From 61ee522f18f99991b58d53c8e9d8ebb29b8dc991 Mon Sep 17 00:00:00 2001 From: Chris Wells Date: Sat, 23 May 2020 21:03:12 -0400 Subject: [PATCH] Add Bastillefile support to templates. --- README.md | 25 +++++++++++++++++ usr/local/share/bastille/template.sh | 40 ++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) diff --git a/README.md b/README.md index 51dd5914..257b9f23 100644 --- a/README.md +++ b/README.md @@ -696,6 +696,31 @@ The above example will include anything under "etc" and "usr" inside the template. You do not need to list individual files. Just include the top-level directory name. +For more control over the order of operations when applying a template, +create a `Bastillefile` inside the base template directory. Each line in +the file should begin with an uppercase reference to a Bastille command +followed by its arguments (omitting the target, which is deduced from the +`template` arguments). Lines beginning with `#` are treated as comments. + +Bastillefile example: + +```shell +LIMITS memoryuse 1G + +# Install and start nginx. +PKG nginx +SYSRC nginx_enable=YES +SERVICE nginx restart + +# Copy files to nginx. +CP www/ usr/local/www/nginx-dist/ + +# Create a file on the server containing the jail's hostname. +CMD hostname > /usr/local/www/nginx-dist/hostname.txt + +# Forward TCP port 80 on the host to port 80 in the container. +RDR tcp 80 80 +``` Applying Templates ------------------ diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index 27997d29..9233e481 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh 
@@ -92,6 +92,46 @@ for _jail in ${JAILS}; do
 fi
 fi
 
+ if [ -s "${bastille_template}/Bastillefile" ]; then
+ # Ignore blank lines and comments. -- cwells
+ SCRIPT=$(grep -v '^\s*$' "${bastille_template}/Bastillefile" | grep -v '^\s*#')
+ # Use a newline as the separator. -- cwells
+ IFS='
+'
+ set -f
+ for _line in ${SCRIPT}; do
+ _cmd=$(echo "${_line}" | awk '{print tolower($1);}')
+ _args=$(echo "${_line}" | awk '{$1=""; sub(/^ */, ""); print;}')
+
+ # Apply overrides for commands/aliases and arguments. -- cwells
+ case $_cmd in
+ cmd)
+ # Allow redirection within the jail. -- cwells
+ _args="sh -c '${_args}'"
+ ;;
+ cp)
+ # Convert relative "from" path into absolute path inside the template directory. -- cwells
+ if [ "${_args%${_args#?}}" != '/' ]; then
+ _args="${bastille_template}/${_args}"
+ fi
+ ;;
+ include)
+ _cmd='template' ;;
+ pkg)
+ _args="install -y ${_args}" ;;
+ esac
+
+ if ! eval "bastille ${_cmd} ${_jail} ${_args}"; then
+ echo -e "${COLOR_RED}Failed to execute command: ${BASTILLE_COMMAND}${COLOR_RESET}"
+ set +f
+ unset IFS
+ exit 1
+ fi
+ done
+ set +f
+ unset IFS
+ fi
+
 ## LIMITS (RCTL)
 if [ -s "${bastille_template}/LIMITS" ]; then
 echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- START${COLOR_RESET}"
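Review bot: The `eval "bastille ${_cmd} ${_jail} ${_args}"` call makes the host shell re-parse every Bastillefile line, so shell syntax in a template (including a `'` in a `CMD` line, which closes the `sh -c '…'` wrapper) is interpreted on the host rather than inside the jail, and `_cmd` is passed through unchecked, so any first word becomes a bastille subcommand. If templates can come from anyone other than the host administrator, I would drop the `eval`, check the command name against the documented set, and hand `CMD` lines to the jail as a single argument, as sketched below. The sketch lists only the commands visible on this page, assumes `bastille cmd` forwards its arguments unchanged, and gives up host-side quoting inside arguments, so all three need confirming. Separately, the failure message prints `${BASTILLE_COMMAND}`, which is not assigned anywhere in this hunk; `${_cmd} ${_args}` looks like what was meant. The enclosing `for _jail` loop starts and ends outside the hunk.

```shell
        for _line in ${SCRIPT}; do
            # … unchanged: _cmd and _args extraction …

            # Reject anything that is not a known Bastillefile command.
            case $_cmd in
                cmd|cp|include|limits|pkg|rdr|service|sysrc) ;;
                *)
                    echo -e "${COLOR_RED}Unsupported Bastillefile command: ${_cmd}${COLOR_RESET}"
                    set +f
                    unset IFS
                    exit 1
                    ;;
            esac

            # … unchanged: cp / include / pkg overrides (the cmd override is dropped) …

            # ${SCRIPT} is already expanded, so IFS can return to blanks for
            # argument splitting; set -f still keeps globbing off.
            unset IFS
            if [ "${_cmd}" = 'cmd' ]; then
                # One argv element: only the jail's sh parses the redirection.
                bastille cmd "${_jail}" sh -c "${_args}"
            else
                bastille "${_cmd}" "${_jail}" ${_args}
            fi || {
                echo -e "${COLOR_RED}Failed to execute command: ${_cmd} ${_args}${COLOR_RESET}"
                set +f
                exit 1
            }
        done
        # … unchanged: set +f / unset IFS after the loop …
```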