authorLuke Shumaker <lukeshu@lukeshu.com>2018-08-27 14:10:46 -0400
committerLuke Shumaker <lukeshu@lukeshu.com>2018-08-27 14:10:46 -0400
commit761d91c3c2393144d5ff3173365adc7b0a485a40 (patch)
treef3c820ca67a5607565b148f2f45ab038194eaac8
parente6703fc24249cee29d1960d446369bfc43503603 (diff)
mgmt-users-base: Clean up, add comments, also check that paswords are required
-rw-r--r--config-parabola-mgmt-users-base.PKGBUILD43
1 files changed, 34 insertions, 9 deletions
diff --git a/config-parabola-mgmt-users-base.PKGBUILD b/config-parabola-mgmt-users-base.PKGBUILD
index 5059329..9237103 100644
--- a/config-parabola-mgmt-users-base.PKGBUILD
+++ b/config-parabola-mgmt-users-base.PKGBUILD
@@ -1,21 +1,46 @@
. ${BUILDFILE%/*}/common.sh
-pkgver=20180826
+pkgver=20180827
package() {
preamble
# #### users
+# `/etc/sudoers.d/00-wheel` gives sudo access to everyone in the
+# `wheel` group.
install -d etc
install -dm750 etc/sudoers.d
-add-file etc/sudoers.d/00-wheel <<EOF
-%wheel ALL=(ALL) ALL
-EOF
+add-file etc/sudoers.d/00-wheel <<-'EOF'
+ %wheel ALL=(ALL) ALL
+ EOF
-add-file etc/systemd/system/shadow.service.d/sort.conf <<EOF
-[Service]
-ExecStart=
-ExecStart=/bin/bash -c '/usr/bin/pwck -r && /usr/bin/pwck -s && /usr/bin/grpck -r && /usr/bin/grpck -s'
-EOF
+# The `shadow.service` has been extended to:
+#
+# - sort the files if they otherwise are ok. This makes dealing with
+# pacman updates and such easier
+# - check that all users require a password, if login is enabled
+#
+# This could have been done in very long one-liner in `ExecStart=`,
+# but at some point it became easier to just move it to a real script
+# file.
+add-file etc/systemd/system/shadow.service.d/extra.conf <<-'EOF'
+ [Service]
+ ExecStart=
+ ExecStart=/etc/systemd/system/shadow
+ EOF
+add-file -m755 etc/systemd/system/shadow <<-'EOF'
+ #!/bin/sh
+ r=0
+ set -x
+
+ # Always run all checks, but fail the service if any fail
+ # Extra: Sort the files if the integrity checks pass
+ /usr/bin/pwck -r && /usr/bin/pwck -s || r=1
+ /usr/bin/grpck -r && /usr/bin/grpck -s || r=1
+ # Extra: Check that all users require a password, if login is enabled
+ /usr/bin/grep '^[^:]*::' /etc/passwd /etc/shadow && r=1
+
+ exit $r
+ EOF
postamble
}
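Review bot: The empty-password check at `/usr/bin/grep '^[^:]*::' /etc/passwd /etc/shadow && r=1` fails open: grep exits 0 on a match (flagged), 1 on no match, but 2 on an error such as an unreadable or missing /etc/shadow, and the `&&` treats that exit 2 exactly like a clean pass, so the service reports success without having inspected the file. Only exit status 1 should count as success, e.g. `/usr/bin/grep '^[^:]*::' /etc/passwd /etc/shadow; [ $? -eq 1 ] || r=1`. The comment above it says the check applies "if login is enabled", but the pattern flags any empty password field regardless of the account's shell; that is the safer behaviour, so I would reword the comment to `# Extra: Fail if any account has an empty password field (would permit passwordless login)` rather than narrow the check. Separately, `00-wheel` is written via `add-file` without `-m`, and sudo expects sudoers.d fragments to be root-owned and mode 0440, so the default mode applied by `add-file` in common.sh (not visible here) is worth confirming.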