From 129913e55ff3ccd48d7fa68e24b11f2370f63f70 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Tue, 25 Jan 2011 05:19:14 +0000
Subject: Minimally-tested rcynic installation for Mac OS X

svn path=/rcynic/Makefile.in; revision=3660
---
rcynic/Makefile.in | 6 +-
rcynic/installation-scripts/darwin/RCynic/RCynic | 73 ++++++++
.../darwin/RCynic/StartupParameters.plist | 19 ++
rcynic/installation-scripts/darwin/install.sh | 193 +++++++++++++++++++++
rcynic/installation-scripts/deinstall.sh | 5 +
rcynic/installation-scripts/freebsd/install.sh | 151 ++++++++++++++++
rcynic/installation-scripts/freebsd/rc.d.rcynic | 71 ++++++++
rcynic/installation-scripts/install.sh | 16 ++
rcynic/installation-scripts/sample-rcynic.conf | 27 +++
rcynic/scripts/freebsd/install.sh | 151 ----------------
rcynic/scripts/freebsd/rc.d.rcynic | 71 --------
rcynic/scripts/install.sh | 19 --
rcynic/scripts/sample-rcynic.conf | 27 ---
13 files changed, 558 insertions(+), 271 deletions(-)
create mode 100755 rcynic/installation-scripts/darwin/RCynic/RCynic
create mode 100644 rcynic/installation-scripts/darwin/RCynic/StartupParameters.plist
create mode 100644 rcynic/installation-scripts/darwin/install.sh
create mode 100644 rcynic/installation-scripts/deinstall.sh
create mode 100644 rcynic/installation-scripts/freebsd/install.sh
create mode 100755 rcynic/installation-scripts/freebsd/rc.d.rcynic
create mode 100644 rcynic/installation-scripts/install.sh
create mode 100644 rcynic/installation-scripts/sample-rcynic.conf
delete mode 100644 rcynic/scripts/freebsd/install.sh
delete mode 100755 rcynic/scripts/freebsd/rc.d.rcynic
delete mode 100644 rcynic/scripts/install.sh
delete mode 100644 rcynic/scripts/sample-rcynic.conf
diff --git a/rcynic/Makefile.in b/rcynic/Makefile.in
index 8689f12d..55d0230c 100644
--- a/rcynic/Makefile.in
+++ b/rcynic/Makefile.in
@@ -26,11 +26,11 @@ ${BIN}: ${SRC} test: ${BIN} if test -r rcynic.conf; then ./${BIN} -j 0 && echo && ./show.sh; else echo No rcynic.conf, skipping test; fi -install: ${BIN} scripts/install.sh - cd scripts; . ./install.sh ${host_os} +install: ${BIN} installation-scripts/install.sh + cd installation-scripts; . ./install.sh ${host_os} uninstall deinstall: - @echo Sorry, automated deinstallation of rcynic not implemented yet + cd installation-scripts; . ./deinstall.sh ${host_os} doc:: doxygen diff --git a/rcynic/installation-scripts/darwin/RCynic/RCynic b/rcynic/installation-scripts/darwin/RCynic/RCynic new file mode 100755 index 00000000..8d77e549 --- /dev/null +++ b/rcynic/installation-scripts/darwin/RCynic/RCynic @@ -0,0 +1,73 @@ +#!/bin/sh - +# +# $Id$ +# +. /etc/rc.common + +name="rcynic" +start_cmd="rcynic_start" +stop_cmd="rcynic_stop" + +: ${rcynic_jaildir="/var/rcynic"} +: ${rcynic_user="rcynic"} +: ${rcynic_group="rcynic"} + +StartService() +{ + /bin/test -d "${rcynic_jaildir}" || /bin/mkdir "${rcynic_jaildir}" + /sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null + + /usr/sbin/mtree -deU -p "${rcynic_jaildir}" </dev/null +} + +RestartService() +{ + StartService +} + +RunService "$1" diff --git a/rcynic/installation-scripts/darwin/RCynic/StartupParameters.plist b/rcynic/installation-scripts/darwin/RCynic/StartupParameters.plist new file mode 100644 index 00000000..ca46b676 --- /dev/null +++ b/rcynic/installation-scripts/darwin/RCynic/StartupParameters.plist @@ -0,0 +1,19 @@ + + + + + Description + RCynic Setup + OrderPreference + None + Provides + + RCynic + + Uses + + Network + Resolver + + + diff --git a/rcynic/installation-scripts/darwin/install.sh b/rcynic/installation-scripts/darwin/install.sh new file mode 100644 index 00000000..dd0d3af2 --- /dev/null +++ b/rcynic/installation-scripts/darwin/install.sh 
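Review bot: In both the `install` and the `uninstall deinstall` recipes the `cd installation-scripts;` step is joined to the dot command with `;`, so a failed `cd` does not stop the recipe and the shell still tries to source `./install.sh` or `./deinstall.sh` from whatever directory it is in. These scripts install root-owned files, so the recipe is presumably run as root and should stop at the first failure: `cd installation-scripts && . ./deinstall.sh ${host_os}` (and the same for `install`). The `uninstall deinstall` rule also lists no prerequisite, whereas `install` depends on `installation-scripts/install.sh`; naming `installation-scripts/deinstall.sh` there would keep the two targets parallel.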
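Review bot: `name`, `start_cmd` and `stop_cmd` at the top of the new StartupItem script are rc.subr conventions carried over from the FreeBSD rc.d script; nothing in the visible part of this file reads them, and as far as I know `RunService` from /etc/rc.common dispatches only to `StartService`, `StopService` and `RestartService`. I would drop the three assignments or mark them with a comment such as `# unused on Mac OS X; kept to match freebsd/rc.d.rcynic`. In `StartService` the result of `/bin/mkdir "${rcynic_jaildir}"` is not checked before `umount` and `mtree` run against that path, so `/bin/test -d "${rcynic_jaildir}" || /bin/mkdir "${rcynic_jaildir}" || exit 1` would stop early when the jail root cannot be created. Part of this file's text is missing from the page as rendered, so a `StopService` definition may exist outside what is visible here.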
@@ -0,0 +1,193 @@
+#!/bin/sh -
+# $Id$
+#
+# Create a chroot jail for rcynic.
+#
+# This is approximately what a pkg-install script might do if this were
+# a FreeBSD port. Perhaps some day it will be.
+
+: ${jaildir="/var/rcynic"}
+: ${jailuser="rcynic"}
+: ${jailgroup="rcynic"}
+: ${jailname="RPKI Validation System"}
+: ${setupcron="YES"}
+
+echo "Setting up \"${jaildir}\" as a chroot jail for rcynic."
+
+if /usr/bin/dscl . -read "/Groups/${jailgroup}" >/dev/null 2>&1
+then
+ echo "You already have a group \"${jailgroup}\", so I will use it."
+elif gid="$(/usr/bin/dscl . -list /Groups PrimaryGroupID | /usr/bin/awk 'BEGIN {gid = 501} $2 >= gid {gid = 1 + $2} END {print gid}')" &&
+ /usr/bin/dscl . -create "/Groups/${jailgroup}" &&
+ /usr/bin/dscl . -create "/Groups/${jailgroup}" RealName "${jailname}" &&
+ /usr/bin/dscl . -create "/Groups/${jailgroup}" PrimaryGroupID "$gid" &&
+ /usr/bin/dscl . -create "/Groups/${jailgroup}" GeneratedUID "$(/usr/bin/uuidgen)" &&
+ /usr/bin/dscl . -create "/Groups/${jailgroup}" Password "*"
+then
+ echo "Added group \"${jailgroup}\"."
+else
+ echo "Adding group \"${jailgroup}\" failed..."
+ echo "Please create it, then try again."
+ exit 1
+fi
+
+if /usr/bin/dscl . -read "/Users/${jailuser}" >/dev/null 2>&1
+then
+ echo "You already have a user \"${jailuser}\", so I will use it."
+elif uid="$(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk 'BEGIN {uid = 501} $2 >= uid {uid = 1 + $2} END {print uid}')" &&
+ /usr/bin/dscl . -create "/Users/${jailuser}" &&
+ /usr/bin/dscl . -create "/Users/${jailuser}" UserShell "/usr/bin/false" &&
+ /usr/bin/dscl . -create "/Users/${jailuser}" RealName "${jailname}" &&
+ /usr/bin/dscl . -create "/Users/${jailuser}" UniqueID "$uid" &&
+ /usr/bin/dscl . -create "/Users/${jailuser}" PrimaryGroupID "$gid" &&
+ /usr/bin/dscl . -create "/Users/${jailuser}" NFSHomeDirectory "/var/empty" &&
+ /usr/bin/dscl . -create "/Users/${jailuser}" GeneratedUID "$(/usr/bin/uuidgen)" &&
+ /usr/bin/dscl . -create "/Users/${jailuser}" Password "*"
+then
+ echo "Added user \"${jailuser}\"."
+else
+ echo "Adding user \"${jailuser}\" failed..."
+ echo "Please create it, then try again."
+ exit 1
+fi
+
+if ! /bin/test -d "${jaildir}"; then
+ /bin/mkdir "${jaildir}"
+fi
+
+if /usr/bin/install -o root -g wheel -d /Library/StartupItems/RCynic &&
+ /usr/bin/install -o root -g wheel -m 555 RCynic/RCynic RCynic/StartupParameters.plist /Library/StartupItems/RCynic; then
+ echo "Installed /Library/StartupItems/RCynic"
+else
+ echo "Installing /Library/StartupItems/RCynic failed"
+ exit 1
+fi
+
+echo "Running /Library/StartupItems/RCynic/RCynic to set up directories"
+
+if ! rcynic_jaildir="$jaildir" rcynic_user="$jailuser" rcynic_group="$jailgroup" /Library/StartupItems/RCynic/RCynic start; then
+ echo "Directory setup failed"
+ exit 1
+fi
+
+if /bin/test -r "$jaildir/etc/rcynic.conf"; then
+ echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it."
+elif /usr/bin/install -m 444 -o root -g wheel -p ../sample-rcynic.conf "${jaildir}/etc/rcynic.conf"; then
+ echo "Installed minimal ${jaildir}/etc/rcynic.conf, adding SAMPLE trust anchors"
+ for i in ../../sample-trust-anchors/*.tal; do
+ j="$jaildir/etc/trust-anchors/${i##*/}"
+ /bin/test -r "$i" || continue
+ /bin/test -r "$j" && continue
+ echo "Installing $i as $j"
+ /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j"
+ done
+ j=1
+ for i in $jaildir/etc/trust-anchors/*.tal; do
+ echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor-locator.$j = /etc/trust-anchors/${i##*/}"
+ j=$((j+1))
+ done
+else
+ echo "Installing minimal ${jaildir}/etc/rcynic.conf failed"
+ exit 1
+fi
+
+echo "Installing rcynic as ${jaildir}/bin/rcynic"
+
+/usr/bin/install -m 555 -o root -g wheel -p ../../rcynic "${jaildir}/bin/rcynic"
+
+if /bin/test -x "$jaildir/bin/rsync"; then
+ echo "You already have an executable \"$jaildir/bin/rsync\", so I will use it"
+elif /usr/bin/install -m 555 -o root -g wheel -p /usr/bin/rsync
"${jaildir}/bin/rsync"; then + echo "Installed ${jaildir}/bin/rsync" +else + echo "Installing ${jaildir}/bin/rsync failed" + exit 1 +fi + +echo "Copying required shared libraries" + +shared_libraries="${jaildir}/bin/rcynic ${jaildir}/bin/rsync" +while true +do + closure="$(/usr/bin/otool -L ${shared_libraries} | /usr/bin/awk '/:$/ {next} {print $1}' | /usr/bin/sort -u)" + if test "x$shared_libraries" = "x$closure" + then + break + else + shared_libraries="$closure" + fi +done + +for shared in /usr/lib/dyld $shared_libraries +do + if /bin/test -r "${jaildir}/${shared}" + then + echo "You already have a \"${jaildir}/${shared}\", so I will use it" + elif /usr/bin/install -m 555 -o root -g wheel -p "${shared}" "${jaildir}/${shared}" + then + echo "Copied ${shared} into ${jaildir}" + else + echo "Unable to copy ${shared} into ${jaildir}" + exit 1 + fi +done + +if /usr/bin/install -m 444 -o root -g wheel -p ../../rcynic.xsl "${jaildir}/etc/rcynic.xsl"; then + echo "Installed rcynic.xsl as \"${jaildir}/etc/rcynic.xsl\"" +else + echo "Installing rcynic.xsl failed" + exit 1 +fi + +echo "Setting up root's crontab to run jailed rcynic" + +case "$setupcron" in +YES|yes) + /usr/bin/crontab -l -u root 2>/dev/null | + /usr/bin/awk -v "jailuser=$jailuser" -v "jailgroup=$jailgroup" -v "jaildir=$jaildir" ' + BEGIN { + cmd = "exec /usr/sbin/chroot -u " jailuser " -g " jailgroup " " jaildir; + cmd = cmd " /bin/rcynic -c /etc/rcynic.conf"; + } + $0 !~ cmd { + print; + } + END { + "/usr/bin/hexdump -n 2 -e \"\\\"%u\\\\\\n\\\"\" /dev/random" | getline; + printf "%u * * * *\t%s\n", $1 % 60, cmd; + }' | + /usr/bin/crontab -u root - + /bin/cat </dev/null; then + echo "You already have a group \"${jailgroup}\", so I will use it." +elif /usr/sbin/pw groupadd ${jailgroup}; then + echo "Added group \"${jailgroup}\"." +else + echo "Adding group \"${jailgroup}\" failed..." + echo "Please create it, then try again." 
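Review bot: `gid` is assigned only inside the `elif` branch that creates the group, so when the group already exists ("so I will use it") but the user does not, the later `-create "/Users/${jailuser}" PrimaryGroupID "$gid"` is handed an empty string. Looking the id up in the first branch closes the gap, for example `gid="$(/usr/bin/dscl . -read "/Groups/${jailgroup}" PrimaryGroupID | /usr/bin/awk '{print $2}')"`, and the user branch should refuse to continue when `$gid` is empty. Separately, the second loop `for i in $jaildir/etc/trust-anchors/*.tal` lacks the `/bin/test -r "$i" || continue` guard the first loop has, so with no matching files the literal `*.tal` pattern is appended to rcynic.conf as a trust-anchor-locator; the same loop appears in freebsd/install.sh. Since cron later runs rcynic under this user and group via `chroot -u ... -g ...`, both cases are better reported as an installation failure than left as a half-configured jail.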
+ exit 1
+fi
+
+if /usr/sbin/pw usershow "${jailuser}" 2>/dev/null; then
+ echo "You already have a user \"${jailuser}\", so I will use it."
+elif /usr/sbin/pw useradd ${jailuser} -g ${jailgroup} -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI validation system"; then
+ echo "Added user \"${jailuser}\"."
+else
+ echo "Adding user \"${jailuser}\" failed..."
+ echo "Please create it, then try again."
+ exit 1
+fi
+
+if ! /bin/test -d "${jaildir}"; then
+ /bin/mkdir "${jaildir}"
+fi
+
+if /usr/bin/install -m 555 -o root -g wheel -p rc.d.rcynic /usr/local/etc/rc.d/rcynic; then
+ echo "Installed rc.d.rcynic as /usr/local/etc/rc.d/rcynic"
+else
+ echo "Installing /usr/local/etc/rc.d/rcynic failed"
+ exit 1
+fi
+
+echo "Running /usr/local/etc/rc.d/rcynic to set up directories"
+
+if ! rcynic_jaildir="$jaildir" rcynic_user="$jailuser" rcynic_group="$jailgroup" /bin/sh /usr/local/etc/rc.d/rcynic start; then
+ echo "Directory setup failed"
+ exit 1
+fi
+
+if /bin/test -r "$jaildir/etc/rcynic.conf"; then
+ echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it."
+elif /usr/bin/install -m 444 -o root -g wheel -p ../sample-rcynic.conf "${jaildir}/etc/rcynic.conf"; then
+ echo "Installed minimal ${jaildir}/etc/rcynic.conf, adding SAMPLE trust anchors"
+ for i in ../../sample-trust-anchors/*.tal; do
+ j="$jaildir/etc/trust-anchors/${i##*/}"
+ /bin/test -r "$i" || continue
+ /bin/test -r "$j" && continue
+ echo "Installing $i as $j"
+ /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j"
+ done
+ j=1
+ for i in $jaildir/etc/trust-anchors/*.tal; do
+ echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor-locator.$j = /etc/trust-anchors/${i##*/}"
+ j=$((j+1))
+ done
+else
+ echo "Installing minimal ${jaildir}/etc/rcynic.conf failed"
+ exit 1
+fi
+
+echo "Installing rcynic as ${jaildir}/bin/rcynic"
+
+/usr/bin/install -m 555 -o root -g wheel -p ../../rcynic "${jaildir}/bin/rcynic"
+
+if /bin/test ! -x "$jaildir/bin/rsync" -a !
-x ../../static-rsync/rsync; then + echo "Building static rsync for jail, this may take a little while" + (cd ../../static-rsync && exec make) +fi + +if /bin/test -x "$jaildir/bin/rsync"; then + echo "You already have an executable \"$jaildir/bin/rsync\", so I will use it" +elif /usr/bin/install -m 555 -o root -g wheel -p ../../static-rsync/rsync "${jaildir}/bin/rsync"; then + echo "Installed static rsync as \"${jaildir}/bin/rsync\"" +else + echo "Installing static rsync failed" + exit 1 +fi + +if /usr/bin/install -m 444 -o root -g wheel -p ../../rcynic.xsl "${jaildir}/etc/rcynic.xsl"; then + echo "Installed rcynic.xsl as \"${jaildir}/etc/rcynic.xsl\"" +else + echo "Installing rcynic.xsl failed" + exit 1 +fi + +echo "Setting up root's crontab to run jailed rcynic" + +case "$setupcron" in +YES|yes) + /usr/bin/crontab -l -u root 2>/dev/null | + /usr/bin/awk -v "jailuser=$jailuser" -v "jailgroup=$jailgroup" -v "jaildir=$jaildir" ' + BEGIN { + cmd = "exec /usr/sbin/chroot -u " jailuser " -g " jailgroup " " jaildir; + cmd = cmd " /bin/rcynic -c /etc/rcynic.conf"; + } + $0 !~ cmd { + print; + } + END { + "/usr/bin/hexdump -n 2 -e \"\\\"%u\\\\\\n\\\"\" /dev/random" | getline; + printf "%u * * * *\t%s\n", $1 % 60, cmd; + }' | + /usr/bin/crontab -u root - + /bin/cat </dev/null + + /usr/sbin/mtree -deU -p "${rcynic_jaildir}" </dev/null +} + +load_rc_config $name +run_rc_command "$1" diff --git a/rcynic/installation-scripts/install.sh b/rcynic/installation-scripts/install.sh new file mode 100644 index 00000000..e2c20406 --- /dev/null +++ b/rcynic/installation-scripts/install.sh @@ -0,0 +1,16 @@ +#!/bin/sh - +# $Id$ + +set -e + +case "$1" in + +freebsd*) cd freebsd; . install.sh;; + +darwin*) cd darwin; . install.sh;; + +# linux*) cd linux; . install.sh;; + +*) echo 1>&2 "Don't know how to install rcynic jail on platform $uname" + exit 1;; +esac 
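Review bot: `. install.sh` after `cd freebsd` / `cd darwin` names the file without a slash, and POSIX `.` resolves slash-less names through `PATH` rather than the current directory, so an unrelated `install.sh` earlier on `PATH` could be sourced instead, in a script that goes on to create accounts and install root-owned files. The Makefile already uses the explicit form, so `freebsd*) cd freebsd; . ./install.sh;;` and `darwin*) cd darwin; . ./install.sh;;` would be consistent with it. The fallback message also expands `$uname`, which is not set anywhere in this file; the value being matched is `$1`, so ending the message with `on platform $1` would print what was actually rejected.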
diff --git a/rcynic/installation-scripts/sample-rcynic.conf b/rcynic/installation-scripts/sample-rcynic.conf
new file mode 100644
index 00000000..6e464e7e
--- /dev/null
+++ b/rcynic/installation-scripts/sample-rcynic.conf
@@ -0,0 +1,27 @@
+# $Id$
+#
+# Sample rcynic configuration file for FreeBSD jailed environment
+
+[rcynic]
+rsync-program = /bin/rsync
+authenticated = /data/authenticated
+old-authenticated = /data/authenticated.old
+unauthenticated = /data/unauthenticated
+lockfile = /data/lock
+jitter = 600
+use-syslog = true
+log-level = log_usage_err
+
+# You need to specify some trust anchors here, eg:
+
+#trust-anchor.1 = /etc/trust-anchors/ta-1.cer
+#trust-anchor.2 = /etc/trust-anchors/ta-2.cer
+
+# or, using the "Trust Anchor Locator" form:
+
+#trust-anchor-locator.1 = /etc/trust-anchors/ta-1.tal
+#trust-anchor-locator.2 = /etc/trust-anchors/ta-2.tal
+
+# The choice between these two formats depends largely on the policies
+# of the entity generating the corresponding trust anchor, ie, will
+# probably be made for you by the generating entity.
diff --git a/rcynic/scripts/freebsd/install.sh b/rcynic/scripts/freebsd/install.sh
deleted file mode 100644
index 2b3d1f4b..00000000
--- a/rcynic/scripts/freebsd/install.sh
+++ /dev/null
@@ -1,151 +0,0 @@ -#!/bin/sh - -# $Id$ -# -# Create a chroot jail for rcynic. -# -# This is approximately what a pkg-install script might do if this were -# a FreeBSD port. Perhaps some day it will be. - -: ${jaildir="/var/rcynic"} -: ${jailuser="rcynic"} -: ${jailgroup="rcynic"} -: ${setupcron="NO"} - -echo "Setting up \"${jaildir}\" as a chroot jail for rcynic." - -if /usr/sbin/pw groupshow "${jailgroup}" 2>/dev/null; then - echo "You already have a group \"${jailgroup}\", so I will use it." -elif /usr/sbin/pw groupadd ${jailgroup}; then - echo "Added group \"${jailgroup}\"." -else - echo "Adding group \"${jailgroup}\" failed..." - echo "Please create it, then try again." - exit 1 -fi - -if /usr/sbin/pw usershow "${jailuser}" 2>/dev/null; then - echo "You already have a user \"${jailuser}\", so I will use it." -elif /usr/sbin/pw useradd ${jailuser} -g ${jailgroup} -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI validation system"; then - echo "Added user \"${jailuser}\"." -else - echo "Adding user \"${jailuser}\" failed..." - echo "Please create it, then try again." - exit 1 -fi - -if ! /bin/test -d "${jaildir}"; then - /bin/mkdir "${jaildir}" -fi - -if /usr/bin/install -m 555 -o root -g wheel -p rc.d.rcynic /usr/local/etc/rc.d/rcynic; then - echo "Installed rc.d.rcynic as /usr/local/etc/rc.d/rcynic" -else - echo "Installing /usr/local/etc/rc.d/rcynic failed" - exit 1 -fi - -echo "Running /usr/local/etc/rc.d/rcynic to set up directories" - -if ! rcynic_jaildir="$jaildir" rcynic_user="$jailuser" rcynic_group="$jailgroup" /bin/sh /usr/local/etc/rc.d/rcynic start; then - echo "Directory setup failed" - exit 1 -fi - -if /bin/test -r "$jaildir/etc/rcynic.conf"; then - echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it." 
-elif /usr/bin/install -m 444 -o root -g wheel -p ../sample-rcynic.conf "${jaildir}/etc/rcynic.conf"; then - echo "Installed minimal ${jaildir}/etc/rcynic.conf, adding SAMPLE trust anchors" - for i in ../../sample-trust-anchors/*.cer; do - j="$jaildir/etc/trust-anchors/${i##*/}" - /bin/test -r "$i" || continue - /bin/test -r "$j" && continue - echo "Installing $i as $j" - /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j" - done - j=1 - for i in $jaildir/etc/trust-anchors/*.cer; do - echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor.$j = /etc/trust-anchors/${i##*/}" - j=$((j+1)) - done -else - echo "Installing minimal ${jaildir}/etc/rcynic.conf failed" - exit 1 -fi - -echo "Installing rcynic as ${jaildir}/bin/rcynic" - -/usr/bin/install -m 555 -o root -g wheel -p ../../rcynic "${jaildir}/bin/rcynic" - -if /bin/test ! -x "$jaildir/bin/rsync" -a ! -x ../../static-rsync/rsync; then - echo "Building static rsync for jail, this may take a little while" - (cd ../../static-rsync && exec make) -fi - -if /bin/test -x "$jaildir/bin/rsync"; then - echo "You already have an executable \"$jaildir/bin/rsync\", so I will use it" -elif /usr/bin/install -m 555 -o root -g wheel -p ../../static-rsync/rsync "${jaildir}/bin/rsync"; then - echo "Installed static rsync as \"${jaildir}/bin/rsync\"" -else - echo "Installing static rsync failed" - exit 1 -fi - -if /usr/bin/install -m 444 -o root -g wheel -p ../../rcynic.xsl "${jaildir}/etc/rcynic.xsl"; then - echo "Installed rcynic.xsl as \"${jaildir}/etc/rcynic.xsl\"" -else - echo "Installing rcynic.xsl failed" - exit 1 -fi - -echo "Setting up root's crontab to run jailed rcynic" - -case "$setupcron" in -YES|yes) - /usr/bin/crontab -l -u root 2>/dev/null | - /usr/bin/awk -v "jailuser=$jailuser" -v "jailgroup=$jailgroup" -v "jaildir=$jaildir" ' - BEGIN { - cmd = "exec /usr/sbin/chroot -u " jailuser " -g " jailgroup " " jaildir; - cmd = cmd " /bin/rcynic -c /etc/rcynic.conf"; - } - $0 !~ cmd { - print; - } - END { - "/usr/bin/hexdump -n 2 
-e \"\\\"%u\\\\\\n\\\"\" /dev/random" | getline; - printf "%u * * * *\t%s\n", $1 % 60, cmd; - }' | - /usr/bin/crontab -u root - - /bin/cat </dev/null - - /usr/sbin/mtree -deU -p "${rcynic_jaildir}" </dev/null -} - -load_rc_config $name -run_rc_command "$1" diff --git a/rcynic/scripts/install.sh b/rcynic/scripts/install.sh deleted file mode 100644 index 9c7fa3fb..00000000 --- a/rcynic/scripts/install.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh - -# $Id$ - -set -e - -case "$1" in - -freebsd*) - cd freebsd - . install.sh - ;; - -# linux*) ;; -# darwin*) ;; -*) - echo 1>&2 "Don't know how to install rcynic jail on platform $uname" - exit 1 - ;; -esac diff --git a/rcynic/scripts/sample-rcynic.conf b/rcynic/scripts/sample-rcynic.conf deleted file mode 100644 index 6e464e7e..00000000 --- a/rcynic/scripts/sample-rcynic.conf +++ /dev/null @@ -1,27 +0,0 @@ -# $Id$ -# -# Sample rcynic configuration file for FreeBSD jailed environment - -[rcynic] -rsync-program = /bin/rsync -authenticated = /data/authenticated -old-authenticated = /data/authenticated.old -unauthenticated = /data/unauthenticated -lockfile = /data/lock -jitter = 600 -use-syslog = true -log-level = log_usage_err - -# You need to specify some trust anchors here, eg: - -#trust-anchor.1 = /etc/trust-anchors/ta-1.cer -#trust-anchor.2 = /etc/trust-anchors/ta-2.cer - -# or, using the "Trust Anchor Locator" form: - -#trust-anchor-locator.1 = /etc/trust-anchors/ta-1.tal -#trust-anchor-locator.2 = /etc/trust-anchors/ta-2.tal - -# The choice between these two formats depends largely on the policies -# of the entity generating the corresponding trust anchor, ie, will -# probably be made for you by the generating entity. -- cgit v1.2.3