Update turnkey init fence

bin/turnkey-init-fence

@@ -0,0 +1,80 @@
+#!/bin/bash -eu
+
+# TurnKey web interface fence - blocks access to web app until system is
+# initialized (admin password configure, etc)
+
+iptables_delete_redirect() {
+    local dport=$1
+    local to_port=$2
+
+    while true; do
+        (2>&1 iptables -t nat -D PREROUTING -p tcp --dport "$dport" -j REDIRECT --to-port "$to_port") > /dev/null || break
+    done
+}
+
+iptables_add_redirect() {
+    local dport=$1
+    local to_port=$2
+
+    iptables_delete_redirect "$dport" "$to_port"
+    iptables -t nat -A PREROUTING -p tcp --dport "$dport" -j REDIRECT --to-port "$to_port"
+}
+
+iptables_unensure_accept() {
+    # remove ACCEPT line for fence ports (used in appliances that have a
+    # `filter` policy of `DROP`)
+    local dport=$1
+    while true; do
+        (2>&1 iptables -t filter -D INPUT -p tcp -m tcp --dport "$dport" -j ACCEPT) > /dev/null || break
+    done
+}
+
+iptables_ensure_accept() {
+    # add ACCEPT line for fence ports (used in appliances that have a
+    # `filter` policy of `DROP`)
+    local dport=$1
+    iptables_unensure_accept "$dport"
+    iptables -t filter -A INPUT -p tcp -m tcp --dport "$dport" -j ACCEPT
+}
+
+iptables_redirect() {
+    local op
+    local mop
+    local port
+    case "$1" in
+      start)
+          op=iptables_add_redirect
+          mop=iptables_ensure_accept
+        ;;
+      stop)
+          op=iptables_delete_redirect
+          mop=iptables_unensure_accept
+        ;;
+    esac
+
+    for port in "${HTTP_PORTS[@]}"; do
+        $op "$port" "$HTTP_FENCE_PORT"
+    done
+
+    for port in "${HTTPS_PORTS[@]}"; do
+        $op "$port" "$HTTPS_FENCE_PORT"
+    done
+
+    $mop "$HTTP_FENCE_PORT"
+    $mop "$HTTPS_FENCE_PORT"
+}
+
+case "$1" in
+    start)
+	    echo "Starting turnkey-init-fence"
+        iptables_redirect start
+	    ;;
+    stop)
+	    echo "Stopping turnkey-init-fence"
+        iptables_redirect stop
+	    ;;
+	*)
+		echo "Unknown command: $1" >&2
+        exit 1
+		;;
+esac

debian/inithooks.install

@@ -5,8 +5,8 @@ everyboot.d/*                           /usr/lib/inithooks/everyboot.d
 run                                     /usr/lib/inithooks
 rsyslog.d/*                             /etc/rsyslog.d
 
-turnkey-init-fence/turnkey-init-fence   /etc/init.d
-turnkey-init-fence/htdocs               /var/lib/inithooks/turnkey-init-fence
+turnkey-init-fence/turnkey-init-fence.service   /usr/lib/systemd/system
+turnkey-init-fence/htdocs               /usr/lib/inithooks/turnkey-init-fence
 
 turnkey-init                            /usr/sbin
 turnkey-sudoadmin                       /usr/sbin

default/turnkey-init-fence

@@ -1,6 +1,6 @@
-WEBROOT=/var/lib/inithooks/turnkey-init-fence/htdocs
-HTTP_PORTS=80
-HTTPS_PORTS="443 12321 12320"
+WEBROOT=/usr/lib/inithooks/turnkey-init-fence/htdocs
+HTTP_PORTS=(80)
+HTTPS_PORTS=(443 12321 12322)
 
 RUNAS=nobody
 

turnkey-init-fence/turnkey-init-fence.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=TurnKey Initialization web interface fence
+After=network.target network-online.target
+After=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+Before=apache2.service nginx.service lighttpd.service
+
+[Service]
+Type=one-shot
+EnvironmentFile=/etc/default/turnkey-init-fence
+ExecStart=/usr/lib/inithooks/bin/turnkey-init-fence start
+ExecStop=/usr/lib/inithooks/bin/turnkey-init-fence stop
+
+[Install]
+WantedBy=multi-user.target