security/openbao: New port: open source, community-driven fork of Vault

OpenBao exists to provide a software solution to manage, store, and
distribute sensitive data including secrets, certificates, and keys.
The OpenBao community intends to provide this software under an
OSI-approved open-source license, led by a community run under open
governance principles.

https://openbao.org
https://github.com/openbao/openbao

PR:	280619

GIDs

@@ -422,7 +422,7 @@ prometheus:*:478:
 alertmanager:*:479:
 datadog:*:480:
 promxy:*:481:
-# free: 482
+openbao:*:482:
 # free: 483
 # free: 484
 # free: 485

UIDs

@@ -427,7 +427,7 @@ prometheus:*:478:478::0:0:Prometheus Daemon:/var/tmp/prometheus:/usr/sbin/nologi
 alertmanager:*:479:479::0:0:Alertmanager Daemon:/var/tmp/alertmanager:/usr/sbin/nologin
 datadog:*:480:480::0:0:DataDog Agent:/var/db/datadog:/usr/sbin/nologin
 promxy:*:481:481::0:0:Promxy Daemon:/nonexistent:/usr/sbin/nologin
-# free: 482
+openbao:*:482:482:daemon:0:0:OpenBao Daemon:/nonexistent:/usr/sbin/nologin
 # free: 483
 # free: 484
 # free: 485

security/Makefile

@@ -427,6 +427,7 @@
     SUBDIR += olm
     SUBDIR += onionscan
     SUBDIR += op
+    SUBDIR += openbao
     SUBDIR += openbsm
     SUBDIR += openca-ocspd
     SUBDIR += openconnect

security/openbao/Makefile

@@ -0,0 +1,43 @@
+PORTNAME=	openbao
+DISTVERSIONPREFIX=	v
+DISTVERSION=	2.0.1
+CATEGORIES=	security
+MASTER_SITES+=	https://raw.githubusercontent.com/${PORTNAME}/${PORTNAME}/${DISTVERSIONFULL}/
+DISTFILES=	go.mod \
+		api/go.mod \
+		api/auth/approle/go.mod \
+		api/auth/kubernetes/go.mod \
+		api/auth/userpass/go.mod \
+		sdk/go.mod
+
+MAINTAINER=	jake@metalrip.com
+COMMENT=	Tool for securely accessing secrets
+WWW=		https://openbao.org/
+
+LICENSE=	MPL20
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+USES=		go:1.22,modules
+USE_GITHUB=	yes
+USE_RC_SUBR=	${PORTNAME}
+
+GO_MODULE=	github.com/${PORTNAME}/${PORTNAME}
+GO_TARGET=	:${BIN_NAME}
+GO_BUILDFLAGS=	-ldflags="-s \
+		-X ${GO_MODULE}/version.GitCommit=${GITID} \
+		-X ${GO_MODULE}/version.BuildDate=${SOURCE_DATE_EPOCH} \
+		-X ${GO_MODULE}/version.fullVersion=${DISTVERSION}"
+
+SUB_FILES=	pkg-message
+SUB_LIST=	USER=${USERS} GROUP=${GROUPS}
+USERS=		${PORTNAME}
+GROUPS=		${PORTNAME}
+
+PLIST_FILES=	bin/${BIN_NAME}
+
+BIN_NAME=		bao
+GITID=			700fe3f27ab1f0ec39ce20c36f6d9d97c9fe6ac3
+SOURCE_DATE_EPOCH=	${TIMEEPOCHNOW:gmtime}
+TIMEEPOCHNOW=		%Y-%m-%dT%H:%M:%SZ
+
+.include <bsd.port.mk>

security/openbao/distinfo

@@ -0,0 +1,15 @@
+TIMESTAMP = 1726704320
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/go.mod) = 07afdd23371122e726777b23ce81437992633589629dcaadc173109f58ba5e98
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/go.mod) = 18131
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/go.mod) = aae819cfafff9f54e6e58983b0277797a4744df72f7db2e3d81ffac32ce960b6
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/go.mod) = 1525
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/approle/go.mod) = 37d743ea994960230616092168903b7e806607fbda94757b28d646be105bee4c
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/approle/go.mod) = 182
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/kubernetes/go.mod) = cf1312fefbf43849805eb13b283556f500f246635c4f39f459908d854dacf41a
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/kubernetes/go.mod) = 185
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/userpass/go.mod) = 41994758ed7b2ba521e641b3ea77a46371e748ce675fffd39ed1b87eb64342ec
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/userpass/go.mod) = 183
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/sdk/go.mod) = df45cdcb8dd0c366f9b49ed401f2a9087a28f8d25fdef627d0998dfca0449eda
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/sdk/go.mod) = 4653
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/openbao-openbao-v2.0.1_GH0.tar.gz) = 820f9dcc1a42982dbdb87fefceb714e2a9600f5aeeeafcf1ea2509c774d1a42f
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/openbao-openbao-v2.0.1_GH0.tar.gz) = 15762632

security/openbao/files/openbao.in

@@ -0,0 +1,89 @@
+#!/bin/sh
+
+# PROVIDE: openbao
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# openbao_enable (bool):		Set it to YES to enable openbao.
+#					Default is "NO".
+# openbao_user (user):			Set user to run openbao.
+#					Default is "%%USER%%".
+# openbao_group (group):		Set group to run openbao.
+#					Default is "%%GROUP%%".
+# openbao_config (file):		Set openbao config file.
+#					Default is "%%PREFIX%%/etc/openbao.hcl".
+# openbao_syslog_output_enable (bool):	Set to enable syslog output.
+#					Default is "NO". See daemon(8).
+# openbao_syslog_output_priority (str):	Set syslog priority if syslog enabled.
+#					Default is "info". See daemon(8).
+# openbao_syslog_output_facility (str):	Set syslog facility if syslog enabled.
+#					Default is "daemon". See daemon(8).
+# openbao_limits_mlock (size):		Allowed memorylocked value in size.
+#					Default is 1024M.
+
+. /etc/rc.subr
+
+name=openbao
+rcvar=openbao_enable
+
+load_rc_config $name
+
+: ${openbao_enable:="NO"}
+: ${openbao_user:="%%USER%%"}
+: ${openbao_group:="%%GROUP%%"}
+: ${openbao_config:="%%PREFIX%%/etc/openbao.hcl"}
+: ${openbao_limits_mlock:="1024M"}
+: ${openbao_limits:="-l ${openbao_limits_mlock}"}
+
+DAEMON=$(/usr/sbin/daemon 2>&1 | grep -q syslog ; echo $?)
+if [ ${DAEMON} -eq 0 ]; then
+	: ${openbao_syslog_output_enable:="NO"}
+	: ${openbao_syslog_output_priority:="info"}
+	: ${openbao_syslog_output_facility:="daemon"}
+	if checkyesno openbao_syslog_output_enable; then
+		openbao_syslog_output_flags="-T ${name}"
+
+		if [ -n "${openbao_syslog_output_priority}" ]; then
+			openbao_syslog_output_flags="${openbao_syslog_output_flags} -s ${openbao_syslog_output_priority}"
+		fi
+
+		if [ -n "${openbao_syslog_output_facility}" ]; then
+			openbao_syslog_output_flags="${openbao_syslog_output_flags} -l ${openbao_syslog_output_facility}"
+		fi
+	fi
+else
+	openbao_syslog_output_enable="NO"
+	openbao_syslog_output_flags=""
+fi
+
+pidfile=/var/run/openbao.pid
+procname="%%PREFIX%%/bin/bao"
+command="/usr/sbin/daemon"
+command_args="-f -t ${name} ${openbao_syslog_output_flags} -p ${pidfile} /usr/bin/env ${openbao_env} ${procname} server -config=${openbao_config}"
+
+extra_commands="reload monitor"
+monitor_cmd=openbao_monitor
+start_precmd=openbao_startprecmd
+required_files="$openbao_config"
+
+openbao_monitor()
+{
+	sig_reload=USR1
+	run_rc_command "reload"
+}
+
+openbao_startprecmd()
+{
+	if [ ! -e ${pidfile} ]; then
+		install -o ${openbao_user} -g ${openbao_group} /dev/null ${pidfile};
+	fi
+
+	if [ ! -d ${openbao_dir} ]; then
+		install -d -o ${openbao_user} -g ${openbao_group} ${openbao_dir}
+	fi
+}
+
+run_rc_command "$1"

security/openbao/files/pkg-message.in

@@ -0,0 +1,25 @@
+[
+{ type: install
+  message: <<EOM
+The %%USER%% user created by the bao package is now a member of the daemon
+class, which will allow it to use mlock() when started by the rc script. This
+will not be reflected in systems where the user already exists. Please add the
+bao user to the daemon class manually by running:
+
+pw usermod -L daemon -n %%USER%%
+
+or delete the user and reinstall the package.
+
+You may also need to increase memorylocked for the daemon class in
+/etc/rc.conf to more than 1024M (the default) or more:
+
+openbao_limits_mlock="2048M"
+
+Or to disable mlock, add:
+
+disable_mlock = 1
+
+to %%PREFIX%%/etc/openbao.hcl
+EOM
+}
+]

security/openbao/pkg-descr

@@ -0,0 +1,4 @@
+OpenBao is a tool for securely accessing secrets. A secret is anything that you
+want to tightly control access to, such as API keys, passwords, certificates,
+and more. OpenBao provides a unified interface to any secret, while providing
+tight access control and recording a detailed audit log.