diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-01-02 18:02:36 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-01-02 18:02:36 +0100 |
commit | 5566d26d9cb4f992e974ad8a8720c5970d566105 (patch) | |
tree | 78a20c70e3abb2e465d09d4a4ef03f3281014583 | |
parent | 940f18341ee8f1e86a18a3488c41b5bbef909cd1 (diff) | |
download | Nix-5566d26d9cb4f992e974ad8a8720c5970d566105.tar.gz Nix-5566d26d9cb4f992e974ad8a8720c5970d566105.tar.zst Nix-5566d26d9cb4f992e974ad8a8720c5970d566105.zip |
Add gitolite
-rw-r--r-- | libs.nix | 18 | ||||
-rw-r--r-- | virtual/eldiron.nix | 59 | ||||
-rwxr-xr-x | virtual/ldap_authorized_keys.sh | 150 | ||||
-rwxr-xr-x | virtual/packages/gitolite_ldap_groups.sh | 15 |
4 files changed, 242 insertions, 0 deletions
@@ -37,4 +37,22 @@ in | |||
37 | }; | 37 | }; |
38 | 38 | ||
39 | checkEnv = var: builtins.stringLength (builtins.getEnv var) > 0; | 39 | checkEnv = var: builtins.stringLength (builtins.getEnv var) > 0; |
40 | |||
41 | wrap = { paths ? [], vars ? {}, file ? null, script ? null, name ? "wrap" }: | ||
42 | assert file != null || script != null || | ||
43 | abort "wrap needs 'file' or 'script' argument"; | ||
44 | with rec { | ||
45 | set = n: v: "--set ${pkgs.lib.escapeShellArg n} " + | ||
46 | "${pkgs.lib.escapeShellArg v}"; | ||
47 | args = (map (p: "--prefix PATH : ${p}/bin") paths) ++ | ||
48 | (builtins.attrValues (pkgs.lib.mapAttrs set vars)); | ||
49 | }; | ||
50 | runCommand name | ||
51 | { | ||
52 | f = if file == null then writeScript name script else file; | ||
53 | buildInputs = [ makeWrapper ]; | ||
54 | } | ||
55 | '' | ||
56 | makeWrapper "$f" "$out" ${toString args} | ||
57 | ''; | ||
40 | } | 58 | } |
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix index 36b765c..292b31a 100644 --- a/virtual/eldiron.nix +++ b/virtual/eldiron.nix | |||
@@ -86,6 +86,26 @@ | |||
86 | # }; | 86 | # }; |
87 | }; | 87 | }; |
88 | 88 | ||
89 | services.openssh.extraConfig = '' | ||
90 | AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys | ||
91 | AuthorizedKeysCommandUser nobody | ||
92 | ''; | ||
93 | |||
94 | # FIXME: after initial install, need to | ||
95 | # (1) copy rc file (adjust gitolite_ldap_groups.sh) | ||
96 | # (2) (mark old readonly and) sync repos except gitolite-admin | ||
97 | # rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/ | ||
98 | # chown -R gitolite:gitolite /var/lib/gitolite | ||
99 | # (3) push force the gitolite-admin to new location (from external point) | ||
100 | # Don't use an existing key, it will take precedence over | ||
101 | # gitolite-admin | ||
102 | # (4) su -u gitolite gitolite setup | ||
103 | services.gitolite = { | ||
104 | enable = true; | ||
105 | # FIXME: key from ./ssh | ||
106 | adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu"; | ||
107 | }; | ||
108 | |||
89 | services.ympd = mypkgs.ympd.config // { enable = true; }; | 109 | services.ympd = mypkgs.ympd.config // { enable = true; }; |
90 | 110 | ||
91 | services.phpfpm = { | 111 | services.phpfpm = { |
@@ -118,6 +138,45 @@ | |||
118 | mkdir -p /run/redis | 138 | mkdir -p /run/redis |
119 | chown redis /run/redis | 139 | chown redis /run/redis |
120 | ''; | 140 | ''; |
141 | gitolite = | ||
142 | assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD"; | ||
143 | let | ||
144 | gitolite_ldap_groups = mylibs.wrap { | ||
145 | name = "gitolite_ldap_groups.sh"; | ||
146 | file = ./packages/gitolite_ldap_groups.sh; | ||
147 | vars = { | ||
148 | LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD"; | ||
149 | }; | ||
150 | paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ]; | ||
151 | }; | ||
152 | in { | ||
153 | deps = [ "users" ]; | ||
154 | text = '' | ||
155 | if [ -d /var/lib/gitolite ]; then | ||
156 | ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh | ||
157 | fi | ||
158 | ''; | ||
159 | }; | ||
160 | }; | ||
161 | |||
162 | environment.etc."ssh/ldap_authorized_keys" = let | ||
163 | ldap_authorized_keys = | ||
164 | assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD"; | ||
165 | mylibs.wrap { | ||
166 | name = "ldap_authorized_keys"; | ||
167 | file = ./ldap_authorized_keys.sh; | ||
168 | vars = { | ||
169 | LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD"; | ||
170 | GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell"; | ||
171 | ECHO = "${pkgs.coreutils}/bin/echo"; | ||
172 | }; | ||
173 | paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; | ||
174 | }; | ||
175 | in { | ||
176 | enable = true; | ||
177 | mode = "0755"; | ||
178 | user = "root"; | ||
179 | source = ldap_authorized_keys; | ||
121 | }; | 180 | }; |
122 | 181 | ||
123 | services.httpd = let | 182 | services.httpd = let |
diff --git a/virtual/ldap_authorized_keys.sh b/virtual/ldap_authorized_keys.sh new file mode 100755 index 0000000..e8d7a64 --- /dev/null +++ b/virtual/ldap_authorized_keys.sh | |||
@@ -0,0 +1,150 @@ | |||
1 | #!/usr/bin/env bash | ||
2 | |||
3 | LDAPSEARCH=ldapsearch | ||
4 | KEY="immaeSshKey" | ||
5 | LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" | ||
6 | #LDAP_PASS="password taken from environment" | ||
7 | LDAP_HOST="ldap.immae.eu" | ||
8 | LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu" | ||
9 | LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu" | ||
10 | LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu" | ||
11 | LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu" | ||
12 | LDAP_BASE="dc=immae,dc=eu" | ||
13 | |||
14 | suitable_for() { | ||
15 | type_for="$1" | ||
16 | key="$2" | ||
17 | |||
18 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
19 | echo "$key" | ||
20 | else | ||
21 | key_type=$(cut -d " " -f 1 <<< "$key") | ||
22 | |||
23 | if grep -q "\b-$type_for\b" <<< "$key_type"; then | ||
24 | echo "" | ||
25 | elif grep -q "\b$type_for\b" <<< "$key_type"; then | ||
26 | echo $(sed -e "s/^[^ ]* //g" <<< "$key") | ||
27 | else | ||
28 | echo "" | ||
29 | fi | ||
30 | fi | ||
31 | } | ||
32 | |||
33 | clean_key_line() { | ||
34 | type_for="$1" | ||
35 | line="$2" | ||
36 | |||
37 | if [[ "$line" == $KEY::* ]]; then | ||
38 | # base64 keys should't happen, unless wrong copy-pasting | ||
39 | key="" | ||
40 | else | ||
41 | key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line") | ||
42 | fi | ||
43 | |||
44 | suitable_for "$type_for" "$key" | ||
45 | } | ||
46 | |||
47 | ldap_search() { | ||
48 | $LDAPSEARCH -h $LDAP_HOST -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@" | ||
49 | } | ||
50 | |||
51 | ldap_keys() { | ||
52 | user=$1; | ||
53 | if [[ $user == gitolite ]]; then | ||
54 | ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \ | ||
55 | while read line ; | ||
56 | do | ||
57 | if [ ! -z "$line" ]; then | ||
58 | if [[ $line == dn* ]]; then | ||
59 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | ||
60 | if [ -n "$user" ]; then | ||
61 | if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then | ||
62 | # Capitalize first letter (backward compatibility) | ||
63 | user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user") | ||
64 | fi | ||
65 | else | ||
66 | # Service fake user | ||
67 | user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line") | ||
68 | fi | ||
69 | elif [[ $line == $KEY* ]]; then | ||
70 | key=$(clean_key_line git "$line") | ||
71 | if [ ! -z "$key" ]; then | ||
72 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
73 | echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ' | ||
74 | echo $key | ||
75 | fi | ||
76 | fi | ||
77 | fi | ||
78 | fi | ||
79 | done | ||
80 | exit 0 | ||
81 | elif [[ $user == pub ]]; then | ||
82 | ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \ | ||
83 | while read line ; | ||
84 | do | ||
85 | if [ ! -z "$line" ]; then | ||
86 | if [[ $line == dn* ]]; then | ||
87 | echo "" | ||
88 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | ||
89 | echo "# $user" | ||
90 | elif [[ $line == $KEY* ]]; then | ||
91 | key=$(clean_key_line pub "$line") | ||
92 | key_forward=$(clean_key_line forward "$line") | ||
93 | if [ ! -z "$key" ]; then | ||
94 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
95 | echo -n 'command="$HOME/bin/restrict '$user'" ' | ||
96 | echo $key | ||
97 | fi | ||
98 | elif [ ! -z "$key_forward" ]; then | ||
99 | if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then | ||
100 | echo "# forward only" | ||
101 | echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' | ||
102 | echo $key_forward | ||
103 | fi | ||
104 | fi | ||
105 | fi | ||
106 | fi | ||
107 | done | ||
108 | |||
109 | echo "" | ||
110 | ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \ | ||
111 | while read line ; | ||
112 | do | ||
113 | if [ ! -z "$line" ]; then | ||
114 | if [[ $line == dn* ]]; then | ||
115 | echo "" | ||
116 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | ||
117 | echo "# $user" | ||
118 | elif [[ $line == $KEY* ]]; then | ||
119 | key=$(clean_key_line forward "$line") | ||
120 | if [ ! -z "$key" ]; then | ||
121 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
122 | echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' | ||
123 | echo $key | ||
124 | fi | ||
125 | fi | ||
126 | fi | ||
127 | fi | ||
128 | done | ||
129 | exit 0 | ||
130 | else | ||
131 | ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \ | ||
132 | while read line ; | ||
133 | do | ||
134 | if [ ! -z "$line" ]; then | ||
135 | if [[ $line == dn* ]]; then | ||
136 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | ||
137 | elif [[ $line == $KEY* ]]; then | ||
138 | key=$(clean_key_line ssh "$line") | ||
139 | if [ ! -z "$key" ]; then | ||
140 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
141 | echo $key | ||
142 | fi | ||
143 | fi | ||
144 | fi | ||
145 | fi | ||
146 | done | ||
147 | fi | ||
148 | } | ||
149 | |||
150 | ldap_keys $@ | ||
diff --git a/virtual/packages/gitolite_ldap_groups.sh b/virtual/packages/gitolite_ldap_groups.sh new file mode 100755 index 0000000..5f7ef6d --- /dev/null +++ b/virtual/packages/gitolite_ldap_groups.sh | |||
@@ -0,0 +1,15 @@ | |||
1 | #!/usr/bin/env bash | ||
2 | |||
3 | uid_param="$1" | ||
4 | ldap_host="ldap.immae.eu" | ||
5 | ldap_binddn="cn=gitolite,ou=services,dc=immae,dc=eu" | ||
6 | ldap_bindpw="$LDAP_PASS" | ||
7 | ldap_searchbase="dc=immae,dc=eu" | ||
8 | ldap_scope="subtree" | ||
9 | |||
10 | ldap_options="-h ${ldap_host} -x -D ${ldap_binddn} -w ${ldap_bindpw} -b ${ldap_searchbase} -s ${ldap_scope}" | ||
11 | |||
12 | ldap_filter="(&(memberOf=cn=groups,cn=gitolite,ou=services,dc=immae,dc=eu)(|(member=uid=${uid_param},ou=users,dc=immae,dc=eu)(member=uid=${uid_param},ou=group_users,dc=immae,dc=eu)))" | ||
13 | ldap_result=$(ldapsearch ${ldap_options} -LLL "${ldap_filter}" cn | grep 'cn:' | cut -d' ' -f2) | ||
14 | |||
15 | echo "$ldap_result" | ||