Diffstat (limited to 'security/trillian/files')
-rw-r--r--security/trillian/files/trillian_log_server.conf141
-rw-r--r--security/trillian/files/trillian_log_server.in46
-rw-r--r--security/trillian/files/trillian_log_signer.conf147
-rw-r--r--security/trillian/files/trillian_log_signer.in46
4 files changed, 380 insertions, 0 deletions
diff --git a/security/trillian/files/trillian_log_server.conf b/security/trillian/files/trillian_log_server.conf
new file mode 100644
index 000000000000..223f0afeca24
--- /dev/null
+++ b/security/trillian/files/trillian_log_server.conf
@@ -0,0 +1,141 @@
+# NOTE: Comments are NOT allowed. Please remove ALL comments (including this
+# one) and add each command line argument desired. See
+# https://github.com/google/trillian/issues/2724 for details.
+
+# log to standard error as well as files
+#--alsologtostderr
+
+# Fraction of merkle keyspace to dequeue from, set to zero to disable. (default 0.75)
+#--cloudspanner_dequeue_bucket_fraction float
+
+# Interval betweek pinging sessions.
+#--cloudspanner_healthcheck_interval duration
+
+# Max concurrent create session requests.
+#--cloudspanner_max_burst_sessions uint
+
+# Max idle sessions.
+#--cloudspanner_max_idle_sessions uint
+
+# Max open sessions.
+#--cloudspanner_max_open_sessions uint
+
+# Min open sessions.
+#--cloudspanner_min_open_sessions uint
+
+# Number of gRPC channels to use to talk to CloudSpanner.
+#--cloudspanner_num_channels int
+
+# Number of health check workers for Spanner session pool.
+#--cloudspanner_num_healthcheckers int
+
+# How far in the past to perform readonly operations. Within limits, raising this should help to increase performance/reduce latency. (default 1m0s)
+#--cloudspanner_readonly_staleness duration
+
+# determines whether the session pool will keep track of the stacktrace of the goroutines that take sessions from the pool.
+#--cloudspanner_track_session_handles
+
+# Connection URI for CloudSpanner database
+#--cloudspanner_uri string
+
+# Fraction of write capable sessions to maintain.
+#--cloudspanner_write_sessions float
+
+# Config file containing flags, file contents can be overridden by command line flags
+#--config string
+
+# If set, write CPU profile to this file
+#--cpuprofile string
+
+# Service name to announce our HTTP endpoint under (default "trillian-logserver-http")
+#--etcd_http_service string
+
+# A comma-separated list of etcd servers; no etcd registration if empty
+#--etcd_servers string
+
+# Service name to announce ourselves under (default "trillian-logserver")
+#--etcd_service string
+
+# Timeout used during healthz checks (default 5s)
+#--healthz_timeout duration
+
+# Endpoint for HTTP metrics (host:port, empty means disabled) (default "localhost:8091")
+#--http_endpoint string
+
+# when logging hits line file:N, emit a stack trace
+#--log_backtrace_at value
+
+# If non-empty, write log files in this directory
+#--log_dir string
+
+# log to standard error instead of files
+#--logtostderr
+
+# Max number of unsequenced rows before rate limiting kicks in. Only effective for quota_system=mysql. (default 500000)
+#--max_unsequenced_rows int
+
+# If set, write memory profile to this file
+#--memprofile string
+
+# Maximum connections to the database
+#--mysql_max_conns int
+
+# Maximum idle database connections in the connection pool (default -1)
+#--mysql_max_idle_conns int
+
+# Connection URI for MySQL database (default "test:zaphod@tcp(127.0.0.1:3306)/test")
+#--mysql_uri string
+
+# Max number of concurrent workers concurrently populating subtrees (default 256)
+#--populate_subtree_concurrency int
+
+# If true no requests are blocked due to lack of tokens
+#--quota_dry_run
+
+# Max number of quota specs in the quota cache. Zero or lower means batching is disabled. Applicable for etcd quotas. (default 1000)
+#--quota_max_cache_entries int
+
+# Minimum number of tokens to request from the quota system. Zero or lower means batching is disabled. Applicable for etcd quotas. (default 100)
+#--quota_min_batch_size int
+
+# Quota system to use. One of: [noop etcd mysql] (default "mysql")
+#--quota_system string
+
+# Endpoint for RPC requests (host:port) (default "localhost:8090")
+#--rpc_endpoint string
+
+# logs at or above this threshold go to stderr
+#--stderrthreshold value
+
+# Storage system to use. One of: [mysql cloud_spanner] (default "mysql")
+#--storage_system string
+
+# Path to the TLS server certificate. If unset, the server will use unsecured connections.
+#--tls_cert_file string
+
+# Path to the TLS server key. If unset, the server will use unsecured connections.
+#--tls_key_file string
+
+# If true opencensus Stackdriver tracing will be enabled. See https://opencensus.io/.
+#--tracing
+
+# Percent of requests to be traced. Zero is a special case to use the DefaultSampler
+#--tracing_percent int
+
+# project ID to pass to stackdriver. Can be empty for GCP, consult docs for other platforms.
+#--tracing_project_id string
+
+# Minimum interval between tree garbage collection sweeps. Actual runs happen randomly between [minInterval,2*minInterval). (default 4h0m0s)
+#--tree_delete_min_run_interval duration
+
+# Minimum period a tree has to remain deleted before being hard-deleted (default 168h0m0s)
+#--tree_delete_threshold duration
+
+# If true, tree garbage collection (hard-deletion) is periodically performed (default true)
+#--tree_gc
+
+# log level for V logs
+#--v value
+
+# comma-separated list of pattern=N settings for file-filtered logging
+#--vmodule value
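Review bot: As shipped, every line of trillian_log_server.conf is a comment, yet the file's own header says the flag parser rejects comments, so the installed service presumably fails at startup until an administrator rewrites the file; the rc script's `required_files` only checks that the file exists, not that it parses. It would be worth stating this in the header, e.g. `# This file is a template: the service will not start until the comments below are replaced by the desired flags.`, or installing it under a `.sample` name if the port's pkg-plist allows. The documented defaults also deserve a caution for operators: `--mysql_uri` falls back to a test account and `--tls_cert_file`/`--tls_key_file` unset means plaintext gRPC, so both should be set explicitly for any non-local deployment. The same applies to trillian_log_signer.conf, which additionally carries the upstream typo "betweek" in the `--cloudspanner_healthcheck_interval` description.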
diff --git a/security/trillian/files/trillian_log_server.in b/security/trillian/files/trillian_log_server.in
new file mode 100644
index 000000000000..c53fdc75cdd6
--- /dev/null
+++ b/security/trillian/files/trillian_log_server.in
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# PROVIDE: trillian_log_server
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# trillian_log_server_enable (bool): Set it to YES to enable trillian_log_server.
+# Default is "NO".
+# trillian_log_server_user (user): Set user to run trillian_log_server.
+# Default is "trillian".
+# trillian_log_server_group (group): Set group to run trillian_log_server.
+# Default is "trillian".
+# trillian_log_server_config (file): Set trillian_log_server config file.
+# Default is "%%PREFIX%%/etc/trillian/trillian_log_server.conf".
+
+. /etc/rc.subr
+
+name=trillian_log_server
+rcvar=trillian_log_server_enable
+
+load_rc_config $name
+
+: ${trillian_log_server_enable:="NO"}
+: ${trillian_log_server_user:="trillian"}
+: ${trillian_log_server_group:="trillian"}
+: ${trillian_log_server_config:="%%PREFIX%%/etc/trillian/trillian_log_server.conf"}
+
+pidfile=/var/run/trillian_log_server.pid
+procname="%%PREFIX%%/bin/trillian_log_server"
+command="/usr/sbin/daemon"
+command_args="-f -t ${name} -p ${pidfile} ${procname} server -config=${trillian_log_server_config}"
+
+start_precmd=trillian_log_server_startprecmd
+required_files="$trillian_log_server_config"
+
+trillian_log_server_startprecmd()
+{
+ if [ ! -e ${pidfile} ]; then
+ install -o ${trillian_log_server_user} -g ${trillian_log_server_group} /dev/null ${pidfile};
+ fi
+}
+
+run_rc_command "$1"
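Review bot: `install -o ${trillian_log_server_user} -g ${trillian_log_server_group} /dev/null ${pidfile}` in trillian_log_server_startprecmd relies on install(1)'s default mode, which is 0755, so /var/run/trillian_log_server.pid is created executable and world-readable; pass an explicit mode, `install -o ${trillian_log_server_user} -g ${trillian_log_server_group} -m 0644 /dev/null ${pidfile}`. Because the pid file is owned by the unprivileged service user, a compromised trillian process can write an arbitrary pid into it before root later runs the stop target; rc.subr's pidfile handling compares the command name against `procname` before signalling, which narrows but does not remove that window, and an alternative that keeps the pid file root-owned is daemon(8)'s `-P` supervisor pidfile together with `-u` instead of pre-creating the file. The `${pidfile}` and `${trillian_log_server_config}` expansions are unquoted in the test and in `command_args`, so a config path from rc.conf that contains whitespace breaks both. trillian_log_signer.in has the identical precmd and quoting pattern.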
diff --git a/security/trillian/files/trillian_log_signer.conf b/security/trillian/files/trillian_log_signer.conf
new file mode 100644
index 000000000000..c5f400b336a4
--- /dev/null
+++ b/security/trillian/files/trillian_log_signer.conf
@@ -0,0 +1,147 @@
+# NOTE: Comments are NOT allowed. Please remove ALL comments (including this
+# one) and add each command line argument desired. See
+# https://github.com/google/trillian/issues/2724 for details.
+
+# log to standard error as well as files
+#--alsologtostderr
+
+# Max number of leaves to process per batch (default 1000)
+#--batch_size int
+
+# Fraction of merkle keyspace to dequeue from, set to zero to disable. (default 0.75)
+#--cloudspanner_dequeue_bucket_fraction float
+
+# Interval betweek pinging sessions.
+#--cloudspanner_healthcheck_interval duration
+
+# Max concurrent create session requests.
+#--cloudspanner_max_burst_sessions uint
+
+# Max idle sessions.
+#--cloudspanner_max_idle_sessions uint
+
+# Max open sessions.
+#--cloudspanner_max_open_sessions uint
+
+# Min open sessions.
+#--cloudspanner_min_open_sessions uint
+
+# Number of gRPC channels to use to talk to CloudSpanner.
+#--cloudspanner_num_channels int
+
+# Number of health check workers for Spanner session pool.
+#--cloudspanner_num_healthcheckers int
+
+# How far in the past to perform readonly operations. Within limits, raising this should help to increase performance/reduce latency. (default 1m0s)
+#--cloudspanner_readonly_staleness duration
+
+# determines whether the session pool will keep track of the stacktrace of the goroutines that take sessions from the pool.
+#--cloudspanner_track_session_handles
+
+# Connection URI for CloudSpanner database
+#--cloudspanner_uri string
+
+# Fraction of write capable sessions to maintain.
+#--cloudspanner_write_sessions float
+
+# Config file containing flags, file contents can be overridden by command line flags
+#--config string
+
+# If set, write CPU profile to this file
+#--cpuprofile string
+
+# Service name to announce our HTTP endpoint under (default "trillian-logsigner-http")
+#--etcd_http_service string
+
+# A comma-separated list of etcd servers; no etcd registration if empty
+#--etcd_servers string
+
+# If true, assume master for all logs
+#--force_master
+
+# Timeout used during healthz checks (default 5s)
+#--healthz_timeout duration
+
+# Endpoint for HTTP (host:port, empty means disabled) (default "localhost:8091")
+#--http_endpoint string
+
+# etcd lock file directory path (default "/test/multimaster")
+#--lock_file_path string
+
+# when logging hits line file:N, emit a stack trace
+#--log_backtrace_at value
+
+# If non-empty, write log files in this directory
+#--log_dir string
+
+# log to standard error instead of files
+#--logtostderr
+
+# Minimum interval to hold mastership for (default 1m0s)
+#--master_hold_interval duration
+
+# Maximal random addition to --master_hold_interval (default 2m0s)
+#--master_hold_jitter duration
+
+# Max number of unsequenced rows before rate limiting kicks in. Only effective for quota_system=mysql. (default 500000)
+#--max_unsequenced_rows int
+
+# If set, write memory profile to this file
+#--memprofile string
+
+# Maximum connections to the database
+#--mysql_max_conns int
+
+# Maximum idle database connections in the connection pool (default -1)
+#--mysql_max_idle_conns int
+
+# Connection URI for MySQL database (default "test:zaphod@tcp(127.0.0.1:3306)/test")
+#--mysql_uri string
+
+# Number of sequencer workers to run in parallel (default 10)
+#--num_sequencers int
+
+# Max number of concurrent workers concurrently populating subtrees (default 256)
+#--populate_subtree_concurrency int
+
+# Maximum time to wait before starting elections (default 1s)
+#--pre_election_pause duration
+
+# Increase factor for tokens replenished by sequencing-based quotas (1 means a 1:1 relationship between sequenced leaves and replenished tokens).Only effective for --quota_system=etcd. (default 1.1)
+#--quota_increase_factor float
+
+# Max number of quota specs in the quota cache. Zero or lower means batching is disabled. Applicable for etcd quotas. (default 1000)
+#--quota_max_cache_entries int
+
+# Minimum number of tokens to request from the quota system. Zero or lower means batching is disabled. Applicable for etcd quotas. (default 100)
+#--quota_min_batch_size int
+
+# Quota system to use. One of: [noop etcd mysql] (default "mysql")
+#--quota_system string
+
+# Endpoint for RPC requests (host:port) (default "localhost:8090")
+#--rpc_endpoint string
+
+# If set, the time elapsed before submitted leaves are eligible for sequencing
+#--sequencer_guard_window duration
+
+# Time between each sequencing pass through all logs (default 100ms)
+#--sequencer_interval duration
+
+# logs at or above this threshold go to stderr
+#--stderrthreshold value
+
+# Storage system to use. One of: [cloud_spanner mysql] (default "mysql")
+#--storage_system string
+
+# Path to the TLS server certificate. If unset, the server will use unsecured connections.
+#--tls_cert_file string
+
+# Path to the TLS server key. If unset, the server will use unsecured connections.
+#--tls_key_file string
+
+# log level for V logs
+#--v value
+
+# comma-separated list of pattern=N settings for file-filtered logging
+#--vmodule value
diff --git a/security/trillian/files/trillian_log_signer.in b/security/trillian/files/trillian_log_signer.in
new file mode 100644
index 000000000000..065f35e6badb
--- /dev/null
+++ b/security/trillian/files/trillian_log_signer.in
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# PROVIDE: trillian_log_signer
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# trillian_log_signer_enable (bool): Set it to YES to enable trillian_log_signer.
+# Default is "NO".
+# trillian_log_signer_user (user): Set user to run trillian_log_signer.
+# Default is "trillian".
+# trillian_log_signer_group (group): Set group to run trillian_log_signer.
+# Default is "trillian".
+# trillian_log_signer_config (file): Set trillian_log_signer config file.
+# Default is "%%PREFIX%%/etc/trillian/trillian_log_signer.conf".
+
+. /etc/rc.subr
+
+name=trillian_log_signer
+rcvar=trillian_log_signer_enable
+
+load_rc_config $name
+
+: ${trillian_log_signer_enable:="NO"}
+: ${trillian_log_signer_user:="trillian"}
+: ${trillian_log_signer_group:="trillian"}
+: ${trillian_log_signer_config:="%%PREFIX%%/etc/trillian/trillian_log_signer.conf"}
+
+pidfile=/var/run/trillian_log_signer.pid
+procname="%%PREFIX%%/bin/trillian_log_signer"
+command="/usr/sbin/daemon"
+command_args="-f -t ${name} -p ${pidfile} ${procname} signer -config=${trillian_log_signer_config}"
+
+start_precmd=trillian_log_signer_startprecmd
+required_files="$trillian_log_signer_config"
+
+trillian_log_signer_startprecmd()
+{
+ if [ ! -e ${pidfile} ]; then
+ install -o ${trillian_log_signer_user} -g ${trillian_log_signer_group} /dev/null ${pidfile};
+ fi
+}
+
+run_rc_command "$1"