Add the post-receive hook to the repository, for reference.

hooks/post-receive

@@ -0,0 +1,58 @@
+#!/usr/local/bin/bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+PFCTL="/sbin/pfctl"
+FIREWALL_DIR="/etc/firewall"
+TEMPFILE="$(/usr/bin/mktemp -t fw)"
+PFCONF_PATH="${FIREWALL_DIR}/pf.conf"
+PFCONF_PATH_TEMPLATE="${PFCONF_PATH}.in"
+CAT="/bin/cat"
+MV="/bin/mv"
+
+isok() {
+    if [[ $1 = 0 ]]; then
+        if [[ $# -gt 1 ]]; then
+            if [[ $2 = "-q" ]]; then
+                :
+            else
+                echo "Unexpected argument: ${2}"
+                exit 1
+            fi
+        else
+            echo "[ OK ]"
+        fi
+    else
+        rm ${TEMPFILE}
+        echo "[ FAIL ]"
+        exit $1
+    fi
+}
+
+echo -n "Checking out new firewall configuration to ${FIREWALL_DIR}... "
+GIT_WORK_TREE="${FIREWALL_DIR}" git checkout -f
+isok $?
+
+echo -n "Generating ${PFCONF_PATH}... "
+[[ -e ${PFCONF_PATH_TEMPLATE} ]]
+isok $? -q
+${CAT} "${PFCONF_PATH_TEMPLATE}" > ${TEMPFILE}
+isok $? -q
+for rulefile in /etc/firewall/rules.d/*; do
+    echo 'include "'${rulefile}'"' >> ${TEMPFILE}
+    isok $? -q
+done
+
+${MV} ${TEMPFILE} ${PFCONF_PATH}
+isok $?
+
+echo -n "Testing if new config is sane... "
+${PFCTL} -nf ${PFCONF_PATH}
+isok $?
+
+echo -n "Loading new config... "
+${PFCTL} -f ${PFCONF_PATH}
+isok $?
+