Suggested enhancement
Currently the only thing that can be done on successful knocking is opening a port in the firewall.
It could be useful to let the administrator decide to execute some additional commands from the letmeind.conf configuration file.
The script paths could be attached to the resource.
Pros
This could be used to start services after successful knocking and stop services on lease timeouts.
It can be used for anything else the administrator desires, e.g. setting up more advanced firewall rules or setting up and tearing down other things in the system.
Cons
Systemd socket activation could also start a service.
This approach is probably incompatible with running letmeinfwd under seccomp. We could fix this by letting the administrator specify additional syscall allowlists that the scripts need. Alternatively, this feature could require seccomp to be turned off for letmeinfwd. (The most security-critical part, letmeind, would still run with seccomp.)
Open questions
Can systemd socket activation also stop the service after lease timeout?
Would it be useful to let the administrator specify a specific unix-user to run the script as? (Change effective uid/gid before exec)
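To make the proposal concrete, here is an added sketch of how such a hook could be executed, written for this discussion and not taken from letmein. It covers the two events named above (successful knock and lease timeout), the optional uid/gid change before exec from the second open question, an emptied environment so nothing from the daemon leaks into the script, and a deadline so a hung script cannot block the daemon. All names (HookEvent, RunAs, run_hook, the LETMEIN_* variables) and the config-to-script mapping are assumptions; the seccomp question is not addressed here.

```rust
// Added example sketch, not letmein's own code. All identifiers are hypothetical.
use std::io;
use std::os::unix::process::CommandExt;
use std::path::Path;
use std::process::{Command, Stdio};
use std::thread;
use std::time::{Duration, Instant};

/// Why the hook is being run.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum EventKind {
    /// A knock sequence succeeded and the resource was opened.
    Open,
    /// The lease for a previously opened resource expired.
    LeaseTimeout,
}

impl EventKind {
    fn as_str(self) -> &'static str {
        match self {
            EventKind::Open => "open",
            EventKind::LeaseTimeout => "lease-timeout",
        }
    }
}

/// Data handed to the script. It travels in environment variables rather
/// than argv, so the administrator's script reads plain `$LETMEIN_PORT`
/// and nothing has to be shell-quoted on the daemon side.
#[derive(Clone, Debug)]
pub struct HookEvent {
    pub kind: EventKind,
    pub resource: String,
    pub port: u16,
    pub peer: String,
}

/// Optional unprivileged identity to switch to before exec
/// (the uid/gid change from the open questions; needs root to take effect).
#[derive(Clone, Copy, Debug)]
pub struct RunAs {
    pub uid: u32,
    pub gid: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum HookOutcome {
    /// Script exited on its own with this status code.
    Exited(i32),
    /// Script was terminated by a signal before exiting.
    Signaled,
    /// Script ran past the deadline and was killed.
    TimedOut,
}

/// Run one hook script for one event and wait for it, at most `timeout`.
pub fn run_hook(
    script: &Path,
    event: &HookEvent,
    run_as: Option<RunAs>,
    timeout: Duration,
) -> io::Result<HookOutcome> {
    let mut cmd = Command::new(script);
    // Start from an empty environment and pass only what the hook needs.
    cmd.env_clear()
        .env("PATH", "/usr/sbin:/usr/bin:/sbin:/bin")
        .env("LETMEIN_EVENT", event.kind.as_str())
        .env("LETMEIN_RESOURCE", &event.resource)
        .env("LETMEIN_PORT", event.port.to_string())
        .env("LETMEIN_PEER", &event.peer)
        .stdin(Stdio::null())
        .stdout(Stdio::null())
        .stderr(Stdio::inherit());
    if let Some(ids) = run_as {
        // std calls setgid() and then setuid() in the forked child, before exec.
        cmd.gid(ids.gid).uid(ids.uid);
    }
    let mut child = cmd.spawn()?;
    let deadline = Instant::now() + timeout;
    loop {
        if let Some(status) = child.try_wait()? {
            return Ok(match status.code() {
                Some(code) => HookOutcome::Exited(code),
                None => HookOutcome::Signaled,
            });
        }
        if Instant::now() >= deadline {
            // Deadline passed: kill the script and reap it so no zombie remains.
            child.kill()?;
            child.wait()?;
            return Ok(HookOutcome::TimedOut);
        }
        thread::sleep(Duration::from_millis(20));
    }
}

fn main() -> io::Result<()> {
    // Stand-alone use: `<binary> /path/to/hook.sh` runs a constructed "open" event.
    let script = std::env::args().nth(1).unwrap_or_else(|| "./hook.sh".into());
    let event = HookEvent {
        kind: EventKind::Open,
        resource: "ssh".into(),
        port: 22,
        peer: "192.0.2.10".into(), // constructed sample peer address
    };
    let outcome = run_hook(Path::new(&script), &event, None, Duration::from_secs(10))?;
    println!("{outcome:?}");
    Ok(())
}
```

The `run_as` field would come from the resource's configuration; when it is `None` the script inherits the daemon's identity, which is the weaker option and the reason the uid/gid question matters. The exit code of the script is returned rather than interpreted, so the caller can decide whether a failing "open" hook should roll back the firewall rule.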
Resolved questions
none