From 254af0c72bfc391257b6e2e392510935eb8e6dde Mon Sep 17 00:00:00 2001 From: mwiegand Date: Sun, 6 Feb 2022 20:34:17 +0100 Subject: [PATCH] raspberrymatic-cert --- bundles/hostname/items.py | 4 +-- bundles/hostname/metadata.py | 9 ++++++ bundles/letsencrypt/files/hook.sh | 3 ++ .../files/raspberrymatic-cert | 6 ++++ bundles/raspberrymatic-cert/items.py | 10 ++++++ bundles/raspberrymatic-cert/metadata.py | 32 +++++++++++++++++++ bundles/users/items.py | 12 ++++--- groups/all.py | 3 -- groups/os/linux.py | 7 ++++ groups/os/raspberrymatic.py | 21 ++++++++++++ nodes/home.homematic.py | 17 ++++++++-- nodes/home.server.py | 5 +++ requirements.txt | 2 +- 13 files changed, 118 insertions(+), 13 deletions(-) create mode 100644 bundles/raspberrymatic-cert/files/raspberrymatic-cert create mode 100644 bundles/raspberrymatic-cert/items.py create mode 100644 bundles/raspberrymatic-cert/metadata.py create mode 100644 groups/os/raspberrymatic.py diff --git a/bundles/hostname/items.py b/bundles/hostname/items.py index 74d4999..ad962b5 100644 --- a/bundles/hostname/items.py +++ b/bundles/hostname/items.py @@ -1,4 +1,4 @@ -files['/etc/hostname'] = { +files[node.metadata.get('hostname_file')] = { 'content': node.metadata.get('hostname'), 'triggers': [ 'action:update_hostname', @@ -6,6 +6,6 @@ files['/etc/hostname'] = { } actions["update_hostname"] = { - "command": "hostname -F /etc/hostname", + "command": f"hostname -F {node.metadata.get('hostname_file')}", 'triggered': True, } diff --git a/bundles/hostname/metadata.py b/bundles/hostname/metadata.py index 7cb78a4..f92f528 100644 --- a/bundles/hostname/metadata.py +++ b/bundles/hostname/metadata.py @@ -8,6 +8,15 @@ defaults = { } +@metadata_reactor.provides( + 'hostname_file', +) +def hostname_file(metadata): + return { + 'hostname_file': node.metadata.get('hostname_file', '/etc/hostname'), + } + + @metadata_reactor.provides( 'dns', ) diff --git a/bundles/letsencrypt/files/hook.sh b/bundles/letsencrypt/files/hook.sh index f08509d..ca33f8a 100644 --- a/bundles/letsencrypt/files/hook.sh +++ b/bundles/letsencrypt/files/hook.sh @@ -43,6 +43,9 @@ deploy_cert() { % for service in sorted(conf.get('reload', [])): systemctl reload-or-restart ${service} % endfor + % for service in sorted(conf.get('start', [])): + systemctl start ${service} + % endfor ;; % endfor esac diff --git a/bundles/raspberrymatic-cert/files/raspberrymatic-cert b/bundles/raspberrymatic-cert/files/raspberrymatic-cert new file mode 100644 index 0000000..8aae3c6 --- /dev/null +++ b/bundles/raspberrymatic-cert/files/raspberrymatic-cert @@ -0,0 +1,6 @@ +#!/bin/bash + +cat /var/lib/dehydrated/certs/${domain}/privkey.pem /var/lib/dehydrated/certs/${domain}/cert.pem ${'\\'} + | ssh -o StrictHostKeyChecking=no root@${hostname} 'cat > /etc/config/server.pem' ${'\\'} + && ssh -o StrictHostKeyChecking=no root@${hostname} 'chmod 600 /etc/config/server.pem' ${'\\'} + && ssh -o StrictHostKeyChecking=no root@${hostname} '/etc/init.d/S50lighttpd reload' ${'\\'} diff --git a/bundles/raspberrymatic-cert/items.py b/bundles/raspberrymatic-cert/items.py new file mode 100644 index 0000000..d248666 --- /dev/null +++ b/bundles/raspberrymatic-cert/items.py @@ -0,0 +1,10 @@ +files = { + '/opt/raspberrymatic-cert': { + 'content_type': 'mako', + 'mode': '500', + 'context': { + 'domain': node.metadata.get('raspberrymatic-cert/domain'), + 'hostname': repo.get_node(node.metadata.get('raspberrymatic-cert/node')).metadata.get('hostname'), + } + } +} diff --git a/bundles/raspberrymatic-cert/metadata.py b/bundles/raspberrymatic-cert/metadata.py new file mode 100644 index 0000000..2cc3eed --- /dev/null +++ b/bundles/raspberrymatic-cert/metadata.py @@ -0,0 +1,32 @@ +from shlex import quote + + +@metadata_reactor.provides( + 'letsencrypt/domains', +) +def letsencrypt(metadata): + return { + 'letsencrypt': { + 'domains': { + metadata.get('raspberrymatic-cert/domain'): { + 'start': ['raspberrymatic-cert'], + }, + }, + }, + } + + +@metadata_reactor.provides( + 'systemd-timers/raspberrymatic-cert', +) +def systemd_timers(metadata): + domain = metadata.get('raspberrymatic-cert/domain') + + return { + 'systemd-timers': { + 'raspberrymatic-cert': { + 'command': '/opt/raspberrymatic-cert', + 'when': 'daily', + } + }, + } diff --git a/bundles/users/items.py b/bundles/users/items.py index 749bc41..b194684 100644 --- a/bundles/users/items.py +++ b/bundles/users/items.py @@ -7,14 +7,16 @@ for name, config in node.metadata.get('users').items(): 'group': config.get('home_group', name), 'mode': config.get('home_mode', '700'), } + + ssh_dir = config.get('ssh_dir', f"{config['home']}/.ssh") - directories[f"{config['home']}/.ssh"] = { + directories[ssh_dir] = { 'owner': config.get('home_owner', name), 'group': config.get('home_group', name), 'mode': '0700', } - files[f"{config['home']}/.ssh/id_{config['keytype']}"] = { + files[f"{ssh_dir}/id_{config['keytype']}"] = { 'content': config['privkey'] + '\n', 'owner': name, 'mode': '0600', @@ -22,7 +24,7 @@ for name, config in node.metadata.get('users').items(): 'ssh_users', ], } - files[f"{config['home']}/.ssh/id_{config['keytype']}.pub"] = { + files[f"{ssh_dir}/id_{config['keytype']}.pub"] = { 'content': config['pubkey'] + '\n', 'owner': name, 'mode': '0600', @@ -30,7 +32,7 @@ for name, config in node.metadata.get('users').items(): 'ssh_users', ], } - files[config['home'] + '/.ssh/authorized_keys'] = { + files[f"{ssh_dir}/authorized_keys"] = { 'content': '\n'.join(sorted(config['authorized_keys'])) + '\n', 'owner': name, 'mode': '0600', @@ -40,5 +42,5 @@ for name, config in node.metadata.get('users').items(): } users[name] = config - for option in ['authorized_keys', 'authorized_users', 'privkey', 'pubkey', 'keytype', 'home_owner', 'home_group', 'home_mode']: + for option in ['authorized_keys', 'authorized_users', 'privkey', 'pubkey', 'keytype', 'home_owner', 'home_group', 'home_mode', 'ssh_dir']: users[name].pop(option, None) diff --git a/groups/all.py b/groups/all.py index a0ff062..ee902fc 100644 --- a/groups/all.py +++ b/groups/all.py @@ -1,9 +1,7 @@ { 'bundles': [ - 'sudo', 'system', 'users', - 'zsh', ], 'metadata': { 'dns': {}, @@ -12,7 +10,6 @@ }, 'users': { 'root': { - 'shell': '/usr/bin/zsh', 'authorized_keys': { 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEU1l2ijW3ZqzFGZcdWg2ESgTGehdNfBTfafxsjWvWdS mwiegand@macbook', }, diff --git a/groups/os/linux.py b/groups/os/linux.py index f86b8bf..479482e 100644 --- a/groups/os/linux.py +++ b/groups/os/linux.py @@ -8,11 +8,13 @@ 'locale', 'network', 'ssh', + 'sudo', 'systemd', 'systemd-journald', 'systemd-networkd', 'systemd-mount', 'systemd-timers', + 'zsh', ], 'metadata': { 'systemd-timers': { @@ -27,5 +29,10 @@ 'secondary.resolver.name', ], }, + 'users': { + 'root': { + 'shell': '/usr/bin/zsh', + }, + }, }, } diff --git a/groups/os/raspberrymatic.py b/groups/os/raspberrymatic.py new file mode 100644 index 0000000..e22db84 --- /dev/null +++ b/groups/os/raspberrymatic.py @@ -0,0 +1,21 @@ +{ + 'supergroups': [ + 'all', + ], + 'bundles': [ + 'users', + ], + 'metadata': { + 'users': { + 'root': { + 'password': None, + 'shell': '/bin/sh', + 'ssh_dir': '/usr/local/etc/ssh', + }, + }, + 'hostname_file': '/var/etc/hostname', + }, + 'cmd_wrapper_outer': 'sh -c {}', + 'cmd_wrapper_inner': '{}', + 'lock_dir': '/tmp/bundlewrap', +} diff --git a/nodes/home.homematic.py b/nodes/home.homematic.py index 3e436f1..78a42ec 100644 --- a/nodes/home.homematic.py +++ b/nodes/home.homematic.py @@ -1,7 +1,13 @@ { - 'dummy': True, + 'hostname': '10.0.2.8', + 'groups': [ + 'raspberrymatic', + ], + 'bundles': [ + 'hostname', + ], 'metadata': { - 'id': '', + 'id': 'cc1c08ba-8a2e-4cda-9b82-1b88a940e8e8', 'network': { 'internal': { 'ipv4': '10.0.2.8/24', @@ -12,5 +18,12 @@ 'A': {'10.0.2.8'}, }, }, + 'users': { + 'root': { + 'authorized_users': { + 'root@home.server', + }, + }, + }, }, } diff --git a/nodes/home.server.py b/nodes/home.server.py index e449c5f..22557c9 100644 --- a/nodes/home.server.py +++ b/nodes/home.server.py @@ -24,6 +24,7 @@ 'wireguard', 'zfs', 'crystal', + 'raspberrymatic-cert', 'tasmota-charge', ], 'metadata': { @@ -86,6 +87,10 @@ 'unsortable': 'SofortUpload/Unsortable', }, }, + 'raspberrymatic-cert': { + 'domain': 'homematic.ckn.li', + 'node': 'home.homematic', + }, 'tasmota-charge': { 'phone': { 'ip': '10.0.0.166', diff --git a/requirements.txt b/requirements.txt index 8280d8b..0491d7d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -bundlewrap>=4.13.1 +bundlewrap>=4.13.6 pycryptodome PyNaCl PyYAML