132 lines
8.2 KiB
Bash
132 lines
8.2 KiB
Bash
#!/hint/bash -euE
|
|
# Copyright (C) 2018, 2023 Luke Shumaker
|
|
# Copyright (C) 2023 Umorpha Systems
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
load_module "$(dirname -- "${BASH_SOURCE[0]}")/base-sshd.sh"
|
|
|
|
packages+=(
|
|
# Functionality
|
|
sudo
|
|
git
|
|
run-parts
|
|
libxcrypt-compat
|
|
parabola-hackers-nshd
|
|
|
|
# Experience
|
|
less
|
|
bash-completion
|
|
rxvt-unicode-terminfo
|
|
lsof
|
|
)
|
|
|
|
post_install+=(20:parabola-hackers:post_install)
|
|
parabola-hackers:post_install() {
|
|
local arg_mountpoint=$1
|
|
|
|
# Init and update hackers.git ##########################################
|
|
|
|
install -Dm644 /dev/stdin "$arg_mountpoint/etc/systemd/system/hackers-init.service" <<-'EOF'
|
|
[Unit]
|
|
Description=Initialize hackers.git
|
|
Wants=network-online.target
|
|
After=network-online.target
|
|
Before=nshd.service
|
|
ConditionPathExists=|!/var/lib/hackers-git/.git
|
|
ConditionPathExistsGlob=|!/var/lib/hackers-git/users/*.yml
|
|
|
|
[Service]
|
|
ExecStart=/bin/sh -c 'install --directory --owner=git --group=git /var/lib/hackers-git && sudo -u git git clone git://git.parabola.nu/hackers.git /var/lib/hackers-git'
|
|
Type=oneshot
|
|
RemainAfterExit=yes
|
|
|
|
[Install]
|
|
WantedBy=nshd.service
|
|
EOF
|
|
systemctl --root="$arg_mountpoint" enable hackers-init.service
|
|
|
|
install -Dm644 /dev/stdin "$arg_mountpoint/etc/systemd/system/hackers-update.service" <<-'EOF'
|
|
[Unit]
|
|
Description=Update hackers.git
|
|
Wants=hackers-init.service
|
|
After=hackers-init.service
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/bin/sh -c 'cd /var/lib/hackers-git && sudo -u git git pull --ff-only && cd / && run-parts --arg=/var/lib/hackers-git -- /etc/parabola-hackers/hooks'
|
|
EOF
|
|
install -Dm644 /dev/stdin "$arg_mountpoint/etc/systemd/system/hackers-update.timer" <<-'EOF'
|
|
[Unit]
|
|
Description=Daily update of hackers.git
|
|
|
|
[Timer]
|
|
OnCalendar=daily
|
|
Persistent=true
|
|
|
|
[Install]
|
|
WantedBy=timers.target
|
|
EOF
|
|
systemctl --root="$arg_mountpoint" enable hackers-update.timer
|
|
|
|
# Run NSHD to read hackers.git #########################################
|
|
|
|
systemctl --root="$arg_mountpoint" enable nshd.socket
|
|
|
|
install -Dm755 /dev/stdin "$arg_mountpoint/etc/parabola-hackers/hooks/10-nshd" <<-'EOF'
|
|
#!/usr/bin/env bash
|
|
echo '==> Reloading nshd...'
|
|
systemctl reload nshd.service
|
|
EOF
|
|
|
|
# Have sshd, NSS, and PAM talk to NSHD #################################
|
|
|
|
# sshd
|
|
install -Dm644 /dev/stdin "$arg_mountpoint/etc/ssh/sshd_config.d/90-hackers.conf" <<-'EOF'
|
|
AuthorizedKeysCommand /usr/lib/parabola-hackers/ssh-list-authorized-keys
|
|
AuthorizedKeysCommandUser nshd
|
|
EOF
|
|
|
|
# NSS
|
|
sed -Ei '/^(passwd|group|shadow):/s/(files|compat)/files ldap/' "$arg_mountpoint/etc/nsswitch.conf"
|
|
|
|
# PAM
|
|
echo 'password required pam_ldap.so minimum_uid=1000' >>"$arg_mountpoint/etc/pam.d/passwd"
|
|
echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0077' >>"$arg_mountpoint/etc/pam.d/system-login"
|
|
|
|
# Other ################################################################
|
|
|
|
install -Dm644 /dev/stdin "$arg_mountpoint/etc/ssh/sshd_config.d/90-port.conf" <<-'EOF'
|
|
Port 1863
|
|
EOF
|
|
|
|
install -Dm644 /dev/stdin "$arg_mountpoint/etc/sudoers.d/00-wheel" <<-'EOF'
|
|
%wheel ALL=(ALL) ALL
|
|
EOF
|
|
|
|
# emergency@ ###########################################################
|
|
# In case any of the above goes wrong
|
|
|
|
install -Dm644 /dev/stdin "$arg_mountpoint/etc/sysusers.d/emergency-hackers.conf" <<-'EOF'
|
|
u emergency 10000:users "Emergency Administration User" /home/emergency /bin/bash
|
|
m emergency wheel
|
|
EOF
|
|
install -d -m700 --owner=10000 --group=10 "$arg_mountpoint/home/emergency/.ssh"
|
|
install -m600 --owner=10000 --group=10 /dev/stdin "$arg_mountpoint/home/emergency/.ssh/authorized_keys" <<-'EOF'
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPTz2guGQBvmC14hlyhrfkZQK4OdoEyTpXkzEgJMnhZwoKu2fp++yaloZO6Te3SMCreAUoOB5bYCENAtmRZtb7NOy/nYA5qNoPz+behx6zec0S2zLMEpgYKmdLVoazbVlczdMWtHrozcThkI1q9eje+QB6spNeaWqxaNvhA48K0QxjcPzUxDDd/uIHDuOHZlhiSUx1NbhWV2GekHmS+Aq4ROXSfJrRK3ZdyR4FK/hJKDUHJGvd9m39ytsvVAtH749SUOz9NmCGs2Mj1ROMbyBR0tR/Ce7XexrnN+BRYw7G9klu+ag9xMfXYmfWGKBTr7HD2RR0kptURi110aW9POqz Luke Shumaker (lukeshu) <lukeshu@lukeshu-gluglugt60>
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp8vnIcUde+zQ3nVGkcZr7jsTNMZbMhdwDxn2igXxgng4eyWSTkwPIztIIsCn+WiH/13VsVGdT1d1PL3usnpNk0kpXJA5ZG+pSLDT9iZizzuLPIV8S+QgdW5nASu0D2a1ZiYT/MkekmVBoKdkyeaipALxARVPFOgJ9ceoestB8SaX+oVnwIdByXQ7a56Dq7TlIDxoDbMKtjaDZRAImaZAxHrvnY3ipSRFdPT2hSkNMuwC6tXOWD69KsSnQBLA6ssbrfrp5EK0T852KV0MW1FXZz+ObK4moW5GtFbeouw1ZMBzmKX7ekgrKxl2p6sxVdWKjowbcCQfIhwUCc+hJbQDX Luke Shumaker (lukeshu) <lukeshu@parabola.nu>
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1OwEmbhtgmjcH/rPTSCEXHCOHyz9YbbeMF0sGzGpx5aaQWfiRWzHDHXj8in7Ub8M1K0G+J1yzjxXyWfmg4DUgt8HQkLRkHVSZOg3LVxGY99ZJ6EsM4nCq4VO4LEff/9ZCGDk4x/MvGoDh33VIHI2c3KY7Aky2MKHIaWjojhtMIcFzrNU5ALqAVfJn6+CYJje0ZJKM7cFscnnyXP1AzC1amR9vHHWgsgmCE9olKbrVelZgYjBJL8+8jIxjQZLRhBz/KAa5tGwvgVCxR8zrBHVrEwXzzzHYEMocW4LVjlyZIcUNu/HBO1NHZSCbDoUuLmquSaH4QDJ7dscDdoTBrtvEw== Luke Shumaker (lukeshu) <lukeshu@sbcglobal.net>
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvfHmOPEkkj3t5iPQ+u2gepTSqVhMTbvylQirCAAQLfjjsWHXTFpWFV8voogSYaOetcV8vHB6TZJom037El4t/23kgyumfxG1Fly8hr7oQmLCIwQ8adZ1dmJpTbPyBvYS+fxtLOTyESsDNiB47W47uP2TxPl+x5yixhJunpEDfpzxhgowA3xwfdqOv2gkrLG8yGNLJHBkGdP0988v70C/Li5sZMHGexIZgsVCAbM4YfsSPKCteevCTSbL6PFgNUsx4/E/FBb31lhmyb0g5iFnbKMgwgyPBcVHZMU7aTuxMCvaIToPoCN+pLvnJoVuI5mRLmfjYygRxec12YKV7I6yIQ== Nicolás Reynolds (fauno) <fauno+0@parabola.nu>
|
|
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGF017csJzb1zpqUXqBf2/aSOVRwkweSL6JujlQuhG0SEM+tV/YSHMaZaV2eddJfEm5E46tHUxuAoFx1GI44wyY0ADCZHpE8WE5aPVxTI2dBMTpa97O6WlkqkzEQ+5nQJ4Jhdm4Rmkb13pZypzxqcv8QXtpVXe2KFPmw+aPuVZ6X5tyYg== Nicolás Reynolds (fauno) <fauno+1@parabola.nu>
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH/E0aI3Jtva+HkZJBh7cexZGsqYoLCMM2cdt3L4/YODtzwdcC7Jw1rH0Y5Vt884SkRN4tWu2poWKAVQu0Mk97BuoPA1XYfUn+XxytnNMwXwh+PG/ruLJiBHTEmzaL98LqngbOejZ2U3FicLhO8uhLGpAP1g+JrTiBdtDPIldQI2j13SYOE1P/eqSXj82v/YYFfDBlqfP5VTbz2Bg/NFeYKM16zKq/lwLzGux/zHTavkItEwicVG5plrwC5oiyJ6/IbNmUGUQ3qIpKNoyiWuWNA/c5hifFIjFH/pWCJl8JYzTB0D6uFz64v3e8bDxQe6zJp5JiwvaWZ0Gq65BsKPCl Nicolás Reynolds (fauno) <fauno+2@parabola.nu>
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC50/jQk3jtHE4sXUKSFSIVlZVjvAN0XvBAu2jN9xhWzvQulXua7C+k58YHJN/qMu/MRWN6ggRmNqG6y0gYe48p55cHVRLzxFu5b0W0cywHIyJ/odL5BAFVQp2pkgPgfkHEQtbeRPWWGCDrlYKU29ufvInetlT7OXRFOt4DLmc6bSl39idfLZ1f2Vj2TpNeVUpv34dDUDHyaBxnrzI3R4JwCTNNARJcatMbzKHkHHcZM4ALl8jJWsSnU+K7xFaB2MaHay8FmeDw6c3Rg7uSrw5SK9HE9Qid+NWuIPmUNlUjvDjBuaBxwflHtR5puIu8JnAq5rf+Wztwgie2y4hf9fPZ Nicolás Reynolds (fauno) <fauno@parabolagnulinux.org>
|
|
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPCc9VbjRZhaETQkkdAEQ9TQrWO/57rpRiDXECiMTMSNAp54CyIrXRmtcnC1ck4ZLDgJp2C9CiPe5zLRFwz0D7E= Nicolás Reynolds (fauno) <fauno@yap.local>
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCre8xR9xKDtXyeteK7EhhYYVluuspsTNdo7rbT8+QDs7CULupLvgCIJOzJCZpoIZwXkpaNAnAN8+koUqVC8kWJKkXffNbVoxzr+unTKZCV/oQgZmC7pk+1tQTFC//N/5QhWr7/iH4T1JGeZwoOwYkWf8jiA7w4WN+9uF2YzzknsfHwdEswR13gSy2BWvN6mVolPj7Z/i8VqIAE0sNAhUYeuVV2v2PlpJnot/YnaYsC3I21qymBav7ENy/geT9f5tuGELi2J1nFTQ2CfCaH3zKixj43DfC1h/OE4Ns/lrYiU4qv8Z9OVSeyM3vp7XAri/3vUSM3FF289bj2EClPxhRB bill auger (bill-auger) <bill-auger@peers.community>
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuT5ri53jXXNjf/ms6Fy603vNIRj9+UBluzQwr4Qwhw GNUtoo@cyberdimension.org
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuXyvHi+T65YJ8bM3RQGNsxLlHHM5IG/T53MPznXBAaUqvexLzKiXEvh52uR1Kd6jQ3khNbb3CF2QpGwH/uK+YBoKHwur9PPoEp7ZeEH7nTmWKbOKLSxRp9QgtcBANby8K9Jo3wMHbU8AFN8W7BrlT4/oAPs82jpPnfyuBmDAkW4jl0IEy5X6sdaSlGifLgo+d4rzrpyNXPQYSmEQOp3pHwaN/e7AB9NjHtoLn30d7oMUgbLNdUgdk+LptR8fvhxHeJLNRxYCwDPQgpkokNYmlEx+eCHgJaGVcEPeXqRp9xjtMa/WfWrgDtRDdTQh8Lsm+eNNLDXukR0JPj7lAMl0x andi@arch-maniac
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXUsD8aOZGFBS+KxUB23z4xkW2OLtSjEz5uYu+lk8JU9bDZgcYB0mCk9qfM0cKUvzlOuqefVH8OSQ3OSjgnARvyaq/SEOagQuIPczuT0fpweBX2xEMvgfZWAUhQtE9MLVOgz9OGqkTrCeUH7Dk593kTmXtbgW7uV1L/W3rEbkxdB4m3tyrikctrHTr3Vv68kkACt0A/K6//gXrGbbX0yy0lirB94JS0HatD+Zz1nErXJkFwoBLCJwpUFHBsqXVAVDHswbpl7/d8fXFR2iXf+Hkdky3O3dJnqtoA98Iw6XeHOPxczq4v9ZWCp/w6n5yWQgrfv/Me6Ou4a/Fn3pKhUkjdnwEMah940xzHp+pE+SD5tmIzvkslvYBrMOoiEu7Awv7W0D7WHVUK4g4cRlhfqY1XO0vz434BdkTiVx4qpA4EXqwYZYYVbD6uzDemYnTj7xMF4E/tPUwRhFiOw11m3u3RxkVHP0H/dL+2cA08RGRFoOxCmhysadIlZKKewJBgpk= gnutoo@primarylaptop
|
|
EOF
|
|
install -m644 /dev/stdin "$arg_mountpoint/etc/sudoers.d/99-emergency" <<-'EOF'
|
|
emergency ALL=(ALL) NOPASSWD: ALL
|
|
EOF
|
|
}
|