rsync-firmware

#!/bin/sh
# call rsync to mirror all firmwares from firmware.openbsd.org

# XXX broken, there is no firmware via rsync

set -eu

if [ $# != 0 ]
then
	echo usage: rsync-firmware >&2
	exit 2
fi

host="${host:=firmware.openbsd.org}"
bwlimit="${bwlimit:=3000}"
debug="${debug:=debug}"
rsyncoptions="--partial --delete --exclude .~tmp~ --exclude '.*'"
rsync="/usr/local/bin/rsync --bwlimit=$bwlimit $rsyncoptions"
tag="rsync-firmware[$$]"

logger -p daemon.info -t "$tag" "openbsd start"

# get everything that is not a snapshot, presumably a release

url="rsync://$host/firmware/firmware"
dir="/data/mirror/openbsd/firmware"
nosnap="--exclude snapshots"
eval $rsync $nosnap -av "$url" "$dir" | logger -p "daemon.$debug" -t rsync
logger -p daemon.notice -t "$tag" "openbsd release success"

# create a new directory with the old files hardlinked
# if the new directory is already there, use this partial download

url="rsync://$host/firmware/firmware/snapshots/"
dir="/data/mirror/openbsd/firmware/firmware/snapshots"
if ! [ -d "$dir.new" ]
then
	mkdir -p -- "$dir.new"
	if [ -d "$dir" ]
	then
		ln -- "$dir"/* "$dir.new"
	fi
fi
eval $rsync -av "$url" "$dir.new" | logger -p "daemon.$debug" -t rsync

# extract the signify key version from SHA256.sig

sig="$dir.new/SHA256.sig"
if ! [ -f "$sig" ]
then
	logger -p daemon.warning -s -t "$tag" "openbsd $dir.new no SHA256.sig"
	exit 1
fi
key="/etc/signify/`sed -n 's/^untrusted comment: verify with //p' $sig`"
logger -p daemon.info -t "$tag" "openbsd signify key $key"

# verify the signature of the new downloaded files

if ! ( cd "$dir.new" && signify -C -p "$key" -x SHA256.sig )
then
	logger -p daemon.warning -s -t "$tag" "openbsd $dir fail"
else
	# replace the old files with the verfied new ones
	if [ -d "$dir" ]
	then
		mv -- "$dir" "$dir.old"
	fi
	mv -- "$dir.new" "$dir"
	rm -rf -- "$dir.old"
	logger -p daemon.notice -t "$tag" "openbsd snapshot success"
fi | logger -p "daemon.$debug" -t signify

exit 0