or need to change this. In the long term -# this should be handled by a setup wizard. - -bpki_servers_directory = @DATAROOTDIR@/rpki - -# Whether you want to run your own copy of rpkid (and irdbd). You -# want this on unless somebody else is hosting rpkid service for you. - -run_rpkid = true - -# DNS hostname and server port numbers for rpkid and irdbd, if you're -# running them. rpkid's server host has to be a publicly reachable -# name to be useful; irdbd's server host should always be localhost -# unless you really know what you are doing. Port numbers can be any -# legal TCP port number that you're not using for something else. - -rpkid_server_host = rpkid.example.org -rpkid_server_port = 4404 -irdbd_server_host = localhost -irdbd_server_port = 4403 - -# Whether you want to run your own copy of pubd. In general, it's -# best to use your parent's pubd if you can, to reduce the overall -# number of publication sites that relying parties need to check, so -# don't enable this unless you have a good reason. 
- -run_pubd = false - -# DNS hostname and server port number for pubd, if you're running it. -# Hostname has to be a publicly reachable name to be useful, port can -# be any legal TCP port number that you're not using for something -# else. - -pubd_server_host = pubd.example.org -pubd_server_port = 4402 - -# Contact information to include in offers of repository service. -# This only matters when we're running pubd. This should be a human -# readable string, perhaps containing an email address or URL. - -pubd_contact_info = repo-man@rpki.example.org - -# Whether you want to run your very own copy of rootd. Don't enable -# this unless you really know what you're doing. - -run_rootd = false - -# Server port number for rootd, if you're running it. This can be any -# legal TCP port number that you're not using for something else. - -rootd_server_host = localhost -rootd_server_port = 4401 - -# Root of local directory tree where pubd (and rootd, sigh) should -# write out published data. You need to configure this, and the -# configuration should match up with the directory where you point -# rsyncd. Neither pubd nor rsyncd much cares -where- you tell them to -# put this stuff, the important thing is that the rsync:// URIs in -# generated certificates match up with the published objects so that -# relying parties can find and verify rpkid's published outputs. - -publication_base_directory = @DATAROOTDIR@/rpki/publication -publication_root_cert_directory = ${myrpki::publication_base_directory}.root - -# rsyncd module name corresponding to publication_base_directory. -# This has to match the module you configured into rsyncd.conf. -# Leave this alone unless you have some need to change it. - -publication_rsync_module = rpki - -# rsyncd module name corresponding to publication_root_cert_directory. -# This has to match the module you configured into rsyncd.conf. -# Leave this alone unless you have some need to change it. 
- -publication_root_module = root - -# Hostname and optional port number for rsync:// URIs. In most cases -# this should just be the same value as pubd_server_host. - -publication_rsync_server = ${myrpki::pubd_server_host} - -# Startup control. These all default to the values of the -# corresponding run_* options, to keep things simple. The only case -# where you would want to change these is when you are running the -# back-end code on a different machine from one or more of the -# daemons, in which case you need finer control over which daemons to -# start on which machines. In such cases, "run_*" controls whether -# the back-end code is doing things to manage the daemon in question, -# while "start_*" controls whether rpki-start-servers attempts to -# start the daemon in question. - -start_rpkid = ${myrpki::run_rpkid} -start_irdbd = ${myrpki::run_rpkid} -start_pubd = ${myrpki::run_pubd} -start_rootd = ${myrpki::run_rootd} - -# SQL configuration. You can ignore this if you're not running any of -# the daemons yourself. - -# If you're comfortable with having all of the databases use the same -# MySQL username and password, set those values here. It's ok to -# leave the default username alone, but you should use a locally -# generated password either here or in the individual settings below. - -shared_sql_username = rpki -shared_sql_password = fnord - -# If you want different usernames and passwords for the separate SQL -# databases, enter those settings here; the shared_sql_* settings are -# only referenced here, so you can remove them entirely if you're -# setting everything in this block. 
- -rpkid_sql_database = rpkid -rpkid_sql_username = ${myrpki::shared_sql_username} -rpkid_sql_password = ${myrpki::shared_sql_password} - -irdbd_sql_database = irdbd -irdbd_sql_username = ${myrpki::shared_sql_username} -irdbd_sql_password = ${myrpki::shared_sql_password} - -pubd_sql_database = pubd -pubd_sql_username = ${myrpki::shared_sql_username} -pubd_sql_password = ${myrpki::shared_sql_password} - -# End of [myrpki] section - -################################################################# -# -# In theory it should not be necessary to modify anything below this -# point, at least not if you're within the boundaries of the -# simplified configuration that the myrpki tool is intended to -# support. If you do have to modify anything below this point, please -# report it. -# -################################################################# - -[rpkid] - -# MySQL database name, user name, and password for rpkid to use to -# store its data. - -sql-database = ${myrpki::rpkid_sql_database} -sql-username = ${myrpki::rpkid_sql_username} -sql-password = ${myrpki::rpkid_sql_password} - -# Host and port on which rpkid should listen for HTTP service -# requests. - -server-host = ${myrpki::rpkid_server_host} -server-port = ${myrpki::rpkid_server_port} - -# HTTP service URL rpkid should use to contact irdbd. If irdbd is -# running on the same machine as rpkid, this can and probably should -# be a loopback URL, since nobody but rpkid needs to talk to irdbd. - -irdb-url = http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/ - -# Where rpkid should look for BPKI certs and keys used in the -# left-right protocol. The following values match where myirbe.py -# will have placed things. Don't change these without a reason. 
- -bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer -rpkid-key = ${myrpki::bpki_servers_directory}/rpkid.key -rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer -irdb-cert = ${myrpki::bpki_servers_directory}/irdbd.cer -irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer - -################################################################# - -[irdbd] - -# MySQL database name, user name, and password for irdbd to use to -# store its data. - -sql-database = ${myrpki::irdbd_sql_database} -sql-username = ${myrpki::irdbd_sql_username} -sql-password = ${myrpki::irdbd_sql_password} - -# Host and port on which irdbd should listen for HTTP service -# requests. - -server-host = ${myrpki::irdbd_server_host} -server-port = ${myrpki::irdbd_server_port} - -# Where irdbd should look for BPKI certs and keys used in the -# left-right protocol. The following values match where myirbe.py -# will have placed things. Don't change these without a reason. - -bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer -rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer -irdbd-cert = ${myrpki::bpki_servers_directory}/irdbd.cer -irdbd-key = ${myrpki::bpki_servers_directory}/irdbd.key - -################################################################# - -[pubd] - -# MySQL database name, user name, and password for pubd to use to -# store (some of) its data. - -sql-database = ${myrpki::pubd_sql_database} -sql-username = ${myrpki::pubd_sql_username} -sql-password = ${myrpki::pubd_sql_password} - -# Root of directory tree where pubd should write out published data. -# You need to configure this, and the configuration should match up -# with the directory where you point rsyncd. Neither pubd nor rsyncd -# much cares -where- you tell them to put this stuff, the important -# thing is that the rsync:// URIs in generated certificates match up -# with the published objects so that relying parties can find and -# verify rpkid's published outputs. 
- -publication-base = ${myrpki::publication_base_directory} - -# Host and port on which pubd should listen for HTTP service -# requests. - -server-host = ${myrpki::pubd_server_host} -server-port = ${myrpki::pubd_server_port} - -# Where pubd should look for BPKI certs and keys used in the -# left-right protocol. The following values match where myirbe.py -# will have placed things. Don't change these without a reason. - -bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer -pubd-cert = ${myrpki::bpki_servers_directory}/pubd.cer -pubd-key = ${myrpki::bpki_servers_directory}/pubd.key -irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer - -################################################################# - -[rootd] - -# You don't need to run rootd unless you're IANA, are certifying -# private address space, or are an RIR which refuses to accept IANA as -# the root of the public address hierarchy. -# -# Ok, if that wasn't enough to scare you off: rootd is a kludge, and -# needs to be rewritten, or, better, merged into rpkid. It does a -# number of things wrong, and requires far too many configuration -# parameters. You have been warned.... - -# BPKI certificates and keys for rootd - -bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer -rootd-bpki-crl = ${myrpki::bpki_servers_directory}/ca.crl -rootd-bpki-cert = ${myrpki::bpki_servers_directory}/rootd.cer -rootd-bpki-key = ${myrpki::bpki_servers_directory}/rootd.key -child-bpki-cert = ${myrpki::bpki_servers_directory}/child.cer - -# Server host and port on which rootd should listen. - -server-host = ${myrpki::rootd_server_host} -server-port = ${myrpki::rootd_server_port} - -# Where rootd should write its output. Yes, rootd should be using -# pubd instead of publishing directly, but it doesn't. 
- -rpki-root-dir = ${myrpki::publication_base_directory} - -# rsync URI for directory containing rootd's outputs - -rpki-base-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/ - -# rsync URI for rootd's root (self-signed) RPKI certificate - -rpki-root-cert-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_root_module}/root.cer - -# Private key corresponding to rootd's root RPKI certificate - -rpki-root-key = ${myrpki::bpki_servers_directory}/root.key - -# Filename (as opposed to rsync URI) of rootd's root RPKI certificate - -rpki-root-cert = ${myrpki::publication_root_cert_directory}/root.cer - -# Where rootd should stash a copy of the PKCS #10 request it gets from -# its one (and only) child - -rpki-subject-pkcs10 = ${myrpki::bpki_servers_directory}/rootd.subject.pkcs10 - -# Lifetime of the one and only certificate rootd issues - -rpki-subject-lifetime = 30d - -# Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL -# for rootd's root RPKI certificate - -rpki-root-crl = root.crl - -# Filename (relative to rootd-base-uri and rpki-root-dir) of the -# manifest for rootd's root RPKI certificate - -rpki-root-manifest = root.mft - -# Up-down protocol class name for RPKI certificate rootd issues to its -# one (and only) child - -rpki-class-name = ${myrpki::handle} - -# Filename (relative to rootd-base-uri and rpki-root-dir) of the one -# (and only) RPKI certificate rootd issues - -rpki-subject-cert = ${myrpki::handle}.cer - -# The last four paramters in this section are really parameters for -# myirbe.py to use when constructing rootd's root RPKI certificate, -# via an indirection hack in the OpenSSL voodoo portion of this file. -# Don't ask why some of these are duplicated from other paramters in -# this section, you don't want to know (really, you don't). 
- -# ASNs to include in rootd's root RPKI certificate, in openssl.conf format - -root_cert_asns = AS:0-4294967295 - -# IP addresses to include in rootd's root RPKI certificate, in -# openssl.conf format - -root_cert_addrs = IPv4:0.0.0.0/0,IPv6:0::/0 - -# Whatever you put in rpki-base-uri, earlier in this section - -root_cert_sia = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/ - -# root_cert_sia + rpki-root-manifest - -root_cert_manifest = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.mft - -################################################################# - -# Glue to allow the django application to pull user configuration -# from this file rather than directly editing settings.py - -[web_portal] -sql-database = ${myrpki::irdbd_sql_database} -sql-username = ${myrpki::irdbd_sql_username} -sql-password = ${myrpki::irdbd_sql_password} - -################################################################# - -#[rpkic] -#autosync = false diff --git a/rpkid/rpki-confgen.py b/rpkid/rpki-confgen.py index 37987d5a..a2d4fbd1 100644 --- a/rpkid/rpki-confgen.py +++ b/rpkid/rpki-confgen.py @@ -78,7 +78,7 @@ class Section(object): THIS PAGE WAS GENERATED AUTOMATICALLY, DO NOT EDIT. Generated from ''' + ident + ''' -by $Id$ +by $Id$ }}} = ![''' + self.name + '''] section = @@ -141,7 +141,7 @@ for o, a in opts: elif o == "--autoconf": try: import rpki.autoconf - for option in section_map["autoconf"]: + for option in section_map["autoconf"].options: try: option.value = getattr(rpki.autoconf, option.name) except AttributeError: @@ -166,9 +166,10 @@ for o, a in opts: elif o == "--write-conf": with open(a, "w") as f: f.write('''\ -# Automatically generated. Edit if you like, but be careful of overwriting. +# Automatically generated. Edit as needed, but be careful of overwriting. +# # Generated from ''' + ident + ''' -# by $Id$ +# by $Id$ ''') width = max(s.width for s in sections) for section in sections: 
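Review bot: `section_map["autoconf"]` in the corrected `--autoconf` branch raises a bare `KeyError` when the XML loaded with `--read-xml` carries no `autoconf` section (that section is only introduced by this commit's rpki-confgen.xml change), so an older XML file fails with a traceback rather than a usage message. A guard before the loop such as `if "autoconf" not in section_map: sys.exit("--autoconf requires an autoconf section in the XML")` would make the dependency explicit, assuming `sys` is imported elsewhere in this script. The `.options` attribute is presumably the section's option list; that is inferred from the fix, not visible in the hunk. The enclosing `for o, a in opts:` loop starts and ends outside the hunk.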
diff --git a/rpkid/rpki-confgen.xml b/rpkid/rpki-confgen.xml index b5eda66c..135b94e2 100644 --- a/rpkid/rpki-confgen.xml +++ b/rpkid/rpki-confgen.xml @@ -15,7 +15,7 @@ </option> <option name = "bpki_servers_directory" - value = "@DATAROOTDIR@/rpki"> + value = "${autoconf::datarootdir}/rpki"> <doc> Directory for BPKI files generated by rpkic and used by rpkid and pubd. Default is where we expect autoconf to decide that our data files @@ -123,7 +123,7 @@ </option> <option name = "publication_base_directory" - value = "@DATAROOTDIR@/rpki/publication"> + value = "${autoconf::datarootdir}/rpki/publication"> <doc> Root of local directory tree where pubd should write out published data. You need to configure this, and the configuration should @@ -718,6 +718,50 @@ </doc> </option> + <option name = "django-secret-key" + value = ""> + <doc> + Site-specific secret key for Django. + </doc> + </option> + + </section> + + <section name = "autoconf"> + <doc> + rpki-confgen --autoconf records the current autoconf settings + here, so that other options can refer to them. The section name + "autoconf" is magic, don't change it. + </doc> + + <option name = "bindir" + value = "${bindir}"> + <doc> + Usually /usr/bin or /usr/local/bin. + </doc> + </option> + + <option name = "datarootdir" + value = "${datarootdir}"> + <doc> + Usually /usr/share or /usr/local/share. + </doc> + </option> + + <option name = "sbindir" + value = "${sbindir}"> + <doc> + Usually /usr/sbin or /usr/local/sbin. + </doc> + </option> + + <option name = "sysconfdir" + value = "${sysconfdir}"> + <doc> + Usually /etc or /usr/local/etc. + </doc> + </option> + </section> </configuration> |
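Review bot: The new `django-secret-key` option is declared with `value = ""`, so any invocation of rpki-confgen that does not pass `--set web_portal::django-secret-key=...` (the Makefile does, a hand-run of the tool does not) writes a configuration whose Django secret key is the empty string, which the web portal will presumably accept without complaint. The `<doc>` should state the requirement, e.g. `Site-specific secret key for Django. Must be a long, unpredictable value unique to this site; an empty key must not be used for a deployed portal.`, and the code that consumes this value should reject an empty string rather than start with it. The `autoconf` section's `<doc>` could also note that its `${bindir}`-style values are placeholders that `--autoconf` overwrites, since a reader of the XML alone cannot tell that from the markup.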