-rw-r--r--ChangeLog5
-rwxr-xr-xaccounts1
-rwxr-xr-xbin-security/boundary-bin/BUILD1
-rwxr-xr-xbin-security/boundary-bin/DEPENDS3
-rwxr-xr-xbin-security/boundary-bin/DETAILS38
-rwxr-xr-xbin-security/boundary-bin/FINAL4
-rw-r--r--bin-security/boundary-bin/HISTORY3
-rwxr-xr-xbin-security/boundary-bin/INSTALL17
-rwxr-xr-xbin-security/boundary-bin/PRE_BUILD4
-rw-r--r--bin-security/boundary-bin/files/controller.hcl8
-rw-r--r--bin-security/boundary-bin/files/worker.hcl5
-rwxr-xr-xbin-security/boundary-bin/init.d/boundary-controller29
-rwxr-xr-xbin-security/boundary-bin/init.d/boundary-worker29
-rw-r--r--bin-security/boundary-bin/init.d/boundary.conf5
-rwxr-xr-xgroups1
15 files changed, 153 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index e07d492..6a24745 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2021-07-03 Vlad Glagolev <stealth@sourcemage.org>
+ * bin-security/boundary-bin: new spell, network resources access
+ controller
+ * accounts, groups: added account data for boundary-bin spell
+
2021-07-02 Vlad Glagolev <stealth@sourcemage.org>
* bin-utils/packer-bin: new spell, tool for building machine images
* bin-utils/envconsul-bin: new spell, start subprocess with envvar
diff --git a/accounts b/accounts
index 63f1bbd..e9c98d0 100755
--- a/accounts
+++ b/accounts
@@ -8,3 +8,4 @@ tomcat7:40:35
consul:217:217
consul-template:218:218
vault:219:219
+boundary:220:220
diff --git a/bin-security/boundary-bin/BUILD b/bin-security/boundary-bin/BUILD
new file mode 100755
index 0000000..5d7a564
--- /dev/null
+++ b/bin-security/boundary-bin/BUILD
@@ -0,0 +1 @@
+create_account boundary
diff --git a/bin-security/boundary-bin/DEPENDS b/bin-security/boundary-bin/DEPENDS
new file mode 100755
index 0000000..ec62c6d
--- /dev/null
+++ b/bin-security/boundary-bin/DEPENDS
@@ -0,0 +1,3 @@
+depends unzip &&
+# for syslog logging
+depends util-linux
diff --git a/bin-security/boundary-bin/DETAILS b/bin-security/boundary-bin/DETAILS
new file mode 100755
index 0000000..f172344
--- /dev/null
+++ b/bin-security/boundary-bin/DETAILS
@@ -0,0 +1,38 @@
+ SPELL=boundary-bin
+ SPELLX=${SPELL/-bin/}
+ VERSION=0.4.0
+if [[ "${SMGL_COMPAT_ARCHS[1]}" == "x86_64" || "${SMGL_COMPAT_ARCHS[1]}" == "em64t" ]]; then
+ ARCH=amd64
+ SOURCE_HASH=sha256:3a7242a9d9e577af7ec023b53713599e2b9d24d68a0b06b12ddd7d297fe909c2:UPSTREAM_HASH
+else
+ ARCH=386
+ SOURCE_HASH=sha256:a41e343b44dfe8e991ca2250dd5c8b2d04f5652ebfe812d149751c3fe9e532eb:UPSTREAM_HASH
+fi
+ SOURCE=${SPELLX}_${VERSION}_linux_${ARCH}.zip
+ SOURCE_URL[0]=https://releases.hashicorp.com/${SPELLX}/${VERSION}/${SOURCE}
+SOURCE_DIRECTORY="${BUILD_DIRECTORY}/${SPELL}-${VERSION}"
+ GATHER_DOCS=off
+ WEB_SITE=https://www.boundaryproject.io/
+ ENTERED=20210703
+ LICENSE[0]=MPL
+ SHORT="network resources access controller"
+cat << EOF
+Boundary provides simple and secure access to hosts and services.
+
+Traditional approaches like SSH bastion hosts or VPNs require distributing and
+managing credentials, configuring network controls like firewalls, and
+exposing the private network. Boundary provides a secure way to access hosts
+and critical systems without having to manage credentials or expose your
+network, and is entirely open source.
+
+Boundary is designed to be straightforward to understand, highly scalable, and
+resilient. It can run in clouds, on-prem, secure enclaves and more, and does
+not require an agent to be installed on every end host.
+
+Unlike firewalls, Boundary performs per-access authentication and
+authorization checks, allowing for much higher level mappings of users to
+services or hosts than at network layers. Although complementary to secrets
+managers (like HashiCorp's own Vault), Boundary fills a different niche,
+allowing the credential that is eventually used to be hidden entirely from the
+user.
+EOF
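Review bot: The `else` branch of the architecture check selects `ARCH=386` for every value of `SMGL_COMPAT_ARCHS[1]` that is not x86_64/em64t, so on a non-x86 host the spell would download a 32-bit x86 binary that cannot run there instead of failing early. I would make the 32-bit x86 case an explicit `elif` and have a final `else` branch report an unsupported architecture and fail, rather than defaulting. Both `SOURCE_HASH` values carry the `:UPSTREAM_HASH` suffix, which as I read the convention marks them as copied from upstream's checksum list rather than independently verified; a short comment naming where they were taken from would help the next person bumping `VERSION` to re-verify them the same way.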
diff --git a/bin-security/boundary-bin/FINAL b/bin-security/boundary-bin/FINAL
new file mode 100755
index 0000000..1571059
--- /dev/null
+++ b/bin-security/boundary-bin/FINAL
@@ -0,0 +1,4 @@
+# binaries require /lib64
+if [ ! -d "${INSTALL_ROOT}/lib64" ]; then
+ ln -vsf "${TRACK_ROOT}/lib" "${INSTALL_ROOT}/lib64"
+fi
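Review bot: The `lib64` symlink is created in FINAL, which as far as I know runs outside install tracking, so it is not attributed to this spell and will survive a dispel; the comment should say so and say why the link is needed rather than just `# binaries require /lib64`. Something like `# NOTE: created outside install tracking, not removed on dispel; needed because the downloaded binary expects its dynamic loader under /lib64 — confirm this is only the amd64 build` would make the intent explicit. The `-d` guard also lets a stale dangling `lib64` symlink through, which `ln -sf` then replaces; that is probably the desired behaviour but is worth a word in the comment.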
diff --git a/bin-security/boundary-bin/HISTORY b/bin-security/boundary-bin/HISTORY
new file mode 100644
index 0000000..95c9c11
--- /dev/null
+++ b/bin-security/boundary-bin/HISTORY
@@ -0,0 +1,3 @@
+2021-07-03 Vlad Glagolev <stealth@sourcemage.org>
+ * DETAILS, DEPENDS, {PRE_,}BUILD, INSTALL, init.d, files: created
+ spell, version 0.4.0
diff --git a/bin-security/boundary-bin/INSTALL b/bin-security/boundary-bin/INSTALL
new file mode 100755
index 0000000..76d4deb
--- /dev/null
+++ b/bin-security/boundary-bin/INSTALL
@@ -0,0 +1,17 @@
+# /usr/bin is handled by smgl-fhs
+install -vm 755 boundary "${INSTALL_ROOT}/usr/bin" &&
+
+local config_dir="${INSTALL_ROOT}/etc/${SPELLX}" &&
+
+if [ ! -d "${config_dir}" ]; then
+ install -vm 750 -o root -g boundary -d "${config_dir}"
+fi &&
+
+install_config_file "${SPELL_DIRECTORY}/files/controller.hcl" \
+ "${config_dir}/controller.hcl" &&
+
+install_config_file "${SPELL_DIRECTORY}/files/worker.hcl" \
+ "${config_dir}/worker.hcl" &&
+
+chown root:boundary "${config_dir}/"*.hcl &&
+chmod 0640 "${config_dir}/"*.hcl
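Review bot: The directory mode 0750 is only applied when `${config_dir}` is being created (the guarded `install -d`), while ownership and mode of the two `.hcl` files are enforced unconditionally on the last two lines, so a pre-existing directory keeps whatever mode it had. The file contents stay protected by 0640, but the asymmetry is surprising next to a file that carries a database URL with credentials; either add `chmod 0750 "${config_dir}" &&` beside the `chown`, or add a comment stating that an existing directory's mode is deliberately left to the administrator. The `local` on `config_dir` relies on INSTALL being sourced inside a function, which I believe is how sorcery runs it, but that is worth confirming since `local` at top level is an error in bash.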
diff --git a/bin-security/boundary-bin/PRE_BUILD b/bin-security/boundary-bin/PRE_BUILD
new file mode 100755
index 0000000..5416781
--- /dev/null
+++ b/bin-security/boundary-bin/PRE_BUILD
@@ -0,0 +1,4 @@
+mk_source_dir "${SOURCE_DIRECTORY}" &&
+cd "${SOURCE_DIRECTORY}" &&
+
+unpack_file ''
diff --git a/bin-security/boundary-bin/files/controller.hcl b/bin-security/boundary-bin/files/controller.hcl
new file mode 100644
index 0000000..f8435c7
--- /dev/null
+++ b/bin-security/boundary-bin/files/controller.hcl
@@ -0,0 +1,8 @@
+controller {
+ name = "example-controller"
+ description = "An example controller"
+ database {
+ url = "postgresql://<username>:<password>@10.0.0.1:5432/<database_name>"
+ max_open_connections = 2
+ }
+}
diff --git a/bin-security/boundary-bin/files/worker.hcl b/bin-security/boundary-bin/files/worker.hcl
new file mode 100644
index 0000000..4447d4a
--- /dev/null
+++ b/bin-security/boundary-bin/files/worker.hcl
@@ -0,0 +1,5 @@
+worker {
+ name = "example-worker"
+ description = "An example worker"
+ public_addr = "5.1.23.198"
+}
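Review bot: `public_addr` is set to a concrete routable address (`5.1.23.198`) in the shipped example, whereas controller.hcl uses `<placeholder>` tokens for values the administrator must fill in; a worker started without editing this file would advertise an address that is not the host's to the controller. Use the same placeholder style, e.g. `public_addr = "<public_addr>"`, or at least an RFC 5737 documentation address, so the value clearly reads as something to replace.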
diff --git a/bin-security/boundary-bin/init.d/boundary-controller b/bin-security/boundary-bin/init.d/boundary-controller
new file mode 100755
index 0000000..1c37267
--- /dev/null
+++ b/bin-security/boundary-bin/init.d/boundary-controller
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+. /etc/sysconfig/boundary
+
+PROGRAM=/usr/bin/boundary
+ARGS="server -config=/etc/boundary/controller.hcl $BOUNDARY_CONTROLLER_ARGS"
+RUNLEVEL=3
+NEEDS="+network"
+
+start() {
+ echo "Starting $NAME..."
+
+ TIMEOUT=3
+
+ su boundary -s /bin/sh -c "set -o pipefail; $PROGRAM $ARGS 2>&1 | logger -ip daemon.info -t boundary-controller" &
+ ppid=$!
+
+ sleep $TIMEOUT && pgrep -P $ppid > /dev/null || wait $ppid
+
+ evaluate_retval
+}
+
+stop() {
+ echo "Stopping $NAME..."
+
+ killproc "boundary server -config=/etc/boundary/controller.hcl" SIGINT
+}
+
+. /etc/init.d/smgl_init
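Review bot: `start()` runs the daemon through `su boundary -s /bin/sh -c "set -o pipefail; ..."`, but `pipefail` is not available in every /bin/sh (dash, for one), so on a system where /bin/sh is not bash the `set` fails and the service never starts; since the script itself is `#!/bin/bash`, `su boundary -s /bin/bash -c "set -o pipefail; $PROGRAM $ARGS 2>&1 | logger -ip daemon.info -t boundary-controller" &` keeps the same semantics regardless of what /bin/sh resolves to. The worker script has the identical line and the same fix applies there. `$ARGS` (and through it `$BOUNDARY_CONTROLLER_ARGS` from /etc/sysconfig/boundary) is expanded once here and then re-parsed by the inner shell, so the file effectively accepts shell syntax, not just arguments; a comment on the `ARGS=` line saying so would keep an administrator from being surprised by quoting behaviour. `ppid` is also left global in both scripts where `local ppid` would do.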
diff --git a/bin-security/boundary-bin/init.d/boundary-worker b/bin-security/boundary-bin/init.d/boundary-worker
new file mode 100755
index 0000000..e4d3225
--- /dev/null
+++ b/bin-security/boundary-bin/init.d/boundary-worker
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+. /etc/sysconfig/boundary
+
+PROGRAM=/usr/bin/boundary
+ARGS="server -config=/etc/boundary/worker.hcl $BOUNDARY_WORKER_ARGS"
+RUNLEVEL=3
+NEEDS="+network"
+
+start() {
+ echo "Starting $NAME..."
+
+ TIMEOUT=3
+
+ su boundary -s /bin/sh -c "set -o pipefail; $PROGRAM $ARGS 2>&1 | logger -ip daemon.info -t boundary-worker" &
+ ppid=$!
+
+ sleep $TIMEOUT && pgrep -P $ppid > /dev/null || wait $ppid
+
+ evaluate_retval
+}
+
+stop() {
+ echo "Stopping $NAME..."
+
+ killproc "boundary server -config=/etc/boundary/worker.hcl" SIGINT
+}
+
+. /etc/init.d/smgl_init
diff --git a/bin-security/boundary-bin/init.d/boundary.conf b/bin-security/boundary-bin/init.d/boundary.conf
new file mode 100644
index 0000000..4d58d5c
--- /dev/null
+++ b/bin-security/boundary-bin/init.d/boundary.conf
@@ -0,0 +1,5 @@
+# For the arguments and description see ``boundary server --help''
+
+BOUNDARY_CONTROLLER_ARGS=""
+
+BOUNDARY_WORKER_ARGS=""
diff --git a/groups b/groups
index 6874ef3..7417606 100755
--- a/groups
+++ b/groups
@@ -5,3 +5,4 @@ ontopia:36:
consul:217:
consul-template:218:
vault:219:
+boundary:220: