authorSilvio Rhatto <rhatto@riseup.net>2013-11-01 14:33:19 -0200
committerSilvio Rhatto <rhatto@riseup.net>2013-11-01 14:33:19 -0200
commit97b23327ec2da81c279c4f3995327956409e4b17 (patch)
tree9c61fd3d4d9e413868491181c05a3a5f5326bb7a
parent01fc01e9a726e0fad10aa4285b858b2eb1062c0f (diff)
Initial ecdhforce support
-rwxr-xr-xfiles/init.d/mumble-server.Debian18
-rw-r--r--manifests/ecdhforce.pp43
2 files changed, 54 insertions, 7 deletions
diff --git a/files/init.d/mumble-server.Debian b/files/init.d/mumble-server.Debian
index e7771e3..61b6808 100755
--- a/files/init.d/mumble-server.Debian
+++ b/files/init.d/mumble-server.Debian
@@ -28,6 +28,10 @@ MURMUR_DAEMON_START=0
MURMUR_USE_CAPABILITIES=0
MURMUR_LIMIT_NOFILE=0
+# ECDHE Perfect Forward Secrecy on the Murmur server via an LD_PRELOAD
+# https://github.com/ultramancool/ecdhforce
+STARTSTOP="LD_PRELOAD=/var/lib/mumble-server/ecdhforce/ecdhforce.so start-stop-daemon"
+
# Include murmur defaults if available
if [ -f /etc/default/$NAME ] ; then
. /etc/default/$NAME
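Review bot: The `STARTSTOP` value added here will not set the environment variable when it is later expanded as `$STARTSTOP --start ...`, because the shell recognises `NAME=value` prefixes before parameter expansion; after expansion the first word `LD_PRELOAD=/var/lib/...` is looked up as a command and the call fails. Routing it through env avoids that: `STARTSTOP="env LD_PRELOAD=/var/lib/mumble-server/ecdhforce/ecdhforce.so start-stop-daemon"`. Every call site changed in the later hunks (start, stop, force-reload, restart) is affected. The `if [ -f /etc/default/$NAME ]` block continues outside the hunk.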
@@ -49,13 +53,13 @@ case "$1" in
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
[ -d $PIDDIR ] || install -o $USER -d $PIDDIR
if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
- start-stop-daemon --start --quiet \
+ $STARTSTOP --start --quiet \
--pidfile $PIDFILE \
--chuid $USER:$GROUP \
--exec $DAEMON \
-- $DAEMON_OPTS
else
- start-stop-daemon --start --quiet \
+ $STARTSTOP --start --quiet \
--pidfile $PIDFILE \
--exec $DAEMON \
-- $DAEMON_OPTS
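Review bot: Once the preload takes effect, ecdhforce.so is loaded into start-stop-daemon itself, which runs as root before `--chuid $USER:$GROUP` drops privileges, and the `MURMUR_USE_CAPABILITIES` branch passes no `--chuid` at all. The library sits under /var/lib/mumble-server, presumably the service account's data directory; if that account can write to the parent directory, it could replace the ecdhforce directory and have its content loaded by root at the next start. Consider installing the built library into a root-owned directory outside the service's tree and pointing `STARTSTOP` there, and confirm the ownership of /var/lib/mumble-server. The same applies to the two start calls in the restart hunk.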
@@ -67,7 +71,7 @@ case "$1" in
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- start-stop-daemon --stop --quiet \
+ $STARTSTOP --stop --quiet \
--retry=TERM/30/KILL/5 \
--pidfile $PIDFILE \
--user $USER \
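Review bot: The `--stop` invocation does not launch murmurd, so going through `$STARTSTOP` here only loads the preload library into a root-run start-stop-daemon for no benefit; plain `start-stop-daemon --stop --quiet \` would keep the preload confined to the start paths. The same holds for the `--stop --test` call under force-reload and the `--stop` call under restart. The stop branch continues outside the hunk.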
@@ -80,7 +84,7 @@ case "$1" in
esac
;;
force-reload)
- start-stop-daemon --stop --test --quiet \
+ $STARTSTOP --stop --test --quiet \
--pidfile $PIDFILE \
--user $USER \
--exec $DAEMON \
@@ -88,7 +92,7 @@ case "$1" in
;;
restart)
[ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
- start-stop-daemon --stop --quiet \
+ $STARTSTOP --stop --quiet \
--retry=TERM/30/KILL/5 \
--pidfile $PIDFILE \
--user $USER \
@@ -98,13 +102,13 @@ case "$1" in
[ -d $PIDDIR ] || install -o $USER -d $PIDDIR
rm -f $PIDFILE
if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
- start-stop-daemon --start --quiet \
+ $STARTSTOP --start --quiet \
--pidfile $PIDFILE \
--chuid $USER:$GROUP \
--exec $DAEMON \
-- $DAEMON_OPTS
else
- start-stop-daemon --start --quiet \
+ $STARTSTOP --start --quiet \
--pidfile $PIDFILE \
--exec $DAEMON \
-- $DAEMON_OPTS
diff --git a/manifests/ecdhforce.pp b/manifests/ecdhforce.pp
new file mode 100644
index 0000000..bdbd4c9
--- /dev/null
+++ b/manifests/ecdhforce.pp
@@ -0,0 +1,43 @@
+class mumble::ecdhforce {
+ vcsrepo { "/var/lib/mumble-server/ecdhforce":
+ ensure => present,
+ provider => git,
+ source => 'https://github.com/ultramancool/ecdhforce.git',
+ revision => '7b0d6564c21a1bc619307258b773da547842ebca',
+ owner => root,
+ group => mumble-server,
+ require => Package[ 'mumble-server' ],
+ }
+
+ package { [ 'gcc', 'libssl-dev' ]:
+ ensure => present,
+ }
+
+ exec { 'ecdhforce-compile':
+ cwd => '/var/lib/mumble-server/ecdhforce',
+ command => 'gcc -Wall -fPIC -DPIC -c ecdhforce.c',
+ require => [ Vcsrepo['/var/lib/mumble-server/ecdhforce'], Package['gcc'], Package['libssl-dev'] ],
+ creates => '/var/lib/mumble-server/ecdhforce/ecdhforce.o',
+ user => root,
+ group => root,
+ }
+
+ exec { 'ecdhforce-link':
+ cwd => '/var/lib/mumble-server/ecdhforce',
+ command => 'ld -shared -o ecdhforce.so ecdhforce.o -ldl',
+ require => Exec['ecdhforce-compile'],
+ creates => '/var/lib/mumble-server/ecdhforce/ecdhforce.so',
+ user => root,
+ group => root,
+ }
+
+ file { '/etc/init.d/mumble-server':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0755,
+ source => "puppet:///modules/mumble/init.d/mumble-server.${::operatingsystem}",
+ require => Exec['ecdhforce-link'],
+ notify => Service['mumble-server'],
+ }
+}
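Review bot: A later change of `revision` will not rebuild ecdhforce.so, because both execs are guarded only by `creates` and nothing subscribes to the Vcsrepo, so the init script would keep preloading a library built from the old commit. Consider replacing the `creates` guards with `refreshonly => true` plus `subscribe => Vcsrepo['/var/lib/mumble-server/ecdhforce']` on 'ecdhforce-compile', and `subscribe => Exec['ecdhforce-compile']` on 'ecdhforce-link'. The execs also call unqualified `gcc` and `ld` with no `path`, which Puppet rejects unless a global Exec default is set elsewhere; `path => ['/usr/bin', '/bin']` would make them self-contained. Pinning the checkout to a full commit hash is worth keeping, since this code ends up loaded by a root-run init script.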