Date: Thu, 19 Sep 2024 01:02:06 GMT
Message-Id: <202409190102.48J126L7072485@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Vladimir Druzenko Subject: git: a9cd810269d1 - main - security/openbao: New port: open source, community-driven fork of Vault List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-main@freebsd.org Sender: owner-dev-commits-ports-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: vvd X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: a9cd810269d14464f96a966c1fb9ee8fb46e937c Auto-Submitted: auto-generated The branch main has been updated by vvd: URL: https://cgit.FreeBSD.org/ports/commit/?id=a9cd810269d14464f96a966c1fb9ee8fb46e937c commit a9cd810269d14464f96a966c1fb9ee8fb46e937c Author: jake AuthorDate: 2024-09-19 01:00:38 +0000 Commit: Vladimir Druzenko CommitDate: 2024-09-19 01:00:38 +0000 security/openbao: New port: open source, community-driven fork of Vault OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. The OpenBao community intends to provide this software under an OSI-approved open-source license, led by a community run under open governance principles. https://openbao.org https://github.com/openbao/openbao PR: 280619 --- GIDs | 2 +- UIDs | 2 +- security/Makefile | 1 + security/openbao/Makefile | 43 +++++++++++++++++ security/openbao/distinfo | 15 ++++++ security/openbao/files/openbao.in | 89 +++++++++++++++++++++++++++++++++++ security/openbao/files/pkg-message.in | 25 ++++++++++ security/openbao/pkg-descr | 4 ++ 8 files changed, 179 insertions(+), 2 deletions(-) diff --git a/GIDs b/GIDs index f1ee5df2c001..141d231797f1 100644 --- a/GIDs +++ b/GIDs 
@@ -422,7 +422,7 @@ prometheus:*:478: alertmanager:*:479: datadog:*:480: promxy:*:481: -# free: 482 +openbao:*:482: # free: 483 # free: 484 # free: 485 diff --git a/UIDs b/UIDs index f08bffe259fb..ce212d8f54c8 100644 --- a/UIDs +++ b/UIDs @@ -427,7 +427,7 @@ prometheus:*:478:478::0:0:Prometheus Daemon:/var/tmp/prometheus:/usr/sbin/nologi alertmanager:*:479:479::0:0:Alertmanager Daemon:/var/tmp/alertmanager:/usr/sbin/nologin datadog:*:480:480::0:0:DataDog Agent:/var/db/datadog:/usr/sbin/nologin promxy:*:481:481::0:0:Promxy Daemon:/nonexistent:/usr/sbin/nologin -# free: 482 +openbao:*:482:482:daemon:0:0:OpenBao Daemon:/nonexistent:/usr/sbin/nologin # free: 483 # free: 484 # free: 485 diff --git a/security/Makefile b/security/Makefile index a467e32175b7..7bb427dbe75c 100644 --- a/security/Makefile +++ b/security/Makefile @@ -427,6 +427,7 @@ SUBDIR += olm SUBDIR += onionscan SUBDIR += op + SUBDIR += openbao SUBDIR += openbsm SUBDIR += openca-ocspd SUBDIR += openconnect diff --git a/security/openbao/Makefile b/security/openbao/Makefile new file mode 100644 index 000000000000..d51626734576 --- /dev/null +++ b/security/openbao/Makefile 
@@ -0,0 +1,43 @@ +PORTNAME= openbao +DISTVERSIONPREFIX= v +DISTVERSION= 2.0.1 +CATEGORIES= security +MASTER_SITES+= https://raw.githubusercontent.com/${PORTNAME}/${PORTNAME}/${DISTVERSIONFULL}/ +DISTFILES= go.mod \ + api/go.mod \ + api/auth/approle/go.mod \ + api/auth/kubernetes/go.mod \ + api/auth/userpass/go.mod \ + sdk/go.mod + +MAINTAINER= jake@metalrip.com +COMMENT= Tool for securely accessing secrets +WWW= https://openbao.org/ + +LICENSE= MPL20 +LICENSE_FILE= ${WRKSRC}/LICENSE + +USES= go:1.22,modules +USE_GITHUB= yes +USE_RC_SUBR= ${PORTNAME} + +GO_MODULE= github.com/${PORTNAME}/${PORTNAME} +GO_TARGET= :${BIN_NAME} +GO_BUILDFLAGS= -ldflags="-s \ + -X ${GO_MODULE}/version.GitCommit=${GITID} \ + -X ${GO_MODULE}/version.BuildDate=${SOURCE_DATE_EPOCH} \ + -X ${GO_MODULE}/version.fullVersion=${DISTVERSION}" + +SUB_FILES= pkg-message +SUB_LIST= USER=${USERS} GROUP=${GROUPS} +USERS= ${PORTNAME} +GROUPS= ${PORTNAME} + +PLIST_FILES= bin/${BIN_NAME} + +BIN_NAME= bao +GITID= 700fe3f27ab1f0ec39ce20c36f6d9d97c9fe6ac3 +SOURCE_DATE_EPOCH= ${TIMEEPOCHNOW:gmtime} +TIMEEPOCHNOW= %Y-%m-%dT%H:%M:%SZ + +.include diff --git a/security/openbao/distinfo b/security/openbao/distinfo new file mode 100644 index 000000000000..62c87346076f --- /dev/null +++ b/security/openbao/distinfo 
@@ -0,0 +1,15 @@ +TIMESTAMP = 1726704320 +SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/go.mod) = 07afdd23371122e726777b23ce81437992633589629dcaadc173109f58ba5e98 +SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/go.mod) = 18131 +SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/go.mod) = aae819cfafff9f54e6e58983b0277797a4744df72f7db2e3d81ffac32ce960b6 +SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/go.mod) = 1525 +SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/approle/go.mod) = 37d743ea994960230616092168903b7e806607fbda94757b28d646be105bee4c +SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/approle/go.mod) = 182 +SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/kubernetes/go.mod) = cf1312fefbf43849805eb13b283556f500f246635c4f39f459908d854dacf41a +SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/kubernetes/go.mod) = 185 +SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/userpass/go.mod) = 41994758ed7b2ba521e641b3ea77a46371e748ce675fffd39ed1b87eb64342ec +SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/userpass/go.mod) = 183 +SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/sdk/go.mod) = df45cdcb8dd0c366f9b49ed401f2a9087a28f8d25fdef627d0998dfca0449eda +SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/sdk/go.mod) = 4653 +SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/openbao-openbao-v2.0.1_GH0.tar.gz) = 820f9dcc1a42982dbdb87fefceb714e2a9600f5aeeeafcf1ea2509c774d1a42f +SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/openbao-openbao-v2.0.1_GH0.tar.gz) = 15762632 diff --git a/security/openbao/files/openbao.in b/security/openbao/files/openbao.in new file mode 100644 index 000000000000..27989dfd3e77 --- /dev/null +++ b/security/openbao/files/openbao.in 
@@ -0,0 +1,89 @@ +#!/bin/sh + +# PROVIDE: openbao +# REQUIRE: DAEMON +# KEYWORD: shutdown +# +# Add the following lines to /etc/rc.conf.local or /etc/rc.conf +# to enable this service: +# +# openbao_enable (bool): Set it to YES to enable openbao. +# Default is "NO". +# openbao_user (user): Set user to run openbao. +# Default is "%%USER%%". +# openbao_group (group): Set group to run openbao. +# Default is "%%GROUP%%". +# openbao_config (file): Set openbao config file. +# Default is "%%PREFIX%%/etc/openbao.hcl". +# openbao_syslog_output_enable (bool): Set to enable syslog output. +# Default is "NO". See daemon(8). +# openbao_syslog_output_priority (str): Set syslog priority if syslog enabled. +# Default is "info". See daemon(8). +# openbao_syslog_output_facility (str): Set syslog facility if syslog enabled. +# Default is "daemon". See daemon(8). +# openbao_limits_mlock (size): Allowed memorylocked value in size. +# Default is 1024M. + +. /etc/rc.subr + +name=openbao +rcvar=openbao_enable + +load_rc_config $name + +: ${openbao_enable:="NO"} +: ${openbao_user:="%%USER%%"} +: ${openbao_group:="%%GROUP%%"} +: ${openbao_config:="%%PREFIX%%/etc/openbao.hcl"} +: ${openbao_limits_mlock:="1024M"} +: ${openbao_limits:="-l ${openbao_limits_mlock}"} + +DAEMON=$(/usr/sbin/daemon 2>&1 | grep -q syslog ; echo $?) 
+if [ ${DAEMON} -eq 0 ]; then + : ${openbao_syslog_output_enable:="NO"} + : ${openbao_syslog_output_priority:="info"} + : ${openbao_syslog_output_facility:="daemon"} + if checkyesno openbao_syslog_output_enable; then + openbao_syslog_output_flags="-T ${name}" + + if [ -n "${openbao_syslog_output_priority}" ]; then + openbao_syslog_output_flags="${openbao_syslog_output_flags} -s ${openbao_syslog_output_priority}" + fi + + if [ -n "${openbao_syslog_output_facility}" ]; then + openbao_syslog_output_flags="${openbao_syslog_output_flags} -l ${openbao_syslog_output_facility}" + fi + fi +else + openbao_syslog_output_enable="NO" + openbao_syslog_output_flags="" +fi + +pidfile=/var/run/openbao.pid +procname="%%PREFIX%%/bin/bao" +command="/usr/sbin/daemon" +command_args="-f -t ${name} ${openbao_syslog_output_flags} -p ${pidfile} /usr/bin/env ${openbao_env} ${procname} server -config=${openbao_config}" + +extra_commands="reload monitor" +monitor_cmd=openbao_monitor +start_precmd=openbao_startprecmd +required_files="$openbao_config" + +openbao_monitor() +{ + sig_reload=USR1 + run_rc_command "reload" +} + +openbao_startprecmd() +{ + if [ ! -e ${pidfile} ]; then + install -o ${openbao_user} -g ${openbao_group} /dev/null ${pidfile}; + fi + + if [ ! -d ${openbao_dir} ]; then + install -d -o ${openbao_user} -g ${openbao_group} ${openbao_dir} + fi +} + +run_rc_command "$1" diff --git a/security/openbao/files/pkg-message.in b/security/openbao/files/pkg-message.in new file mode 100644 index 000000000000..31d07d759a13 --- /dev/null +++ b/security/openbao/files/pkg-message.in @@ -0,0 +1,25 @@ +[ +{ type: install + message: <
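Review bot: the new UIDs entry sets the login class field to daemon (openbao:*:482:482:daemon:0:0:OpenBao Daemon:...), while the neighbouring entries visible in the same hunk (prometheus, alertmanager, datadog, promxy) leave that field empty, as in promxy:*:481:481::0:0. If the class is deliberate, for instance because of the memorylocked limit the rc script raises, the commit message should say so; otherwise leave the field empty to match the surrounding entries.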
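Review bot: in security/openbao/Makefile, version.BuildDate is filled from SOURCE_DATE_EPOCH= ${TIMEEPOCHNOW:gmtime} with TIMEEPOCHNOW= %Y-%m-%dT%H:%M:%SZ, so every build embeds its own wall-clock time and two builds of the same distfiles produce different binaries. For a secrets manager, a package that can be rebuilt and compared is worth having; consider pinning the date to that of the tagged commit, next to GITID, and using a port-specific variable name, since SOURCE_DATE_EPOCH conventionally holds integer seconds rather than a formatted date. GITID is also a hand-maintained constant that has to change with every DISTVERSION bump, and a one-line comment above it saying so would help the next updater.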
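Review bot: in security/openbao/files/openbao.in, openbao_startprecmd tests and creates ${openbao_dir} and command_args expands ${openbao_env}, but neither variable gets a default in the : ${...} block or an entry in the header comment. With openbao_dir unset, the unquoted test [ ! -d ${openbao_dir} ] collapses to [ ! -d ], which evaluates false, so the directory step is silently skipped instead of failing. Either give openbao_dir a default and document it alongside openbao_config, or drop the block; in both cases quote the expansions in the precmd ("${pidfile}", "${openbao_dir}") so that an empty or space-containing value cannot change what install operates on.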