commit 1f5b8d63d6ed9f6ceb028be8c9775f4f3d8c4192
parent a58934336e70a53249c696953aa272b314f622c6
Author: Jan Pobrislo <ccx@webprojekty.cz>
Date: Wed, 27 Jul 2022 01:01:27 +0200
SSH deployment key warning; use config.aat
Diffstat:
7 files changed, 103 insertions(+), 88 deletions(-)
diff --git a/Makefile b/Makefile
@@ -1,6 +1,7 @@
.PHONY: all clean
ALL_TARGETS:= s6-rc.fileset postinstall.fileset postinstall.rsfilter static/etc/fstab
+DATA_AWK:=/current/bzr/aat/data.awk
all: $(ALL_TARGETS)
clean:
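Review bot: `DATA_AWK:=/current/bzr/aat/data.awk` hard-codes an absolute path outside the repository, so the `%.qawk` recipe in the next hunk (`cat $(DATA_AWK) >"$@.new"`) fails on any checkout where that path does not exist, and every generated `.qawk` now embeds an unversioned file whose contents the build cannot reproduce. Make it overridable and fail with a clear message when it is absent: `DATA_AWK?=/current/bzr/aat/data.awk` followed by `ifeq ($(wildcard $(DATA_AWK)),)` / `$(error DATA_AWK not found: $(DATA_AWK))` / `endif`. The `cat` line in the second hunk should also quote the path, `cat "$(DATA_AWK)" >"$@.new"`, and a comment naming what data.awk provides to the query programs would help the next reader.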
@@ -13,7 +14,8 @@ build/%.awk: %.aat
mv "$@.new" "$@"
%.qawk: %.awk
- query.awk "$<" >"$@.new"
+ cat $(DATA_AWK) >"$@.new"
+ query.awk "$<" >>"$@.new"
mv "$@.new" "$@"
%.rsfilter: %.fileset
@@ -37,5 +39,5 @@ build/config: build/config.awk
mv "$@.new" "$@"
postinstall.fileset: build/config build/postinstall.qawk
- awk -f build/postinstall.qawk build/config >"$@.new"
+ awk -v DEBUG=1 -f build/postinstall.qawk build/config >"$@.new"
mv "$@.new" "$@"
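Review bot: `awk -v DEBUG=1` is now unconditional in the `postinstall.fileset` recipe, which reads like debugging left in; if the DEBUG path of build/postinstall.qawk writes to stdout, its output lands in `postinstall.fileset`, and the flag is presumably not mirrored in the rule that builds `s6-rc.fileset` (outside this hunk). Make it opt-in from the command line instead: `AWKFLAGS ?=` near the top of the file and `awk $(AWKFLAGS) -f build/postinstall.qawk build/config >"$@.new"`, so `make AWKFLAGS='-v DEBUG=1'` gives the current behaviour without baking it into every build.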
diff --git a/config.aat b/config.aat
@@ -0,0 +1,5 @@
+|BEGIN{
+root_shell=/bin/zsh
+tty_max=12
+getty_max=8
+|}
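Review bot: The new config file defines `root_shell`, `tty_max` and `getty_max` without saying what consumes them or what shape the values must have, and this file is now the single place an operator edits to change those. Assuming `|#` lines pass through as awk comments the way the existing `|#/setfont...` lines in s6-rc.aat do, a header such as `|# root_shell: root's login shell, written into /etc/passwd by postinstall.aat` and `|# tty_max / getty_max: number of kbd_mode and getty services generated by s6-rc.aat (integers)` placed before `|BEGIN{` would document the contract.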
diff --git a/postinstall b/postinstall
@@ -76,6 +76,7 @@ setup_static_symlinks() {
symlink_static_file /etc/mkinitfs/mkinitfs.conf || return $?
symlink_static_file /etc/ssh/sshd_config || return $?
symlink_static_file /etc/update-extlinux.conf || return $?
+ symlink_static_file /etc/zsh/zshrc.d/90_warn_deploy_ssh_key.zsh || return $?
# Not static, generated in ./install
if [[ ! -L /etc/motd && -f /etc/motd ]]; then
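Review bot: The added `symlink_static_file /etc/zsh/zshrc.d/90_warn_deploy_ssh_key.zsh` is the only entry under `/etc/zsh/zshrc.d`, a directory that may not exist on a fresh host; if `symlink_static_file` (defined outside this hunk) does not create parent directories, the call fails and `setup_static_symlinks` returns early, skipping every symlink that follows. Either confirm the helper creates parents or add `mkdir -p /etc/zsh/zshrc.d || return $?` before the new line. `setup_static_symlinks` starts and ends outside this hunk.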
diff --git a/postinstall.aat b/postinstall.aat
@@ -83,7 +83,7 @@ CN # Managed by /usr/src/core-system
LINUX vmlinuz-virt
INITRD initramfs-virt
APPEND root=/dev/mapper/vg-spark_root init=/previous/init/bin/init modules=sd-mod,usb-storage,ext4,xfs,lvm rootflags=noatime
-|split("libutil.c32 libcom32.c32 mboot.c32 menu.c32 vesamenu.c32", extlinux_modules)
+|split("libutil.c32 libcom32.c32 mboot.c32 menu.c32 vesamenu.c32", extlinux_modules, " ")
|for(n in extlinux_modules) {
| mod = extlinux_modules[n]
/boot/{{mod}} +
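Review bot: The new third argument `" "` to `split()` deserves a why-comment, because in awk a single-space separator selects default whitespace splitting and so the call only differs from the two-argument form when `FS` has been changed elsewhere in the generated program (presumably the case here, since the commit makes the change). Suggest `|# explicit " " separator: FS in the generated program is not whitespace` on the line above the split.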
@@ -96,8 +96,8 @@ CN # Managed by /usr/src/core-system
|line_append_file("sshd:x", ":22:", "", "^[^:]*:[^:]*")
/etc/passwd f +
-?i grep -q '^root:.*:/bin/zsh$'
-!f sed -Ee 's|^(root:.*:)[^:]*$|\1/bin/zsh|'
+?i grep -q '^root:.*:{<root_shell>}$'
+!f sed -Ee 's|^(root:.*:)[^:]*$|\1{<root_shell>}|'
|passwd_user("sshd:x:22:22:server privilege separation,,,:/home/sshd:/sbin/nologin")
|shadow_user("sshd:!:10000::::::")
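Review bot: `{<root_shell>}` is substituted verbatim into a grep regex (`'^root:.*:{<root_shell>}$'`) and into a sed replacement (`s|^(root:.*:)[^:]*$|\1{<root_shell>}|`), so a value containing `|`, `&`, `\` or regex metacharacters breaks or corrupts the /etc/passwd rewrite instead of being treated literally. Either escape the value at the point of expansion or record the constraint next to the definition in config.aat, e.g. `|# root_shell is expanded unescaped into a grep pattern and a sed replacement: no |, &, \ or regex metacharacters`. Nothing here checks that the configured shell exists on the host before root's entry is rewritten; a guard equivalent to `test -x {<root_shell>}` ahead of the sed step would avoid leaving root with an unusable login shell.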
diff --git a/s6-rc.aat b/s6-rc.aat
@@ -1,4 +1,4 @@
-|BEGIN{
+|END{
/ d m755
/ok-all d m755
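Review bot: Changing the enclosing block from `|BEGIN{` to `|END{` moves the whole generated body from before any input is read to after all of it, and nothing in the file explains the switch. Presumably this is so the `<getty_max>`/`<tty_max>` lookups introduced in the next hunk see the config data loaded by the awk main loop; if that is the reason, a comment above the line, `|# END rather than BEGIN: the <key> lookups below need the config data read by the main loop`, would keep the next editor from "fixing" it back.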
@@ -74,29 +74,48 @@ m755
/loadkeys/type cN oneshot m644
/loadkeys/up cN loadkeys --unicode /root/keymap m644
-|### TTY configuration ###
-|tty_max=12
-|getty_max=8
+|### per-TTY services ###
/gettys d m755
/gettys/type cN bundle m644
/gettys/contents
CN tty1
-|for(tty=2; tty<=getty_max; tty++) {
+|for(tty=2; tty<=(<getty_max>+0); tty++) {
tty{{tty}}
|}
m644
+|for(tty=1; tty<=(<getty_max>+0); tty++) {
+/tty{{tty}} d m755
+/tty{{tty}}/type cN longrun m644
+/tty{{tty}}/dependencies cN ok-sysinit m644
+/tty{{tty}}/run
+CN #!/command/execlineb -P
+ getpid SERVICE_PID
+ foreground {
+ importas -i SERVICE_PID SERVICE_PID
+ if { test -d /run/cgroup2 }
+ if { mkdir -p /run/cgroup2/s6-rc/tty{{tty}} }
+ redirfd -w 1 /run/cgroup2/s6-rc/tty{{tty}}/cgroup.procs
+ printf "%s" ${SERVICE_PID}
+ }
+ unexport SERVICE_PID
+ foreground { /command/issue-gen }
+
+ env LOGIN_TTY=/dev/tty{{tty}} /sbin/getty 38400 tty{{tty}} linux
+m755
+|}
+
/kbd_mode d m755
/kbd_mode/type cN bundle m644
/kbd_mode/contents
CN kbd_mode-tty1
-|for(tty=2; tty<=tty_max; tty++) {
+|for(tty=2; tty<=(<tty_max>+0); tty++) {
kbd_mode-tty{{tty}}
|}
m644
-|for(tty=1; tty<=tty_max; tty++) {
+|for(tty=1; tty<=(<tty_max>+0); tty++) {
/kbd_mode-tty{{tty}} d m755
/kbd_mode-tty{{tty}}/type cN oneshot m644
/kbd_mode-tty{{tty}}/up cN kbd_mode -u -C /dev/tty{{tty}} m644
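Review bot: `(<getty_max>+0)` and `(<tty_max>+0)` coerce the looked-up value to a number, so if the key is missing from the config (or misspelled) the expansion presumably becomes empty, the loop bound becomes 0, and the build silently emits no getty services and no kbd_mode services instead of failing. Consider guarding once before the first loop with something like `|if ((<getty_max>+0) < 1 || (<tty_max>+0) < 1) { print "getty_max/tty_max unset or not numeric" > "/dev/stderr"; exit 1 }`. The same applies to the two kbd_mode loops at the end of this hunk.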
@@ -123,27 +142,6 @@ m644
|#/setfont-tty4/up cN redirfd -r 0 /dev/tty4 setfont ter-v14n m644
|#/setfont/type cN bundle m644
-|for(tty=1; tty<=getty_max; tty++) {
-/tty{{tty}} d m755
-/tty{{tty}}/type cN longrun m644
-/tty{{tty}}/dependencies cN ok-sysinit m644
-/tty{{tty}}/run
-CN #!/command/execlineb -P
- getpid SERVICE_PID
- foreground {
- importas -i SERVICE_PID SERVICE_PID
- if { test -d /run/cgroup2 }
- if { mkdir -p /run/cgroup2/s6-rc/tty{{tty}} }
- redirfd -w 1 /run/cgroup2/s6-rc/tty{{tty}}/cgroup.procs
- printf "%s" ${SERVICE_PID}
- }
- unexport SERVICE_PID
- foreground { /command/issue-gen }
-
- env LOGIN_TTY=/dev/tty{{tty}} /sbin/getty 38400 tty{{tty}} linux
-m755
-|}
-
/modules d m755
/modules/dependencies cN dmesg m644
/modules/type cN oneshot m644
diff --git a/s6-rc.fileset b/s6-rc.fileset
@@ -198,61 +198,6 @@ CN tty1
tty8
m644
-/kbd_mode d m755
-/kbd_mode/type cN bundle m644
-/kbd_mode/contents
-CN kbd_mode-tty1
- kbd_mode-tty2
- kbd_mode-tty3
- kbd_mode-tty4
- kbd_mode-tty5
- kbd_mode-tty6
- kbd_mode-tty7
- kbd_mode-tty8
- kbd_mode-tty9
- kbd_mode-tty10
- kbd_mode-tty11
- kbd_mode-tty12
-m644
-
-/kbd_mode-tty1 d m755
-/kbd_mode-tty1/type cN oneshot m644
-/kbd_mode-tty1/up cN kbd_mode -u -C /dev/tty1 m644
-/kbd_mode-tty2 d m755
-/kbd_mode-tty2/type cN oneshot m644
-/kbd_mode-tty2/up cN kbd_mode -u -C /dev/tty2 m644
-/kbd_mode-tty3 d m755
-/kbd_mode-tty3/type cN oneshot m644
-/kbd_mode-tty3/up cN kbd_mode -u -C /dev/tty3 m644
-/kbd_mode-tty4 d m755
-/kbd_mode-tty4/type cN oneshot m644
-/kbd_mode-tty4/up cN kbd_mode -u -C /dev/tty4 m644
-/kbd_mode-tty5 d m755
-/kbd_mode-tty5/type cN oneshot m644
-/kbd_mode-tty5/up cN kbd_mode -u -C /dev/tty5 m644
-/kbd_mode-tty6 d m755
-/kbd_mode-tty6/type cN oneshot m644
-/kbd_mode-tty6/up cN kbd_mode -u -C /dev/tty6 m644
-/kbd_mode-tty7 d m755
-/kbd_mode-tty7/type cN oneshot m644
-/kbd_mode-tty7/up cN kbd_mode -u -C /dev/tty7 m644
-/kbd_mode-tty8 d m755
-/kbd_mode-tty8/type cN oneshot m644
-/kbd_mode-tty8/up cN kbd_mode -u -C /dev/tty8 m644
-/kbd_mode-tty9 d m755
-/kbd_mode-tty9/type cN oneshot m644
-/kbd_mode-tty9/up cN kbd_mode -u -C /dev/tty9 m644
-/kbd_mode-tty10 d m755
-/kbd_mode-tty10/type cN oneshot m644
-/kbd_mode-tty10/up cN kbd_mode -u -C /dev/tty10 m644
-/kbd_mode-tty11 d m755
-/kbd_mode-tty11/type cN oneshot m644
-/kbd_mode-tty11/up cN kbd_mode -u -C /dev/tty11 m644
-/kbd_mode-tty12 d m755
-/kbd_mode-tty12/type cN oneshot m644
-/kbd_mode-tty12/up cN kbd_mode -u -C /dev/tty12 m644
-
-
/tty1 d m755
/tty1/type cN longrun m644
/tty1/dependencies cN ok-sysinit m644
@@ -398,6 +343,61 @@ CN #!/command/execlineb -P
env LOGIN_TTY=/dev/tty8 /sbin/getty 38400 tty8 linux
m755
+/kbd_mode d m755
+/kbd_mode/type cN bundle m644
+/kbd_mode/contents
+CN kbd_mode-tty1
+ kbd_mode-tty2
+ kbd_mode-tty3
+ kbd_mode-tty4
+ kbd_mode-tty5
+ kbd_mode-tty6
+ kbd_mode-tty7
+ kbd_mode-tty8
+ kbd_mode-tty9
+ kbd_mode-tty10
+ kbd_mode-tty11
+ kbd_mode-tty12
+m644
+
+/kbd_mode-tty1 d m755
+/kbd_mode-tty1/type cN oneshot m644
+/kbd_mode-tty1/up cN kbd_mode -u -C /dev/tty1 m644
+/kbd_mode-tty2 d m755
+/kbd_mode-tty2/type cN oneshot m644
+/kbd_mode-tty2/up cN kbd_mode -u -C /dev/tty2 m644
+/kbd_mode-tty3 d m755
+/kbd_mode-tty3/type cN oneshot m644
+/kbd_mode-tty3/up cN kbd_mode -u -C /dev/tty3 m644
+/kbd_mode-tty4 d m755
+/kbd_mode-tty4/type cN oneshot m644
+/kbd_mode-tty4/up cN kbd_mode -u -C /dev/tty4 m644
+/kbd_mode-tty5 d m755
+/kbd_mode-tty5/type cN oneshot m644
+/kbd_mode-tty5/up cN kbd_mode -u -C /dev/tty5 m644
+/kbd_mode-tty6 d m755
+/kbd_mode-tty6/type cN oneshot m644
+/kbd_mode-tty6/up cN kbd_mode -u -C /dev/tty6 m644
+/kbd_mode-tty7 d m755
+/kbd_mode-tty7/type cN oneshot m644
+/kbd_mode-tty7/up cN kbd_mode -u -C /dev/tty7 m644
+/kbd_mode-tty8 d m755
+/kbd_mode-tty8/type cN oneshot m644
+/kbd_mode-tty8/up cN kbd_mode -u -C /dev/tty8 m644
+/kbd_mode-tty9 d m755
+/kbd_mode-tty9/type cN oneshot m644
+/kbd_mode-tty9/up cN kbd_mode -u -C /dev/tty9 m644
+/kbd_mode-tty10 d m755
+/kbd_mode-tty10/type cN oneshot m644
+/kbd_mode-tty10/up cN kbd_mode -u -C /dev/tty10 m644
+/kbd_mode-tty11 d m755
+/kbd_mode-tty11/type cN oneshot m644
+/kbd_mode-tty11/up cN kbd_mode -u -C /dev/tty11 m644
+/kbd_mode-tty12 d m755
+/kbd_mode-tty12/type cN oneshot m644
+/kbd_mode-tty12/up cN kbd_mode -u -C /dev/tty12 m644
+
+
/modules d m755
/modules/dependencies cN dmesg m644
/modules/type cN oneshot m644
diff --git a/static/etc/zsh/zshrc.d/90_warn_deploy_ssh_key.zsh b/static/etc/zsh/zshrc.d/90_warn_deploy_ssh_key.zsh
@@ -0,0 +1,9 @@
+[[ $UID == 0 && -o login ]] && () {
+ setopt local_options extended_glob
+ local files warn='%K{yellow}%F{black}WARNING%k%f'
+ local -a pubkeys=( /etc/ssh/ssh_host_*_key.pub(N) )
+ (($#pubkeys)) || return 0
+ files=$(grep -l replace_me@deploy $pubkeys) || return 0
+ printf >&2 "%s\n" "${(%)warn} There are shared deployment ssh host keys in $files; please remove them and create fresh set of keys."
+}
+# vim: set ft=zsh ts=4:
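Review bot: The check recognises the shared deployment host keys only by the `replace_me@deploy` comment in the `.pub` files, so editing or stripping that comment, which does not touch the private key, silences the warning while the shared key stays in use. Matching on fingerprints is more robust: run `ssh-keygen -lf "$k"` for each file in `$pubkeys` and compare the fingerprint column against a list of the known template-key fingerprints (constructed placeholder: `SHA256:<template-key-fingerprint>`), so only regenerating the keys clears the warning. Since `replace_me@deploy` is a fixed string, `grep -lF` is the precise form, and the `|| return 0` after it also swallows exit status 2 (an unreadable key file), which is acceptable for a login banner but worth a short comment. A one-line header stating the purpose, warn root at login while the template's shared host keys are still installed, would help, as the `# vim:` modeline is the file's only comment.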