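#!/hint/bash -euE
# Copyright (C) 2018, 2023  Luke Shumaker
# Copyright (C) 2023  Umorpha Systems
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Image module: on top of base-sshd, make a host whose accounts, groups and
# SSH keys come from Parabola's hackers.git (served to NSS/PAM/sshd by nshd),
# plus an image-baked "emergency" admin account that does not depend on any
# of that machinery.

load_module "$(dirname -- "${BASH_SOURCE[0]}")/base-sshd.sh"

packages+=(
	# Functionality
	sudo                   # the systemd units below use it to drop to the `git` user
	git
	run-parts              # runs /etc/parabola-hackers/hooks after every update
	libxcrypt-compat
	parabola-hackers-nshd  # nshd.service/nshd.socket and ssh-list-authorized-keys
	# Experience
	less
	bash-completion
	rxvt-unicode-terminfo
	lsof
)

post_install+=(20:parabola-hackers:post_install)

# parabola-hackers:post_install MOUNTPOINT
#
# Configure the image tree rooted at MOUNTPOINT.  Runs as root at build time;
# nothing here executes inside the target.  The NSS/PAM edits are written as
# "add once" so that running the module twice against the same tree does not
# stack duplicate lines.
#
# Arguments:
#   $1 - path to the mounted image root
parabola-hackers:post_install() {
	local arg_mountpoint=$1
	local line

	# Init and update hackers.git ##########################################

	# The `|` prefix turns the two conditions into triggers: the unit runs
	# when the clone is missing OR when it holds no users/*.yml.
	# NOTE(review): if .git exists but users/*.yml does not, `git clone`
	# into the existing non-empty directory will fail; recovering needs the
	# directory removed by hand first.
	#
	# NOTE(review): git:// is an unauthenticated transport, and the clone's
	# contents decide which accounts exist, which keys may log in and what
	# the root-run hooks below consume.  Confirm whether an authenticated
	# transport (https/ssh) or commit-signature verification is available
	# for hackers.git before relying on this from a hostile network position.
	install -Dm644 /dev/stdin "$arg_mountpoint/etc/systemd/system/hackers-init.service" <<-'EOF'
		[Unit]
		Description=Initialize hackers.git
		Wants=network-online.target
		After=network-online.target
		Before=nshd.service
		ConditionPathExists=|!/var/lib/hackers-git/.git
		ConditionPathExistsGlob=|!/var/lib/hackers-git/users/*.yml

		[Service]
		ExecStart=/bin/sh -c 'install --directory --owner=git --group=git /var/lib/hackers-git && sudo -u git git clone git://git.parabola.nu/hackers.git /var/lib/hackers-git'
		Type=oneshot
		RemainAfterExit=yes

		[Install]
		WantedBy=nshd.service
	EOF
	systemctl --root="$arg_mountpoint" enable hackers-init.service

	# The pull runs as `git`, but run-parts (and so every hook) runs as
	# root over a tree that `git` can write.  Anything able to change what
	# the pull fetches therefore feeds data to root-run code; hooks must
	# treat /var/lib/hackers-git as untrusted input.
	install -Dm644 /dev/stdin "$arg_mountpoint/etc/systemd/system/hackers-update.service" <<-'EOF'
		[Unit]
		Description=Update hackers.git
		Wants=hackers-init.service
		After=hackers-init.service

		[Service]
		Type=oneshot
		ExecStart=/bin/sh -c 'cd /var/lib/hackers-git && sudo -u git git pull --ff-only && cd / && run-parts --arg=/var/lib/hackers-git -- /etc/parabola-hackers/hooks'
	EOF
	install -Dm644 /dev/stdin "$arg_mountpoint/etc/systemd/system/hackers-update.timer" <<-'EOF'
		[Unit]
		Description=Daily update of hackers.git

		[Timer]
		OnCalendar=daily
		Persistent=true

		[Install]
		WantedBy=timers.target
	EOF
	systemctl --root="$arg_mountpoint" enable hackers-update.timer

	# Run NSHD to read hackers.git #########################################

	systemctl --root="$arg_mountpoint" enable nshd.socket
	# Hook: make nshd re-read the tree after each successful pull.
	install -Dm755 /dev/stdin "$arg_mountpoint/etc/parabola-hackers/hooks/10-nshd" <<-'EOF'
		#!/usr/bin/env bash
		echo '==> Reloading nshd...'
		systemctl reload nshd.service
	EOF

	# Have sshd, NSS, and PAM talk to NSHD #################################

	# sshd: keys for hackers.git users come from nshd's helper, run as the
	# unprivileged `nshd` user.  Local authorized_keys files (see the
	# emergency account below) are still consulted by sshd as usual.
	install -Dm644 /dev/stdin "$arg_mountpoint/etc/ssh/sshd_config.d/90-hackers.conf" <<-'EOF'
		AuthorizedKeysCommand /usr/lib/parabola-hackers/ssh-list-authorized-keys
		AuthorizedKeysCommandUser nshd
	EOF

	# NSS: put `ldap` right after the local source on the passwd/group/shadow
	# lines.  (The `ldap` modules are what talk to nshd here — presumably it
	# speaks the nslcd protocol; confirm against the parabola-hackers-nshd
	# package.)  The optional ` ldap` in the pattern keeps this idempotent;
	# without it a second run would produce `files ldap ldap`.
	sed -Ei '/^(passwd|group|shadow):/s/(files|compat)( ldap)?/files ldap/' "$arg_mountpoint/etc/nsswitch.conf"

	# PAM: append each line only if it is not already present.  grep's
	# stderr is silenced because a missing file is fine here — the append
	# then creates it, exactly as the unconditional append used to.
	line='password required pam_ldap.so minimum_uid=1000'
	grep -qxF -- "$line" "$arg_mountpoint/etc/pam.d/passwd" 2>/dev/null ||
		printf '%s\n' "$line" >>"$arg_mountpoint/etc/pam.d/passwd"
	line='session required pam_mkhomedir.so skel=/etc/skel umask=0077'
	grep -qxF -- "$line" "$arg_mountpoint/etc/pam.d/system-login" 2>/dev/null ||
		printf '%s\n' "$line" >>"$arg_mountpoint/etc/pam.d/system-login"

	# Other ################################################################

	# Non-standard listen port (the reason is not recorded in this file).
	install -Dm644 /dev/stdin "$arg_mountpoint/etc/ssh/sshd_config.d/90-port.conf" <<-'EOF'
		Port 1863
	EOF
	# sudoers(5) expects rule files to be mode 0440; a world-readable file
	# also let every local user see who holds passwordless root.
	install -Dm440 /dev/stdin "$arg_mountpoint/etc/sudoers.d/00-wheel" <<-'EOF'
		%wheel ALL=(ALL) ALL
	EOF

	# emergency@ ###########################################################
	# In case any of the above goes wrong: a local account whose keys and
	# sudo rights depend on neither hackers.git, nshd nor the `ldap` modules.
	# The key list is baked into the image, so rotating or revoking a key
	# means rebuilding the image — review this list when rebuilding.

	install -Dm644 /dev/stdin "$arg_mountpoint/etc/sysusers.d/emergency-hackers.conf" <<-'EOF'
		u emergency 10000:users "Emergency Administration User" /home/emergency /bin/bash
		m emergency wheel
	EOF
	# Numeric ids: the account only comes into existence when systemd-sysusers
	# processes the file above on the target, so names cannot be resolved at
	# build time.  The home directory is created explicitly because GNU
	# `install -d` applies --mode/--owner/--group to the last path component
	# only: letting it create /home/emergency implicitly left that directory
	# owned by root, and the account could not write to its own home.
	install -d -m700 --owner=10000 --group=10 "$arg_mountpoint/home/emergency"
	install -d -m700 --owner=10000 --group=10 "$arg_mountpoint/home/emergency/.ssh"
	install -m600 --owner=10000 --group=10 /dev/stdin "$arg_mountpoint/home/emergency/.ssh/authorized_keys" <<-'EOF'
		ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPTz2guGQBvmC14hlyhrfkZQK4OdoEyTpXkzEgJMnhZwoKu2fp++yaloZO6Te3SMCreAUoOB5bYCENAtmRZtb7NOy/nYA5qNoPz+behx6zec0S2zLMEpgYKmdLVoazbVlczdMWtHrozcThkI1q9eje+QB6spNeaWqxaNvhA48K0QxjcPzUxDDd/uIHDuOHZlhiSUx1NbhWV2GekHmS+Aq4ROXSfJrRK3ZdyR4FK/hJKDUHJGvd9m39ytsvVAtH749SUOz9NmCGs2Mj1ROMbyBR0tR/Ce7XexrnN+BRYw7G9klu+ag9xMfXYmfWGKBTr7HD2RR0kptURi110aW9POqz Luke Shumaker (lukeshu)
		ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp8vnIcUde+zQ3nVGkcZr7jsTNMZbMhdwDxn2igXxgng4eyWSTkwPIztIIsCn+WiH/13VsVGdT1d1PL3usnpNk0kpXJA5ZG+pSLDT9iZizzuLPIV8S+QgdW5nASu0D2a1ZiYT/MkekmVBoKdkyeaipALxARVPFOgJ9ceoestB8SaX+oVnwIdByXQ7a56Dq7TlIDxoDbMKtjaDZRAImaZAxHrvnY3ipSRFdPT2hSkNMuwC6tXOWD69KsSnQBLA6ssbrfrp5EK0T852KV0MW1FXZz+ObK4moW5GtFbeouw1ZMBzmKX7ekgrKxl2p6sxVdWKjowbcCQfIhwUCc+hJbQDX Luke Shumaker (lukeshu)
		ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1OwEmbhtgmjcH/rPTSCEXHCOHyz9YbbeMF0sGzGpx5aaQWfiRWzHDHXj8in7Ub8M1K0G+J1yzjxXyWfmg4DUgt8HQkLRkHVSZOg3LVxGY99ZJ6EsM4nCq4VO4LEff/9ZCGDk4x/MvGoDh33VIHI2c3KY7Aky2MKHIaWjojhtMIcFzrNU5ALqAVfJn6+CYJje0ZJKM7cFscnnyXP1AzC1amR9vHHWgsgmCE9olKbrVelZgYjBJL8+8jIxjQZLRhBz/KAa5tGwvgVCxR8zrBHVrEwXzzzHYEMocW4LVjlyZIcUNu/HBO1NHZSCbDoUuLmquSaH4QDJ7dscDdoTBrtvEw== Luke Shumaker (lukeshu)
		ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvfHmOPEkkj3t5iPQ+u2gepTSqVhMTbvylQirCAAQLfjjsWHXTFpWFV8voogSYaOetcV8vHB6TZJom037El4t/23kgyumfxG1Fly8hr7oQmLCIwQ8adZ1dmJpTbPyBvYS+fxtLOTyESsDNiB47W47uP2TxPl+x5yixhJunpEDfpzxhgowA3xwfdqOv2gkrLG8yGNLJHBkGdP0988v70C/Li5sZMHGexIZgsVCAbM4YfsSPKCteevCTSbL6PFgNUsx4/E/FBb31lhmyb0g5iFnbKMgwgyPBcVHZMU7aTuxMCvaIToPoCN+pLvnJoVuI5mRLmfjYygRxec12YKV7I6yIQ== Nicolás Reynolds (fauno)
		ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGF017csJzb1zpqUXqBf2/aSOVRwkweSL6JujlQuhG0SEM+tV/YSHMaZaV2eddJfEm5E46tHUxuAoFx1GI44wyY0ADCZHpE8WE5aPVxTI2dBMTpa97O6WlkqkzEQ+5nQJ4Jhdm4Rmkb13pZypzxqcv8QXtpVXe2KFPmw+aPuVZ6X5tyYg== Nicolás Reynolds (fauno)
		ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH/E0aI3Jtva+HkZJBh7cexZGsqYoLCMM2cdt3L4/YODtzwdcC7Jw1rH0Y5Vt884SkRN4tWu2poWKAVQu0Mk97BuoPA1XYfUn+XxytnNMwXwh+PG/ruLJiBHTEmzaL98LqngbOejZ2U3FicLhO8uhLGpAP1g+JrTiBdtDPIldQI2j13SYOE1P/eqSXj82v/YYFfDBlqfP5VTbz2Bg/NFeYKM16zKq/lwLzGux/zHTavkItEwicVG5plrwC5oiyJ6/IbNmUGUQ3qIpKNoyiWuWNA/c5hifFIjFH/pWCJl8JYzTB0D6uFz64v3e8bDxQe6zJp5JiwvaWZ0Gq65BsKPCl Nicolás Reynolds (fauno)
		ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC50/jQk3jtHE4sXUKSFSIVlZVjvAN0XvBAu2jN9xhWzvQulXua7C+k58YHJN/qMu/MRWN6ggRmNqG6y0gYe48p55cHVRLzxFu5b0W0cywHIyJ/odL5BAFVQp2pkgPgfkHEQtbeRPWWGCDrlYKU29ufvInetlT7OXRFOt4DLmc6bSl39idfLZ1f2Vj2TpNeVUpv34dDUDHyaBxnrzI3R4JwCTNNARJcatMbzKHkHHcZM4ALl8jJWsSnU+K7xFaB2MaHay8FmeDw6c3Rg7uSrw5SK9HE9Qid+NWuIPmUNlUjvDjBuaBxwflHtR5puIu8JnAq5rf+Wztwgie2y4hf9fPZ Nicolás Reynolds (fauno)
		ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPCc9VbjRZhaETQkkdAEQ9TQrWO/57rpRiDXECiMTMSNAp54CyIrXRmtcnC1ck4ZLDgJp2C9CiPe5zLRFwz0D7E= Nicolás Reynolds (fauno)
		ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCre8xR9xKDtXyeteK7EhhYYVluuspsTNdo7rbT8+QDs7CULupLvgCIJOzJCZpoIZwXkpaNAnAN8+koUqVC8kWJKkXffNbVoxzr+unTKZCV/oQgZmC7pk+1tQTFC//N/5QhWr7/iH4T1JGeZwoOwYkWf8jiA7w4WN+9uF2YzzknsfHwdEswR13gSy2BWvN6mVolPj7Z/i8VqIAE0sNAhUYeuVV2v2PlpJnot/YnaYsC3I21qymBav7ENy/geT9f5tuGELi2J1nFTQ2CfCaH3zKixj43DfC1h/OE4Ns/lrYiU4qv8Z9OVSeyM3vp7XAri/3vUSM3FF289bj2EClPxhRB bill auger (bill-auger)
		ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuT5ri53jXXNjf/ms6Fy603vNIRj9+UBluzQwr4Qwhw GNUtoo@cyberdimension.org
		ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuXyvHi+T65YJ8bM3RQGNsxLlHHM5IG/T53MPznXBAaUqvexLzKiXEvh52uR1Kd6jQ3khNbb3CF2QpGwH/uK+YBoKHwur9PPoEp7ZeEH7nTmWKbOKLSxRp9QgtcBANby8K9Jo3wMHbU8AFN8W7BrlT4/oAPs82jpPnfyuBmDAkW4jl0IEy5X6sdaSlGifLgo+d4rzrpyNXPQYSmEQOp3pHwaN/e7AB9NjHtoLn30d7oMUgbLNdUgdk+LptR8fvhxHeJLNRxYCwDPQgpkokNYmlEx+eCHgJaGVcEPeXqRp9xjtMa/WfWrgDtRDdTQh8Lsm+eNNLDXukR0JPj7lAMl0x andi@arch-maniac
		ssh-rsa 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 gnutoo@primarylaptop
	EOF
	# Sorts after 00-wheel, so for `emergency` this NOPASSWD rule is the
	# last match and wins over the password-requiring %wheel rule.
	install -Dm440 /dev/stdin "$arg_mountpoint/etc/sudoers.d/99-emergency" <<-'EOF'
		emergency ALL=(ALL) NOPASSWD: ALL
	EOF
}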