[packages/anubis-webfw] Initial

arekm arekm at pld-linux.org
Wed May 6 01:19:58 CEST 2026


commit 0054f20cc7093fd3608d48a9c0ede72353e6008e
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Wed May 6 01:19:41 2026 +0200

    Initial

 anubis-webfw.init      | 112 ++++++++++++++++++++++++++++++++++++++++
 anubis-webfw.logrotate |  10 ++++
 anubis-webfw.service   |  33 ++++++++++++
 anubis-webfw.spec      | 137 +++++++++++++++++++++++++++++++++++++++++++++++++
 anubis-webfw.sysconfig |  50 ++++++++++++++++++
 5 files changed, 342 insertions(+)
---
diff --git a/anubis-webfw.spec b/anubis-webfw.spec
new file mode 100644
index 0000000..38cc1a1
--- /dev/null
+++ b/anubis-webfw.spec
@@ -0,0 +1,137 @@
+#
+# Conditional build:
+%bcond_with	tests		# run upstream tests during build
+
+Summary:	Anubis web AI firewall - proof-of-work bot blocker
+Summary(pl.UTF-8):	Anubis - zapora przeciwko botom AI z wyzwaniem proof-of-work
+Name:		anubis-webfw
+Version:	1.25.0
+Release:	1
+License:	MIT
+Group:		Networking/Daemons/HTTP
+#Source0Download: https://github.com/TecharoHQ/anubis/releases
+Source0:	https://github.com/TecharoHQ/anubis/releases/download/v%{version}/anubis-src-vendor-npm-%{version}.tar.gz
+# Source0-md5:	e0f17ebee4f7ae72c9581a87f67ddf72
+Source1:	%{name}.init
+Source2:	%{name}.sysconfig
+Source3:	%{name}.service
+Source4:	%{name}.logrotate
+URL:		https://anubis.techaro.lol/
+BuildRequires:	golang >= 1.24.2
+BuildRequires:	rpm-build >= 4.6
+BuildRequires:	rpmbuild(macros) >= 2.009
+BuildRequires:	tar >= 1:1.22
+BuildRequires:	xz
+Requires(post,preun):	/sbin/chkconfig
+Requires(post,preun,postun):	systemd-units >= 38
+Requires(postun):	/usr/sbin/groupdel
+Requires(postun):	/usr/sbin/userdel
+Requires(pre):	/bin/id
+Requires(pre):	/usr/bin/getgid
+Requires(pre):	/usr/sbin/groupadd
+Requires(pre):	/usr/sbin/useradd
+Requires:	rc-scripts
+Requires:	systemd-units >= 0.38
+Provides:	group(anubis)
+Provides:	user(anubis)
+ExclusiveArch:	%go_arches
+BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%undefine	_debugsource_packages
+
+%description
+Anubis is a Web AI Firewall Utility that weighs the soul of your
+connection using one or more challenges to protect upstream resources
+from scraper bots. By default Anubis presents a SHA-256 proof-of-work
+challenge to clients, which discourages high-volume automated traffic
+without inconveniencing real users.
+
+This package installs the anubis daemon, the robots2policy helper for
+converting robots.txt into Anubis bot policies, and the iplist2rule
+helper for turning IP blocklists into Anubis rules.
+
+%description -l pl.UTF-8
+Anubis to webowa zapora chroniąca przed botami AI: stawia każdemu
+łączącemu się klientowi jedno lub więcej wyzwań kryptograficznych
+(domyślnie proof-of-work SHA-256), aby blokować masowy ruch automatyczny
+przy minimalnej uciążliwości dla zwykłych użytkowników.
+
+Pakiet zawiera demona anubis oraz narzędzia robots2policy (konwersja
+robots.txt na polityki bota Anubis) i iplist2rule (konwersja list IP
+na reguły Anubis).
+
+%prep
+%setup -q -n anubis-src-vendor-npm-%{version}
+
+%{__mkdir_p} .go-cache target
+
+%build
+LDFLAGS="-X 'github.com/TecharoHQ/anubis.Version=v%{version}'"
+
+%__go build -v -mod=vendor -ldflags "$LDFLAGS" -o target/anubis ./cmd/anubis
+%__go build -v -mod=vendor -ldflags "$LDFLAGS" -o target/robots2policy ./cmd/robots2policy
+%__go build -v -mod=vendor -ldflags "$LDFLAGS" -o target/iplist2rule ./utils/cmd/iplist2rule
+
+%if %{with tests}
+%__go test -mod=vendor ./...
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT{%{_bindir},%{_sysconfdir}/{anubis-webfw,logrotate.d},/etc/{rc.d/init.d,sysconfig},%{systemdunitdir},%{_datadir}/anubis-webfw,/var/log}
+
+install -p target/anubis		$RPM_BUILD_ROOT%{_bindir}/anubis
+install -p target/robots2policy	$RPM_BUILD_ROOT%{_bindir}/anubis-robots2policy
+install -p target/iplist2rule		$RPM_BUILD_ROOT%{_bindir}/anubis-iplist2rule
+
+install -p %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/anubis-webfw
+cp -p %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/anubis-webfw
+cp -p %{SOURCE3} $RPM_BUILD_ROOT%{systemdunitdir}/anubis-webfw.service
+cp -p %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/anubis-webfw
+: > $RPM_BUILD_ROOT/var/log/anubis-webfw.log
+
+# Ship sample botPolicies and the bundled data tree as documentation;
+# admins can copy and reference snippets from /usr/share/anubis-webfw/data.
+cp -pr data $RPM_BUILD_ROOT%{_datadir}/anubis-webfw/data
+cp -p data/botPolicies.yaml $RPM_BUILD_ROOT%{_sysconfdir}/anubis-webfw/botPolicies.yaml
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%pre
+%groupadd -g 360 anubis
+%useradd -u 360 -d /var/lib/anubis -s /bin/false -g anubis -c "Anubis web firewall" anubis
+
+%post
+/sbin/chkconfig --add anubis-webfw
+%service anubis-webfw restart
+%systemd_post anubis-webfw.service
+
+%preun
+if [ "$1" = "0" ]; then
+	%service -q anubis-webfw stop
+	/sbin/chkconfig --del anubis-webfw
+fi
+%systemd_preun anubis-webfw.service
+
+%postun
+if [ "$1" = "0" ]; then
+	%userremove anubis
+	%groupremove anubis
+fi
+%systemd_reload
+
+%files
+%defattr(644,root,root,755)
+%doc LICENSE README.md SECURITY.md CONTRIBUTING.md
+%attr(754,root,root) /etc/rc.d/init.d/anubis-webfw
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/anubis-webfw
+%dir %{_sysconfdir}/anubis-webfw
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/anubis-webfw/botPolicies.yaml
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/logrotate.d/anubis-webfw
+%attr(755,root,root) %{_bindir}/anubis
+%attr(755,root,root) %{_bindir}/anubis-robots2policy
+%attr(755,root,root) %{_bindir}/anubis-iplist2rule
+%{systemdunitdir}/anubis-webfw.service
+%{_datadir}/anubis-webfw
+%attr(640,anubis,anubis) %ghost /var/log/anubis-webfw.log
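Review bot: `/var/log/anubis-webfw.log` is listed as `%ghost` on the last line of `%files`, so the package never puts it on disk, and `%post` does not create it either. The sysv script opens it with `>>$LOGFILE` from a shell already running under `--chuid anubis`, which presumably cannot create files in /var/log, so on a fresh sysv install the daemon would fail at the redirection before `exec`. Creating the file in `%post` ahead of the restart would close the gap: `touch /var/log/anubis-webfw.log`, `chown anubis:anubis /var/log/anubis-webfw.log`, `chmod 640 /var/log/anubis-webfw.log`. A comment beside the `%ghost` entry should say that the file is owned by the service account because only the init script writes to it, since systemd logs to the journal.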
diff --git a/anubis-webfw.init b/anubis-webfw.init
new file mode 100644
index 0000000..0098569
--- /dev/null
+++ b/anubis-webfw.init
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# anubis-webfw	Anubis web AI firewall (proof-of-work bot blocker)
+#
+# chkconfig:	345 80 20
+# description:	Anubis is a web AI firewall utility that weighs the soul of \
+#		your connection using one or more challenges to protect \
+#		upstream resources from scraper bots.
+# processname:	anubis
+# config:	/etc/sysconfig/anubis-webfw
+# pidfile:	/var/run/anubis-webfw.pid
+
+# Source function library
+. /etc/rc.d/init.d/functions
+
+# Get network config
+. /etc/sysconfig/network
+
+# Defaults; any of these (LOGFILE, OPTIONS, ...) can be overridden in
+# /etc/sysconfig/anubis-webfw which is sourced below.
+SERVICE=anubis-webfw
+LOCKFILE=/var/lock/subsys/$SERVICE
+PIDFILE=/var/run/$SERVICE.pid
+LOGFILE=/var/log/$SERVICE.log
+PROG=/usr/bin/anubis
+
+# Get service config; KEY=VALUE format, exported into the daemon's environment.
+if [ -f /etc/sysconfig/anubis-webfw ]; then
+	set -a
+	. /etc/sysconfig/anubis-webfw
+	set +a
+fi
+
+# Check that networking is up
+if is_yes "${NETWORKING}"; then
+	if [ ! -f /var/lock/subsys/network -a "$1" != stop -a "$1" != status ]; then
+		msg_network_down "Anubis"
+		exit 1
+	fi
+else
+	exit 0
+fi
+
+start() {
+	if [ -f "$LOCKFILE" ]; then
+		msg_already_running "Anubis"
+		return
+	fi
+	msg_starting "Anubis"
+	: > "$PIDFILE"
+	chown anubis:anubis "$PIDFILE"
+	chmod 644 "$PIDFILE"
+	# Use start-stop-daemon directly. PLD's daemon() routes through initlog,
+	# which re-parses the command and mangles the sh -c quoting required for
+	# the stderr redirection below.
+	/sbin/start-stop-daemon --start --quiet --background \
+		--make-pidfile --pidfile "$PIDFILE" \
+		--chuid anubis \
+		--startas /bin/sh -- \
+		-c "exec $PROG $OPTIONS >>$LOGFILE 2>&1" && ok || fail
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+}
+
+stop() {
+	if [ ! -f "$LOCKFILE" ]; then
+		msg_not_running "Anubis"
+		return
+	fi
+	msg_stopping "Anubis"
+	killproc --pidfile "$PIDFILE" anubis
+	rm -f "$LOCKFILE" "$PIDFILE" >/dev/null 2>&1
+}
+
+condrestart() {
+	if [ -f "$LOCKFILE" ]; then
+		stop
+		start
+	else
+		msg_not_running "Anubis"
+		RETVAL=$1
+	fi
+}
+
+RETVAL=0
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  restart)
+	stop
+	start
+	;;
+  try-restart)
+	condrestart 0
+	;;
+  force-reload)
+	condrestart 7
+	;;
+  status)
+	status --pidfile "$PIDFILE" anubis
+	exit $?
+	;;
+  *)
+	msg_usage "$0 {start|stop|restart|try-restart|force-reload|status}"
+	exit 3
+esac
+
+exit $RETVAL
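Review bot: In start(), the pidfile is handed to the service account with `chown anubis:anubis "$PIDFILE"`, yet stop() later runs `killproc --pidfile "$PIDFILE" anubis` as root, so the PID that root signals is read from a file the unprivileged daemon can rewrite. start-stop-daemon is already asked to write the file through `--make-pidfile`, which it presumably does before applying `--chuid`, so the chown looks unnecessary. Keeping the file root-owned (`: > "$PIDFILE"` followed by `chmod 644 "$PIDFILE"`) takes the service user out of the stop path. Separately, `RETVAL=$?` after `... && ok || fail` records the status of `ok` or `fail` rather than of start-stop-daemon, and with `--background` a failed redirection or `exec` inside `sh -c` is never reported. The lock file can therefore be created for a daemon that did not start, which deserves at least a comment at that line.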
diff --git a/anubis-webfw.logrotate b/anubis-webfw.logrotate
new file mode 100644
index 0000000..d3adcf1
--- /dev/null
+++ b/anubis-webfw.logrotate
@@ -0,0 +1,10 @@
+/var/log/anubis-webfw.log {
+	weekly
+	missingok
+	notifempty
+	compress
+	delaycompress
+	rotate 12
+	copytruncate
+	create 640 anubis anubis
+}
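Review bot: `create 640 anubis anubis` has no effect next to `copytruncate`, because logrotate truncates the live file in place instead of creating a new one. The line therefore promises an owner and mode that logrotate never applies. Either drop it or replace it with a comment such as `# copytruncate: the init script redirects stderr into this file, so the daemon cannot reopen it; create is ignored`. copytruncate can also lose lines written between the copy and the truncate, which is worth noting in the same comment if this log is kept as a record of blocked clients.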
diff --git a/anubis-webfw.service b/anubis-webfw.service
new file mode 100644
index 0000000..9db1960
--- /dev/null
+++ b/anubis-webfw.service
@@ -0,0 +1,33 @@
+[Unit]
+Description=Anubis web AI firewall (proof-of-work bot blocker)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=anubis
+Group=anubis
+EnvironmentFile=/etc/sysconfig/anubis-webfw
+ExecStart=/usr/bin/anubis $OPTIONS
+Restart=on-failure
+RestartSec=5s
+LimitNOFILE=65536
+RuntimeDirectory=anubis
+RuntimeDirectoryMode=0755
+StateDirectory=anubis
+StateDirectoryMode=0755
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+[Install]
+WantedBy=multi-user.target
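Review bot: `StateDirectoryMode=0755` and `RuntimeDirectoryMode=0755` leave /var/lib/anubis and /run/anubis readable by every local account. Nothing visible here says what Anubis stores there, but if it keeps challenge or key state, `StateDirectoryMode=0750` and `RuntimeDirectoryMode=0750` would be the safer default. The hardening block also leaves the capability set untouched; with the packaged `BIND=:8923` an empty `CapabilityBoundingSet=` should be enough. A comment above it should say that the line has to be relaxed if an admin moves BIND to a port below 1024.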
diff --git a/anubis-webfw.sysconfig b/anubis-webfw.sysconfig
new file mode 100644
index 0000000..aca51f3
--- /dev/null
+++ b/anubis-webfw.sysconfig
@@ -0,0 +1,50 @@
+# Configuration for the Anubis web AI firewall.
+#
+# This file is read both by systemd (EnvironmentFile=) and by the sysv init
+# script. Use plain KEY=VALUE syntax only - no shell expansion, quoting only
+# around values that need it. Comments start with '#'.
+#
+# Variable names map to anubis(1) command-line flags via the flagenv
+# convention (BIND -> --bind, TARGET -> --target, etc). See:
+#   https://anubis.techaro.lol/docs/admin/installation
+#   https://github.com/TecharoHQ/anubis
+
+# The upstream service to forward valid (non-bot) requests to.
+TARGET=http://localhost:3923
+
+# Address Anubis listens on for incoming HTTP traffic.
+BIND=:8923
+
+# Address that exposes Prometheus metrics.
+METRICS_BIND=:9090
+
+# Difficulty (number of leading zeroes) of the proof-of-work challenge.
+DIFFICULTY=4
+
+# Whether Anubis serves /robots.txt (1 to enable).
+SERVE_ROBOTS_TXT=0
+
+# Path to a custom bot policy file. The package ships an example at
+# /etc/anubis-webfw/botPolicies.yaml. Leave unset to use the built-in policy.
+#POLICY_FNAME=/etc/anubis-webfw/botPolicies.yaml
+
+# Hex-encoded ed25519 private key used to sign challenge cookies.
+# Generate with:  openssl rand -hex 32
+# If left empty, anubis generates a random key per process start, which
+# invalidates client cookies on every restart.
+ED25519_PRIVATE_KEY_HEX=
+
+# Cookie domain (defaults to the request host).
+#COOKIE_DOMAIN=
+
+# Pass through Open Graph metadata from the upstream (1 to enable).
+#OG_PASSTHROUGH=0
+
+# Extra command-line options passed verbatim to /usr/bin/anubis. Used by
+# the systemd unit and the sysv init script.
+OPTIONS=
+
+# Path to the log file. Used only by the sysv init script (systemd sends
+# stderr to journald). Default: /var/log/anubis-webfw.log. If you change
+# this, also adjust /etc/logrotate.d/anubis-webfw accordingly.
+#LOGFILE=/var/log/anubis-webfw.log
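Review bot: `METRICS_BIND=:9090` and `BIND=:8923` have no host part, so a default install listens on every interface, and the metrics endpoint in particular is reachable by anything that can reach the host. Shipping `METRICS_BIND=127.0.0.1:9090` (assuming the flag takes a host:port address, as the `:9090` form suggests) with a comment on how to widen it would be a safer default. The header's "no shell expansion" holds only for systemd: the sysv script sources this file with `.` under `set -a`, so a value containing `$`, backticks or unquoted spaces is interpreted by the shell there, and the header should say so. Next to `ED25519_PRIVATE_KEY_HEX`, a line such as `# Keep this file mode 640 root:root once a key is set.` would record why the spec installs it that way.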
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/anubis-webfw.git/commitdiff/0054f20cc7093fd3608d48a9c0ede72353e6008e


