From: Ismaƫl Bouya Date: Wed, 2 Jan 2019 17:02:36 +0000 (+0100) Subject: Add gitolite X-Git-Tag: nur_publish~376 X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=commitdiff_plain;h=5566d26d9cb4f992e974ad8a8720c5970d566105 Add gitolite --- diff --git a/libs.nix b/libs.nix index c85808b..ad517f2 100644 --- a/libs.nix +++ b/libs.nix @@ -37,4 +37,22 @@ in }; checkEnv = var: builtins.stringLength (builtins.getEnv var) > 0; + + wrap = { paths ? [], vars ? {}, file ? null, script ? null, name ? "wrap" }: + assert file != null || script != null || + abort "wrap needs 'file' or 'script' argument"; + with rec { + set = n: v: "--set ${pkgs.lib.escapeShellArg n} " + + "${pkgs.lib.escapeShellArg v}"; + args = (map (p: "--prefix PATH : ${p}/bin") paths) ++ + (builtins.attrValues (pkgs.lib.mapAttrs set vars)); + }; + runCommand name + { + f = if file == null then writeScript name script else file; + buildInputs = [ makeWrapper ]; + } + '' + makeWrapper "$f" "$out" ${toString args} + ''; } diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix index 36b765c..292b31a 100644 --- a/virtual/eldiron.nix +++ b/virtual/eldiron.nix @@ -86,6 +86,26 @@ # }; }; + services.openssh.extraConfig = '' + AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys + AuthorizedKeysCommandUser nobody + ''; + + # FIXME: after initial install, need to + # (1) copy rc file (adjust gitolite_ldap_groups.sh) + # (2) (mark old readonly and) sync repos except gitolite-admin + # rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/ + # chown -R gitolite:gitolite /var/lib/gitolite + # (3) push force the gitolite-admin to new location (from external point) + # Don't use an existing key, it will take precedence over + # gitolite-admin + # (4) su -u gitolite gitolite setup + services.gitolite = { + enable = true; + # FIXME: key from ./ssh + adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu"; + }; + services.ympd = mypkgs.ympd.config // { enable = true; }; services.phpfpm = { @@ -118,6 +138,45 @@ mkdir -p /run/redis chown redis /run/redis ''; + gitolite = + assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD"; + let + gitolite_ldap_groups = mylibs.wrap { + name = "gitolite_ldap_groups.sh"; + file = ./packages/gitolite_ldap_groups.sh; + vars = { + LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD"; + }; + paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ]; + }; + in { + deps = [ "users" ]; + text = '' + if [ -d /var/lib/gitolite ]; then + ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh + fi + ''; + }; + }; + + environment.etc."ssh/ldap_authorized_keys" = let + ldap_authorized_keys = + assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD"; + mylibs.wrap { + name = "ldap_authorized_keys"; + file = ./ldap_authorized_keys.sh; + vars = { + LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD"; + GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell"; + ECHO = "${pkgs.coreutils}/bin/echo"; + }; + paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; + }; + in { + enable = true; + mode = "0755"; + user = "root"; + source = ldap_authorized_keys; }; services.httpd = let diff --git a/virtual/ldap_authorized_keys.sh b/virtual/ldap_authorized_keys.sh new file mode 100755 index 0000000..e8d7a64 --- /dev/null +++ b/virtual/ldap_authorized_keys.sh @@ -0,0 +1,150 @@ +#!/usr/bin/env bash + +LDAPSEARCH=ldapsearch +KEY="immaeSshKey" +LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" +#LDAP_PASS="password taken from environment" +LDAP_HOST="ldap.immae.eu" +LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu" +LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu" +LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu" +LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu" +LDAP_BASE="dc=immae,dc=eu" + +suitable_for() { + type_for="$1" + key="$2" + + if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then + echo "$key" + else + key_type=$(cut -d " " -f 1 <<< "$key") + + if grep -q "\b-$type_for\b" <<< "$key_type"; then + echo "" + elif grep -q "\b$type_for\b" <<< "$key_type"; then + echo $(sed -e "s/^[^ ]* //g" <<< "$key") + else + echo "" + fi + fi +} + +clean_key_line() { + type_for="$1" + line="$2" + + if [[ "$line" == $KEY::* ]]; then + # base64 keys should't happen, unless wrong copy-pasting + key="" + else + key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line") + fi + + suitable_for "$type_for" "$key" +} + +ldap_search() { + $LDAPSEARCH -h $LDAP_HOST -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@" +} + +ldap_keys() { + user=$1; + if [[ $user == gitolite ]]; then + ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \ + while read line ; + do + if [ ! -z "$line" ]; then + if [[ $line == dn* ]]; then + user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") + if [ -n "$user" ]; then + if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then + # Capitalize first letter (backward compatibility) + user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user") + fi + else + # Service fake user + user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line") + fi + elif [[ $line == $KEY* ]]; then + key=$(clean_key_line git "$line") + if [ ! -z "$key" ]; then + if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then + echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ' + echo $key + fi + fi + fi + fi + done + exit 0 + elif [[ $user == pub ]]; then + ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \ + while read line ; + do + if [ ! -z "$line" ]; then + if [[ $line == dn* ]]; then + echo "" + user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") + echo "# $user" + elif [[ $line == $KEY* ]]; then + key=$(clean_key_line pub "$line") + key_forward=$(clean_key_line forward "$line") + if [ ! -z "$key" ]; then + if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then + echo -n 'command="$HOME/bin/restrict '$user'" ' + echo $key + fi + elif [ ! -z "$key_forward" ]; then + if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then + echo "# forward only" + echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' + echo $key_forward + fi + fi + fi + fi + done + + echo "" + ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \ + while read line ; + do + if [ ! -z "$line" ]; then + if [[ $line == dn* ]]; then + echo "" + user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") + echo "# $user" + elif [[ $line == $KEY* ]]; then + key=$(clean_key_line forward "$line") + if [ ! -z "$key" ]; then + if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then + echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' + echo $key + fi + fi + fi + fi + done + exit 0 + else + ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \ + while read line ; + do + if [ ! -z "$line" ]; then + if [[ $line == dn* ]]; then + user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") + elif [[ $line == $KEY* ]]; then + key=$(clean_key_line ssh "$line") + if [ ! -z "$key" ]; then + if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then + echo $key + fi + fi + fi + fi + done + fi +} + +ldap_keys $@ diff --git a/virtual/packages/gitolite_ldap_groups.sh b/virtual/packages/gitolite_ldap_groups.sh new file mode 100755 index 0000000..5f7ef6d --- /dev/null +++ b/virtual/packages/gitolite_ldap_groups.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +uid_param="$1" +ldap_host="ldap.immae.eu" +ldap_binddn="cn=gitolite,ou=services,dc=immae,dc=eu" +ldap_bindpw="$LDAP_PASS" +ldap_searchbase="dc=immae,dc=eu" +ldap_scope="subtree" + +ldap_options="-h ${ldap_host} -x -D ${ldap_binddn} -w ${ldap_bindpw} -b ${ldap_searchbase} -s ${ldap_scope}" + +ldap_filter="(&(memberOf=cn=groups,cn=gitolite,ou=services,dc=immae,dc=eu)(|(member=uid=${uid_param},ou=users,dc=immae,dc=eu)(member=uid=${uid_param},ou=group_users,dc=immae,dc=eu)))" +ldap_result=$(ldapsearch ${ldap_options} -LLL "${ldap_filter}" cn | grep 'cn:' | cut -d' ' -f2) + +echo "$ldap_result"