diff --git a/bundles/users/items.py b/bundles/users/items.py index 6e5382e..bde0177 100644 --- a/bundles/users/items.py +++ b/bundles/users/items.py @@ -1,35 +1,29 @@ -from os.path import join, exists +for group, config in node.metadata.get('groups', {}).items(): + groups[group] = config -for group, attrs in node.metadata.get('groups', {}).items(): - groups[group] = attrs - -for username, attrs in node.metadata['users'].items(): - home = attrs.get('home', '/home/{}'.format(username)) - - user = users.setdefault(username, {}) - - user['home'] = home - user['shell'] = attrs.get('shell', '/bin/bash') - - if 'password' in attrs: - user['password'] = attrs['password'] - else: - user['password_hash'] = 'x' if node.use_shadow_passwords else '*' - - if 'groups' in attrs: - user['groups'] = attrs['groups'] - - directories[home] = { - 'owner': username, - 'mode': attrs.get('home-mode', '0700'), +for name, config in node.metadata.get('users').items(): + users[name] = { + k:v for k,v in config.items() if k in [ + "full_name", "gid", "groups", "home", "password_hash", "shell", "uid", + ] } - if 'ssh_pubkey' in attrs: - files[home + '/.ssh/authorized_keys'] = { - 'content': '\n'.join(sorted(attrs['ssh_pubkey'])) + '\n', - 'owner': username, - 'mode': '0600', - } + directories[config['home']] = { + 'owner': name, + } - elif not attrs.get('do_not_remove_authorized_keys_from_home', False): - files[home + '/.ssh/authorized_keys'] = {'delete': True} + files[f"{config['home']}/.ssh/id_{config['keytype']}"] = { + 'content': config['privkey'], + 'owner': name, + 'mode': '0600', + } + files[f"{config['home']}/.ssh/id_{config['keytype']}.pub"] = { + 'content': config['pubkey'], + 'owner': name, + 'mode': '0600', + } + files[config['home'] + '/.ssh/authorized_keys'] = { + 'content': '\n'.join(sorted(config['authorized_keys'])), + 'owner': name, + 'mode': '0600', + } diff --git a/bundles/users/metadata.py b/bundles/users/metadata.py index b22786a..aec3ed5 100644 
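Review bot: The new `directories[config['home']]` item drops the home-directory mode that the removed code set via `attrs.get('home-mode', '0700')`, so a home that now also holds the generated `id_<keytype>` private key falls back to the tool's default directory mode. Restoring the restrictive default, `'mode': '0700',` next to `'owner': name,`, keeps the previous behaviour; the key file itself is already 0600, so the concern is the rest of the home. The rebuilt `authorized_keys` content also lost the trailing newline the removed version appended — `'\n'.join(sorted(config['authorized_keys'])) + '\n'` is the safer form. As a point of style, the key whitelist in the dict comprehension would read better as a module-level tuple constant than an inline list literal.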
--- a/bundles/users/metadata.py +++ b/bundles/users/metadata.py @@ -13,18 +13,30 @@ defaults = { @metadata_reactor.provides( 'users', ) -def users(metadata): +def user(metadata): users = {} - for name in metadata.get('users'): - privkey, pubkey = repo.libs.ssh.generate_ad25519_key_pair( - b64decode(str(repo.vault.random_bytes_as_base64_for(metadata.get('id'), length=32))) - ) + for name, config in metadata.get('users').items(): users[name] = { - 'home': f'/home/{name}', - 'privkey': privkey, - 'pubkey': pubkey, + 'authorized_keys': [] } + + if not 'home' in config: + users[name]['home'] = f'/home/{name}' + + if not 'shell' in config: + users[name]['shell'] = '/bin/bash' + + if not 'password_hash' in config: + users[name]['password_hash'] = 'x' if node.use_shadow_passwords else '*' + + if not 'privkey' in users[name]: + privkey, pubkey = repo.libs.ssh.generate_ad25519_key_pair( + b64decode(str(repo.vault.random_bytes_as_base64_for(metadata.get('id'), length=32))) + ) + users[name]['keytype'] = 'ed25519' + users[name]['privkey'] = privkey + users[name]['pubkey'] = pubkey + f' {name}@{node.name}' return { 'users': users, diff --git a/groups/all.py b/groups/all.py index 0318471..a494e82 100644 --- a/groups/all.py +++ b/groups/all.py @@ -8,5 +8,12 @@ 'server': 'backups.sublimity.de', }, 'dns': {}, + 'users': { + 'root': { + 'authorized_keys': [ + 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEU1l2ijW3ZqzFGZcdWg2ESgTGehdNfBTfafxsjWvWdS mwiegand@macbook', + ], + }, + }, } } diff --git a/nodes/htz.mails.py b/nodes/htz.mails.py index a9f6cdb..cf8285a 100644 --- a/nodes/htz.mails.py +++ b/nodes/htz.mails.py @@ -78,6 +78,9 @@ 'version': '1.4.11', 'installer': True, }, + 'users': { + 'test': {}, + }, 'vm': { 'cpu': 2, },
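Review bot: `if not 'privkey' in users[name]:` tests the dict that was initialised a few lines earlier to `{'authorized_keys': []}`, so the condition is always true and a `privkey` supplied in `config` is never honoured; the sibling `home`/`shell`/`password_hash` checks read `config`, and this one should too: `if 'privkey' not in config:`. Separately, the key pair is derived from `repo.vault.random_bytes_as_base64_for(metadata.get('id'), length=32)` inside the per-user loop, so if that helper is deterministic for a given identifier (as its name suggests), every user on a node receives the same private key; folding the user name into the identifier, e.g. `f"{metadata.get('id')}:{name}"`, gives each user a distinct key. The reactor's `return {` statement closes outside the hunk.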
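Review bot: The new `'root'` entry gives no `home`, and the reactor in bundles/users/metadata.py fills in `f'/home/{name}'`, so unless another layer overrides it root's `authorized_keys` lands in `/home/root/.ssh/authorized_keys` and the `users` item would try to move root's home there, while sshd keeps reading `/root/.ssh/authorized_keys`. Adding `'home': '/root',` to the root entry (or special-casing root in the reactor) fixes the path. Since this group is `all`, the key grants root login on every node; worth confirming that is the intent rather than a per-host grant.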
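Review bot: The `'test': {}` user added to this node reads like a scratch entry used to exercise the new bundle; with the reactor defaults it will create a real account, a `/home/test` directory and a generated ed25519 key pair on that host. If it is only for testing, drop it before merge, or at least document its purpose with a comment such as `# temporary: exercises the users bundle, remove after rollout`.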