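# Pull in the shared helpers used by package() below (preamble, add-file,
# add-unit, postamble presumably come from here).  BUILDFILE is set by
# makepkg to the path of this PKGBUILD; the expansion is quoted so a build
# directory containing whitespace or glob characters still resolves.
. "${BUILDFILE%/*}/common.sh"
pkgver=20180910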

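#######################################
# PKGBUILD package() step: stage the holo config scripts and systemd
# units that let this host authenticate Parabola hackers straight from
# the hackers.git checkout instead of local /etc/passwd entries.
# Globals:   pkgname (read), depends (written)
# Arguments: none
# Outputs:   package files via add-file/add-unit (helpers expected from
#            the common.sh sourced at the top of this file)
# Returns:   status of the last helper call (postamble)
#######################################
package() {
preamble
# #### Parabola hackers

depends=(
	parabola-hackers-nshd
	openssh
	sudo
	config-parabola-mgmt-nshd-updater
)

# sshd is configured to force the use of keys (no password-based
# login), and to use [parabola-hackers][] `ssh-list-authorized-keys`
# in addition to checking `~/.ssh/authorized_keys`.
# `ssh-list-authorized-keys` returns the authorized keys from the
# [hackers.git][] checkout in `/var/lib/hackers-git` (the path to the
# checkout is configured in `/etc/parabola-hackers.yml`).
#
# The holoscript appends each directive after its commented-out default
# (sed `a`), then the awk filter drops repeated non-blank lines so
# re-running it does not stack duplicate directives.  The here-doc is
# unquoted, hence `\$0` and `\\` to keep those literal in the output.
#
# [parabola-hackers]: https://www.parabola.nu/packages/libre/x86_64/parabola-hackers/
# [hackers.git]: https://git.parabola.nu/hackers.git/
add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/ssh/sshd_config.holoscript <<EOF
#!/bin/sh
{
	sed -e '/^#AuthorizedKeysCommand\s/     aAuthorizedKeysCommand /usr/lib/parabola-hackers/ssh-list-authorized-keys' \\
	    -e '/^#AuthorizedKeysCommandUser\s/ aAuthorizedKeysCommandUser nshd' \\
	    -e '/^#PasswordAuthentication\s/    aPasswordAuthentication no'
} | awk '\$0==""||!x[\$0]++'
EOF

# NSS and PAM have been configured to use the ldap modules that are
# part of [nss-pam-ldapd][].
#
# [nss-pam-ldapd]: https://www.parabola.nu/packages/community/x86_64/nss-pam-ldapd/
add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/nsswitch.conf.holoscript <<EOF
#!/bin/sh
sed 's/ ldap//' | sed -r '/^(passwd|group|shadow):/s/(files|compat)/files ldap/'
EOF
# Drop any existing ldap lines first, comment out the pam_unix password
# line, then append the pam_ldap one (`\$a` = append at end of input).
add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/pam.d/passwd.holoscript <<EOF
#!/bin/sh
sed -e '/ldap/d' |
sed -e 's/^password	required	pam_unix[.]so/#&/' \\
    -e '\$apassword	required	pam_ldap.so minimum_uid=1000'
EOF

# However, instead of running the normal `nslcd` LDAP client daemon,
# the system has been configured to run the [parabola-hackers-nshd][]
# `nshd` daemon, which reads user information from the same
# `hackers.git` checkout (configured the same way).  This way we don't
# have to worry about keeping `/etc/passwd` in sync with
# `hackers.git`.
#
# [parabola-hackers-nshd]: https://www.parabola.nu/packages/libre/x86_64/parabola-hackers-nshd/
add-unit etc/systemd/system/sockets.target.wants/nshd.socket
add-unit etc/systemd/system/dbus.service.wants/nshd.service # (temporary [systemd bug workaround][])
#
# [systemd bug workaround]: https://projects.parabola.nu/packages/parabola-hackers.git/tree/nshd.service.in#n19

# To this end, PAM has also been configured to create a user's home
# directory when they log in if it doesn't already exist.
add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/pam.d/system-login.holoscript <<EOF
#!/bin/sh
sed '/pam_mkhomedir/d'
echo 'session    required   pam_mkhomedir.so     skel=/etc/skel umask=0077'
EOF

# Because `hackers.git` doesn't store any password information, `nshd`
# stores password hashes in `/etc/nshd/shadow`.

# Now, we'll configure _updating_ it separately, but we need to ensure
# that the checkout of hackers.git that nshd will be using exists when
# nshd runs.
#
# This checkout is what sshd trusts for authorized keys and what nshd
# trusts for account data, so the initial clone goes over https:// (the
# server is authenticated by TLS) rather than the unauthenticated git://
# transport, where an on-path party could substitute the repository
# contents.  The unit only fires when the checkout is missing or empty
# (the two `|` conditions are OR'd).
add-file etc/systemd/system/hackers-init.service <<EOF
[Unit]
Description=Initialize hackers.git
Wants=network-online.target
After=network-online.target
ConditionPathExists=|!/var/lib/hackers-git/.git
ConditionPathExistsGlob=|!/var/lib/hackers-git/users/*.yml

[Service]
ExecStart=/bin/sh -c 'install --directory --owner=git --group=git /var/lib/hackers-git && sudo -u git git clone https://git.parabola.nu/hackers.git /var/lib/hackers-git'
Type=oneshot
RemainAfterExit=yes
EOF
add-unit etc/systemd/system/nshd.service.wants/hackers-init.service

# Hook run by parabola-hackers after the checkout is updated, so nshd
# picks up the new user data.
add-file -m755 etc/parabola-hackers/hooks/10-nshd <<EOF
#!/usr/bin/env bash
echo '==> Reloading nshd...'
systemctl reload nshd.service
EOF

postamble
}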