authorjmmv <jmmv@pkgsrc.org>2006-02-21 16:09:16 +0000
committerjmmv <jmmv@pkgsrc.org>2006-02-21 16:09:16 +0000
commitaa08d07ec1df013afdb8976ec4157265e4b9696c (patch)
treefe9734d3755978c624aead7b26cd97cb62b0e831 /devel/monotone-server
parent067196858b26efd2fc4d5b90764c3b3781d6e4d0 (diff)
downloadpkgsrc-aa08d07ec1df013afdb8976ec4157265e4b9696c.tar.gz
Adapt to recent changes in monotone as the current package does not work
appropriately otherwise. - The server keypair is now stored and read from ${PKG_SYSCONFDIR}/keys instead of being inside the database. - Provide and use two files (read-permissions and write-permissions) to set up netsync's access control. - During monotone-server-init, run monotone under the unprivileged user so that it creates files in the correct places (if any). - Add a note to monotone-server-init to let the user ensure that the UID and GID are correct. (I always get them wrong otherwise.) - Make the rc.d script print a "divisory" line in the log file so that different sections are easy to distinguish. Bump PKGREVISION to 2.
Diffstat (limited to 'devel/monotone-server')
-rw-r--r--devel/monotone-server/Makefile19
-rw-r--r--devel/monotone-server/PLIST4
-rw-r--r--devel/monotone-server/files/hooks.conf26
-rw-r--r--devel/monotone-server/files/monotone-server-init.sh38
-rw-r--r--devel/monotone-server/files/monotone.sh13
-rw-r--r--devel/monotone-server/files/read-permissions7
-rw-r--r--devel/monotone-server/files/write-permissions2
7 files changed, 72 insertions, 37 deletions
diff --git a/devel/monotone-server/Makefile b/devel/monotone-server/Makefile
index 59c55ba2425..84e680cc502 100644
--- a/devel/monotone-server/Makefile
+++ b/devel/monotone-server/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.15 2006/02/05 23:08:48 joerg Exp $
+# $NetBSD: Makefile,v 1.16 2006/02/21 16:09:16 jmmv Exp $
#
DISTNAME= monotone-server-0.25
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= devel
MASTER_SITES= # empty
DISTFILES= # empty
@@ -21,6 +21,8 @@ WRKSRC= ${WRKDIR}
RCD_SCRIPTS= monotone
PKG_SYSCONFSUBDIR= monotone-server
+OWN_DIRS_PERMS= ${PKG_SYSCONFDIR}/keys \
+ ${MONOTONE_USER} ${MONOTONE_GROUP} 700
BUILD_DEFS+= MONOTONE_GROUP MONOTONE_USER
@@ -31,6 +33,12 @@ CONF_FILES_PERMS= ${EXAMPLEDIR}/branches.conf \
CONF_FILES_PERMS+= ${EXAMPLEDIR}/hooks.conf \
${PKG_SYSCONFDIR}/hooks.conf \
${MONOTONE_USER} ${MONOTONE_GROUP} 600
+CONF_FILES_PERMS+= ${EXAMPLEDIR}/read-permissions \
+ ${PKG_SYSCONFDIR}/read-permissions \
+ ${MONOTONE_USER} ${MONOTONE_GROUP} 600
+CONF_FILES_PERMS+= ${EXAMPLEDIR}/write-permissions \
+ ${PKG_SYSCONFDIR}/write-permissions \
+ ${MONOTONE_USER} ${MONOTONE_GROUP} 600
PKG_USERS= ${MONOTONE_USER}:${MONOTONE_GROUP}::Monotone\ dedicated\ server:${VARBASE}/monotone:${SH}
PKG_GROUPS= ${MONOTONE_GROUP}
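Review bot: The two new `CONF_FILES_PERMS` entries install read-permissions and write-permissions owned by `${MONOTONE_USER}` with mode 600, so the account the server runs as can rewrite its own netsync access policy; that mirrors the existing hooks.conf line but weakens the boundary these files are meant to enforce. Since the init script edits them as root and the daemon only needs to read them, `${ROOT_USER} ${MONOTONE_GROUP} 640` would keep them readable by the service while leaving ownership with root (assuming `ROOT_USER` is available to this package as it is elsewhere in pkgsrc). The keys directory in the earlier hunk must stay writable by `${MONOTONE_USER}` because genkey runs under that account, so this does not apply there.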
@@ -52,7 +60,8 @@ FILES_SUBST+= MONOTONE_USER=${MONOTONE_USER:Q}
INSTALLATION_DIRS= sbin
do-extract:
-.for f in branches.conf hooks.conf monotone-server-init.sh
+.for f in branches.conf hooks.conf monotone-server-init.sh read-permissions \
+ write-permissions
${CP} ${FILESDIR}/${f} ${WRKSRC}
.endfor
@@ -62,5 +71,9 @@ do-install:
${INSTALL_DATA_DIR} ${EXAMPLEDIR}
${INSTALL_DATA} ${WRKSRC}/branches.conf ${EXAMPLEDIR}/branches.conf
${INSTALL_DATA} ${WRKSRC}/hooks.conf ${EXAMPLEDIR}/hooks.conf
+ ${INSTALL_DATA} ${WRKSRC}/read-permissions \
+ ${EXAMPLEDIR}/read-permissions
+ ${INSTALL_DATA} ${WRKSRC}/write-permissions \
+ ${EXAMPLEDIR}/write-permissions
.include "../../mk/bsd.pkg.mk"
diff --git a/devel/monotone-server/PLIST b/devel/monotone-server/PLIST
index 66bd20400c9..4418dd476c7 100644
--- a/devel/monotone-server/PLIST
+++ b/devel/monotone-server/PLIST
@@ -1,6 +1,8 @@
-@comment $NetBSD: PLIST,v 1.2 2005/05/02 20:33:59 reed Exp $
+@comment $NetBSD: PLIST,v 1.3 2006/02/21 16:09:16 jmmv Exp $
sbin/monotone-server-init
share/examples/monotone-server/branches.conf
share/examples/monotone-server/hooks.conf
+share/examples/monotone-server/read-permissions
+share/examples/monotone-server/write-permissions
share/examples/rc.d/monotone
@dirrm share/examples/monotone-server
diff --git a/devel/monotone-server/files/hooks.conf b/devel/monotone-server/files/hooks.conf
index 47874fd687c..11f0f78047c 100644
--- a/devel/monotone-server/files/hooks.conf
+++ b/devel/monotone-server/files/hooks.conf
@@ -1,30 +1,12 @@
--- $NetBSD: hooks.conf,v 1.3 2005/08/13 11:19:44 jmmv Exp $
+-- $NetBSD: hooks.conf,v 1.4 2006/02/21 16:09:16 jmmv Exp $
--
-- This file belongs to the monotone-server package. This is the typical
-- ~/.monotonerc configuration file, but is system-wide.
--
function get_passphrase(identity)
--- if (identity == "PUT_KEYNAME_HERE") then
--- return "PUT_PASSPHRASE_HERE"
--- end
- return false
-end
-
-function get_netsync_read_permitted (branch, identity)
--- if (branch == "net.example.project1") then
--- if (identity == nil) then return true end
--- if (identity == "user1@example.org") then return true end
--- end
--- if (branch == "net.example.project2.subbranch") then
--- if (identity == "user1@example.org") then return true end
--- if (identity == "user2@example.org") then return true end
--- end
- return false
-end
-
-function get_netsync_write_permitted (identity)
--- if (identity == "user1@example.org") then return true end
--- if (identity == "user2@example.org") then return true end
+ if (identity == "PUT_KEYNAME_HERE") then
+ return "PUT_PASSPHRASE_HERE"
+ end
return false
end
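Review bot: The `get_passphrase` template is now live code rather than a commented example, and nothing in the file says that the `get_netsync_read_permitted`/`get_netsync_write_permitted` hooks it used to carry have moved to the read-permissions and write-permissions files under the confdir, so a reader who still expects to define them here gets no hint. A short comment above the function would cover both, e.g. `-- Netsync access control is no longer configured here: see read-permissions` and `-- and write-permissions in this directory. Any passphrase returned below is` followed by `-- stored in cleartext, protected only by this file's 600 mode.` The placeholder comparison against `"PUT_KEYNAME_HERE"` is harmless as shipped, but the comment should also tell the user to replace both placeholders together.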
diff --git a/devel/monotone-server/files/monotone-server-init.sh b/devel/monotone-server/files/monotone-server-init.sh
index 8dd4ed60492..f3433ace9ea 100644
--- a/devel/monotone-server/files/monotone-server-init.sh
+++ b/devel/monotone-server/files/monotone-server-init.sh
@@ -1,6 +1,6 @@
#!@SH@
#
-# $NetBSD: monotone-server-init.sh,v 1.2 2006/02/20 16:54:42 jmmv Exp $
+# $NetBSD: monotone-server-init.sh,v 1.3 2006/02/21 16:09:16 jmmv Exp $
#
progname=$(basename $0)
@@ -17,6 +17,21 @@ if [ $(id -u) -ne 0 ]; then
fi
cat <<EOF
+The following user and group will be used to run the monotone server
+process under a restricted account:
+
+ User name \`${MONOTONE_USER}', UID \``id -u monotone`'
+ Group name \`${MONOTONE_GROUP}', GID \``id -g monotone`'
+
+If either the UID or the GID are inappropriate, please abort this
+script now, correct them and restart the utility so that all the
+files are created with the correct ownerships.
+
+Press RETURN to continue or CTRL-C to abort.
+EOF
+read key
+
+cat <<EOF
The monotone package is currently configured to use the
${VARBASE}/monotone directory to hold the public database.
You may now change this default path to something else that is
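Review bot: The UID/GID banner hard-codes the account name in `` `id -u monotone` `` and `` `id -g monotone` `` while the rest of the script (and the `PKG_USERS` line in the Makefile) derive it from `${MONOTONE_USER}`, so a build that overrides the user name prints either a wrong pair or an `id` error in the middle of the heredoc. Use the variable on both lines: `User name \`${MONOTONE_USER}', UID \``id -u ${MONOTONE_USER}`'` and `Group name \`${MONOTONE_GROUP}', GID \``id -g ${MONOTONE_USER}`'`. The enclosing script body continues past this hunk.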
@@ -65,7 +80,8 @@ fi
cd ${home}
echo "Initializing database: \`${home}/monotone.db'"
-${MONOTONE} --db=monotone.db db init
+su - ${MONOTONE_USER} -c "${MONOTONE} --confdir=${PKG_SYSCONFDIR} \
+ --db=monotone.db db init"
cat <<EOF
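Review bot: Switching to `su - ${MONOTONE_USER} -c "..."` while keeping the relative `--db=monotone.db` means the database may no longer be created in `${home}`: the `cd ${home}` on the line above applies to the root shell, but a login-style `su -` starts the target shell in the account's own login directory, which differs from `${home}` whenever the user accepted the script's offer to change the path. The later `chown ... monotone.db` in `${home}` would then fail on a file that does not exist there. Passing an absolute path, `--db=${home}/monotone.db`, removes the dependency on where `su` lands, and the same applies to the three `su -` invocations and the `>${keyname}-public`/`>${keyname}-private` redirections in the next hunk. The enclosing script body starts and ends outside this hunk.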
@@ -76,9 +92,12 @@ you can forget about it (assuming you have a safe copy).
EOF
-${MONOTONE} --db=monotone.db genkey ${keyname}
-${MONOTONE} --db=monotone.db pubkey ${keyname} >${keyname}-public
-${MONOTONE} --db=monotone.db privkey ${keyname} >${keyname}-private
+su - ${MONOTONE_USER} -c "${MONOTONE} --confdir=${PKG_SYSCONFDIR} \
+ --db=monotone.db genkey ${keyname}"
+su - ${MONOTONE_USER} -c "${MONOTONE} --confdir=${PKG_SYSCONFDIR} \
+ --db=monotone.db pubkey ${keyname} >${keyname}-public"
+su - ${MONOTONE_USER} -c "${MONOTONE} --confdir=${PKG_SYSCONFDIR} \
+ --db=monotone.db privkey ${keyname} >${keyname}-private"
chown ${MONOTONE_USER}:${MONOTONE_GROUP} monotone.db \
${keyname}-public ${keyname}-private
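Review bot: The `privkey` line now writes `${keyname}-private` from the unprivileged account's shell with whatever umask that login shell has, and the following `chown` only fixes ownership, so the exported private key can end up readable by other local users. Prefixing the command string with `umask 077;` (or adding `chmod 600 ${keyname}-private` after the chown) pins the mode regardless of the account's defaults. Note also that the closing message in the next hunk tells the user to back up only `${PKG_SYSCONFDIR}/keys/${keyname}`, while this hunk still leaves a second cleartext copy of the private key in `${home}`; either the message should mention it or the export should be dropped now that the keypair lives in the confdir.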
@@ -90,17 +109,18 @@ cat <<EOF
Initialization process finished!
-You should now backup the following files and store them in a safe place
-in case you need to reconstruct the database from scratch:
+You should now backup the following file and store it in a safe place.
+It contains the key pair that authenticates your server:
- ${home}/${keyname}-public
- ${home}/${keyname}-private
+ ${PKG_SYSCONFDIR}/keys/${keyname}
At last, edit the following files to finish the configuration of your
new server:
${PKG_SYSCONFDIR}/branches.conf
${PKG_SYSCONFDIR}/hooks.conf
+ ${PKG_SYSCONFDIR}/read-permissions
+ ${PKG_SYSCONFDIR}/write-permissions
Once finished, use the installed rc.d script (monotone) to start the
dedicated server process.
diff --git a/devel/monotone-server/files/monotone.sh b/devel/monotone-server/files/monotone.sh
index e5cc8bf127a..e875a7015a6 100644
--- a/devel/monotone-server/files/monotone.sh
+++ b/devel/monotone-server/files/monotone.sh
@@ -1,6 +1,6 @@
#!@RCD_SCRIPTS_SHELL@
#
-# $NetBSD: monotone.sh,v 1.2 2005/12/02 17:56:25 jmmv Exp $
+# $NetBSD: monotone.sh,v 1.3 2006/02/21 16:09:16 jmmv Exp $
#
# PROVIDE: monotone
# REQUIRE: DAEMON
@@ -23,13 +23,22 @@ name="monotone"
rcvar=${name}
command="@PREFIX@/bin/monotone"
command_args="--norc \
- --rcfile=@PKG_SYSCONFDIR@/hooks.conf \
+ --confdir=@PKG_SYSCONFDIR@ \
--db=${monotone_home}/monotone.db \
+ --rcfile=@PKG_SYSCONFDIR@/hooks.conf \
serve ${monotone_branches} \
>>${monotone_home}/monotone.log 2>&1 &"
+required_dirs="@PKG_SYSCONFDIR@/keys"
required_files="@PKG_SYSCONFDIR@/branches.conf \
@PKG_SYSCONFDIR@/hooks.conf \
+ @PKG_SYSCONFDIR@/read-permissions \
+ @PKG_SYSCONFDIR@/write-permissions \
${monotone_home}/monotone.db"
+start_precmd="monotone_start_precmd"
+
+monotone_start_precmd() {
+ echo "=> Session started at `date`" >>${monotone_home}/monotone.log
+}
load_rc_config $name
run_rc_command "$1"
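Review bot: `monotone_start_precmd` appends to `${monotone_home}/monotone.log` from the rc.d context, which runs as root, so on a first start the log file is created root-owned before the daemon's own `>>${monotone_home}/monotone.log` redirection in `command_args` runs; if the daemon is started under the dedicated account (any `${name}_user` setting would be outside this hunk, so I cannot confirm it here), that redirection fails with permission denied and the server never starts. Creating the file with the right owner in the precmd avoids this, e.g. `touch ${monotone_home}/monotone.log` followed by `chown <daemon account>:<daemon group> ${monotone_home}/monotone.log` with the account the daemon runs as, before the `echo`. The new `required_dirs` check on the keys directory is a good addition, but it verifies existence only, not that the directory is still mode 700.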
diff --git a/devel/monotone-server/files/read-permissions b/devel/monotone-server/files/read-permissions
new file mode 100644
index 00000000000..d08200aa005
--- /dev/null
+++ b/devel/monotone-server/files/read-permissions
@@ -0,0 +1,7 @@
+pattern "net.example.project.{private,security}*"
+allow "joe@example.net"
+allow "jim@example.net"
+
+comment "everyone can read these branches"
+pattern "net.example.{public,project}*"
+allow "*"
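Review bot: The catch-all stanza `pattern "net.example.{public,project}*"` / `allow "*"` also matches the `net.example.project.private*` and `net.example.project.security*` branches restricted in the first stanza, so the example only behaves as intended because the restrictive stanza comes first; nothing in the file says so, and a user who appends a new restricted stanza at the end would silently open those branches to everyone (assuming monotone applies the first matching stanza, which I would confirm against the manual for the version this package targets). A comment line at the top of the file makes the ordering contract explicit, e.g. `comment "stanzas are matched in order: keep restricted patterns above the catch-all"`.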
diff --git a/devel/monotone-server/files/write-permissions b/devel/monotone-server/files/write-permissions
new file mode 100644
index 00000000000..1b138c7fc6c
--- /dev/null
+++ b/devel/monotone-server/files/write-permissions
@@ -0,0 +1,2 @@
+joe@example.net
+jim@example.net