Installing Tang on OPNsense
First, install the following packages that are available in the OPNsense repo to avoid building them from source:
pkg install gmake pkgconf ninja socat
Get the ports tree:
opnsense-code ports
cd /usr/ports
I chose not to build manpages; after all, a2x is not required, and it saves time by not pulling in the whole asciidoc dependency chain, see:
- https://github.com/latchset/tang/blob/master/meson.build#L81
- https://github.com/latchset/jose/blob/master/meson.build#L66
This is the resulting patch:
diff --git a/net/jose/Makefile b/net/jose/Makefile
index 0b2b8a03ab2..87f9d5c94a2 100644
--- a/net/jose/Makefile
+++ b/net/jose/Makefile
@@ -8,7 +8,7 @@ COMMENT= Tools for JSON Object Signing and Encryption (JOSE)
LICENSE= APACHE20
LICENSE_FILE= ${WRKSRC}/COPYING
-BUILD_DEPENDS= a2x:textproc/asciidoc
+BUILD_DEPENDS=
LIB_DEPENDS= libjansson.so:devel/jansson
USES= compiler:c11 meson ninja pkgconfig ssl
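Review bot: the `+BUILD_DEPENDS=` line that replaces `-BUILD_DEPENDS= a2x:textproc/asciidoc` now assigns an empty value; deleting the line outright is cleaner and stops a reader from assuming a dependency was dropped by mistake. The Makefile hunk also changes what the package installs (the pkg-plist hunks below remove the man pages) without a PORTREVISION bump; harmless for a private build, but if this port is ever shared, the bump is the convention so pkg sees a new package version.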
diff --git a/net/jose/pkg-plist b/net/jose/pkg-plist
index 06ec7bf757e..38570a4eafe 100644
--- a/net/jose/pkg-plist
+++ b/net/jose/pkg-plist
@@ -3,23 +3,6 @@ lib/libjose.so
lib/libjose.so.0
lib/libjose.so.0.0.0
libdata/pkgconfig/jose.pc
-man/man1/jose-alg.1.gz
-man/man1/jose-b64-dec.1.gz
-man/man1/jose-b64-enc.1.gz
-man/man1/jose-fmt.1.gz
-man/man1/jose-jwe-dec.1.gz
-man/man1/jose-jwe-enc.1.gz
-man/man1/jose-jwe-fmt.1.gz
-man/man1/jose-jwk-eql.1.gz
-man/man1/jose-jwk-exc.1.gz
-man/man1/jose-jwk-gen.1.gz
-man/man1/jose-jwk-pub.1.gz
-man/man1/jose-jwk-thp.1.gz
-man/man1/jose-jwk-use.1.gz
-man/man1/jose-jws-fmt.1.gz
-man/man1/jose-jws-sig.1.gz
-man/man1/jose-jws-ver.1.gz
-man/man1/jose.1.gz
include/jose/b64.h
include/jose/cfg.h
include/jose/io.h
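Review bot: the removed man1 entries only stay out of the package if meson fails to find a2x at configure time, and BUILD_DEPENDS no longer guarantees that either way. A build host that happens to have textproc/asciidoc installed (pulled in by some other port) will generate the man pages and `make check-plist` will report them as orphans. Build on a host without a2x, or run `make check-plist` after the build to confirm the plist still matches.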
@@ -28,10 +11,3 @@ include/jose/jwe.h
include/jose/jwk.h
include/jose/jws.h
include/jose/openssl.h
-man/man3/jose_b64.3.gz
-man/man3/jose_cfg.3.gz
-man/man3/jose_io.3.gz
-man/man3/jose_io_t.3.gz
-man/man3/jose_jwe.3.gz
-man/man3/jose_jwk.3.gz
-man/man3/jose_jws.3.gz
diff --git a/security/tang/Makefile b/security/tang/Makefile
index d0fbf1e892d..f44c14d924e 100644
--- a/security/tang/Makefile
+++ b/security/tang/Makefile
@@ -13,8 +13,7 @@ LIB_DEPENDS= libhttp_parser.so:www/http-parser \
libjansson.so:devel/jansson \
libjose.so:net/jose
RUN_DEPENDS= socat:net/socat
-BUILD_DEPENDS= a2x:textproc/asciidoc \
- ${LOCALBASE}/libdata/pkgconfig/jose.pc:net/jose \
+BUILD_DEPENDS= ${LOCALBASE}/libdata/pkgconfig/jose.pc:net/jose \
socat:net/socat
USES= compiler:c11 meson pkgconfig tar:xz
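Review bot: the merged `+BUILD_DEPENDS= ${LOCALBASE}/libdata/pkgconfig/jose.pc:net/jose \` line keeps the trailing backslash and the `socat:net/socat` continuation, so the Makefile still parses. Since `make install` in security/tang pulls net/jose through exactly this dependency line, the patch has to be applied as a whole before building; applying only the tang hunks would rebuild jose with its unpatched asciidoc requirement.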
diff --git a/security/tang/pkg-plist b/security/tang/pkg-plist
index c134d734bdd..0408c1963e0 100644
--- a/security/tang/pkg-plist
+++ b/security/tang/pkg-plist
@@ -1,7 +1,4 @@
libexec/tangd
-man/man1/tangd-rotate-keys.1.gz
-man/man1/tang-show-keys.1.gz
-man/man8/tang.8.gz
libexec/tangd-keygen
libexec/tangd-rotate-keys
bin/tang-show-keys
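Review bot: the removed tangd-rotate-keys.1.gz, tang-show-keys.1.gz and tang.8.gz entries are the only on-box documentation for the key-management tools, while `libexec/tangd-rotate-keys` and `bin/tang-show-keys` still ship. The operational procedure (reading the signing-key thumbprint with tang-show-keys before enrolling Clevis clients, rotating keys with tangd-rotate-keys) keeps working, so consider noting in the page where that procedure is documented instead.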
Just paste this snippet into a file and apply it with git; --stat only previews which files the patch touches, the second command actually applies it:
git apply --stat file.patch
git apply file.patch
Then you can cd into security/tang and install tang:
cd security/tang
make install
After installing tangd, some packages and the ports tree can be removed, as they’re no longer needed:
pkg autoremove
pkg remove gmake pkgconf ninja
rm -rf /usr/ports
The default configuration uses localhost and a non-standard port (8888); edit /usr/local/etc/rc.d/tangd to suit your needs. I used the same port expected in a Linux installation, as per:
sudo semanage port -l | grep tangd
tangd_port_t tcp 7406
and the IP address of the OPNsense LAN interface:
: ${tangd_ip="192.168.2.1"}
: ${tangd_port="7406"}
The service needs to be enabled and started after these changes have been made:
service tangd enable
service tangd start
service tangd status
tangd is running as pid 80293.
From the OPNsense device and any other system that will be using this Tang server, you should be able to get the advertisement:
curl -s http://192.168.2.1:7406/adv | jq
{
"payload": "eyJrZX...fVz9",
"protected": "eyJh...biS1",
"signature": "ALu7...30JR"
}
You can now proceed to enroll NBDE Clevis clients.
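Before enrolling clients it is worth understanding what the advertisement above actually proves. The following is an added example, not code from the post or from the Tang project: it builds a document of the same shape tangd serves under /adv (a flattened JWS whose payload is a JWK set with an ES512 signing key marked key_ops "verify" and an ECMR exchange key marked "deriveKey", signed with ES512 over the usual JWS signing input), then verifies the signature against the signing keys embedded in the payload and computes their RFC 7638 SHA-256 thumbprints, the value tang-show-keys prints and Clevis pins with "thp". The key pairs are generated locally as constructed input; the header and key_ops values are my reading of the Tang wire format and should be treated as assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
)

const coordLen = 66              // bytes in a P-521 coordinate or scalar (521 bits, rounded up)
var b64 = base64.RawURLEncoding // JOSE base64url without padding

// jwk holds the JSON Web Key members a Tang advertisement carries (assumed shape, see lead-in).
type jwk struct {
	Kty    string   `json:"kty"`
	Crv    string   `json:"crv"`
	X      string   `json:"x"`
	Y      string   `json:"y"`
	Alg    string   `json:"alg,omitempty"`
	KeyOps []string `json:"key_ops,omitempty"`
}

// GenKey creates a P-521 key; tangd uses that curve for both key types.
func GenKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P521(), rand.Reader) }

func pubToJWK(pub *ecdsa.PublicKey, alg string, ops ...string) jwk {
	x, y := pub.X.FillBytes(make([]byte, coordLen)), pub.Y.FillBytes(make([]byte, coordLen))
	return jwk{Kty: "EC", Crv: "P-521", X: b64.EncodeToString(x), Y: b64.EncodeToString(y), Alg: alg, KeyOps: ops}
}

// Thumbprint implements RFC 7638 for an EC key: SHA-256 over the canonical JSON of crv, kty, x, y
// (sorted keys, no whitespace, which is what json.Marshal of a map emits). tang-show-keys prints this.
func Thumbprint(k jwk) string {
	canon, _ := json.Marshal(map[string]string{"crv": k.Crv, "kty": k.Kty, "x": k.X, "y": k.Y})
	sum := sha256.Sum256(canon)
	return b64.EncodeToString(sum[:])
}

// BuildAdvertisement signs a JWK set holding a signing key (ES512/verify) and an exchange key
// (ECMR/deriveKey) as a flattened JWS, the shape of document tangd serves under /adv.
func BuildAdvertisement(sig, exc *ecdsa.PrivateKey) (string, error) {
	payload, _ := json.Marshal(map[string][]jwk{"keys": { // marshalling these structs cannot fail
		pubToJWK(&sig.PublicKey, "ES512", "verify"),
		pubToJWK(&exc.PublicKey, "ECMR", "deriveKey")}})
	protected := b64.EncodeToString([]byte(`{"alg":"ES512","cty":"jwk-set+json"}`))
	encPayload := b64.EncodeToString(payload)
	digest := sha512.Sum512([]byte(protected + "." + encPayload)) // JWS signing input
	r, s, err := ecdsa.Sign(rand.Reader, sig, digest[:])
	if err != nil {
		return "", err
	}
	// ES512 signatures are R||S, each left-padded to 66 bytes (RFC 7518 section 3.4).
	raw := append(r.FillBytes(make([]byte, coordLen)), s.FillBytes(make([]byte, coordLen))...)
	out, err := json.Marshal(map[string]string{"payload": encPayload, "protected": protected,
		"signature": b64.EncodeToString(raw)})
	return string(out), err
}

// VerifyAdvertisement checks the ES512 signature against the signing keys carried in the
// advertisement itself and returns the thumbprints of those that validate it. That only proves
// self-consistency: the caller must still match a thumbprint obtained out of band (tang-show-keys).
func VerifyAdvertisement(adv string) ([]string, error) {
	var msg map[string]string
	var hdr struct{ Alg string `json:"alg"` }
	var set struct{ Keys []jwk `json:"keys"` }
	if err := json.Unmarshal([]byte(adv), &msg); err != nil {
		return nil, err
	}
	protected, e1 := b64.DecodeString(msg["protected"])
	payload, e2 := b64.DecodeString(msg["payload"])
	sigBytes, e3 := b64.DecodeString(msg["signature"])
	if e1 != nil || e2 != nil || e3 != nil || len(sigBytes) != 2*coordLen ||
		json.Unmarshal(protected, &hdr) != nil || hdr.Alg != "ES512" || json.Unmarshal(payload, &set) != nil {
		return nil, errors.New("malformed advertisement or unexpected alg")
	}
	r, s := new(big.Int).SetBytes(sigBytes[:coordLen]), new(big.Int).SetBytes(sigBytes[coordLen:])
	// Hash the encoded fields exactly as received; re-encoding could hide tampering.
	digest := sha512.Sum512([]byte(msg["protected"] + "." + msg["payload"]))
	var thps []string
	for _, k := range set.Keys {
		x, ex := b64.DecodeString(k.X)
		y, ey := b64.DecodeString(k.Y)
		if ex != nil || ey != nil || k.Kty != "EC" || k.Crv != "P-521" || k.Alg != "ES512" {
			continue // exchange keys (ECMR) and anything unexpected are not signing keys
		}
		pub := &ecdsa.PublicKey{Curve: elliptic.P521(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		if ecdsa.Verify(pub, digest[:], r, s) { // also false for points that are off the curve
			thps = append(thps, Thumbprint(k))
		}
	}
	if len(thps) == 0 {
		return nil, errors.New("no embedded signing key validates the signature")
	}
	return thps, nil
}
```

The point the code makes explicit: the advertisement is signed by a key that travels inside the advertisement, so a valid signature only tells a client that the document was not corrupted in transit. Because tangd is now bound to the LAN address, any host on 192.168.2.0/24 can fetch it; what ties a Clevis client to this particular OPNsense box is the thumbprint, read on the server with tang-show-keys and passed to clevis as "thp" at enrollment time, which is exactly the value VerifyAdvertisement returns for a genuine advertisement.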