diff --git a/bundles/build-agent/metadata.py b/bundles/build-agent/metadata.py
index 7738f04..4b5903f 100644
--- a/bundles/build-agent/metadata.py
+++ b/bundles/build-agent/metadata.py
@@ -27,7 +27,7 @@ def ssh_keys(metadata):
 'users': {
 'build-agent': {
 'authorized_users': {
- f'build-server@{other_node.name}'
+ f'build-server@{other_node.name}': {}
 for other_node in repo.nodes
 if other_node.has_bundle('build-server')
 for architecture in other_node.metadata.get('build-server/architectures').values()
diff --git a/bundles/build-ci/metadata.py b/bundles/build-ci/metadata.py
index a9bf02b..6d7f726 100644
--- a/bundles/build-ci/metadata.py
+++ b/bundles/build-ci/metadata.py
@@ -14,7 +14,7 @@ def ssh_keys(metadata):
 'users': {
 'build-ci': {
 'authorized_users': {
- f'build-server@{other_node.name}'
+ f'build-server@{other_node.name}': {}
 for other_node in repo.nodes
 if other_node.has_bundle('build-server')
 },
diff --git a/bundles/download-server/metadata.py b/bundles/download-server/metadata.py
index 4fea1cc..d4d7bbc 100644
--- a/bundles/download-server/metadata.py
+++ b/bundles/download-server/metadata.py
@@ -57,7 +57,7 @@ def ssh_keys(metadata):
 'users': {
 'downloads': {
 'authorized_users': {
- f'build-server@{other_node.name}'
+ f'build-server@{other_node.name}': {}
 for other_node in repo.nodes
 if other_node.has_bundle('build-server')
 },
diff --git a/bundles/monitored/metadata.py b/bundles/monitored/metadata.py
index a5c380a..48d9db3 100644
--- a/bundles/monitored/metadata.py
+++ b/bundles/monitored/metadata.py
@@ -42,7 +42,7 @@ def user(metadata):
 'users': {
 'sshmon': {
 'authorized_users': {
- 'nagios@' + metadata.get('monitoring/icinga2_node'),
+ 'nagios@' + metadata.get('monitoring/icinga2_node'): {},
 }
 },
 },
diff --git a/bundles/ssh/metadata.py b/bundles/ssh/metadata.py
index b6e3583..99a9b75 100644
--- a/bundles/ssh/metadata.py
+++ b/bundles/ssh/metadata.py
@@ -19,7 +19,7 @@ def users(metadata):
 'allow_users': set(
 name
 for name, conf in metadata.get('users').items()
- if conf.get('authorized_keys', []) or conf.get('authorized_users', [])
+ if conf.get('authorized_keys', []) or conf.get('authorized_users', {})
 ),
 },
 }
diff --git a/bundles/users/metadata.py b/bundles/users/metadata.py
index 3734285..59cf2ca 100644
--- a/bundles/users/metadata.py
+++ b/bundles/users/metadata.py
@@ -20,11 +20,15 @@ def authorized_users(metadata):
 users[name] = {
 'authorized_keys': set(),
 }
- for authorized_user in config.get('authorized_users', set()):
+ for authorized_user, options in config.get('authorized_users', {}).items():
 authorized_user_name, authorized_user_node = authorized_user.split('@')
- users[name]['authorized_keys'].add(
- repo.get_node(authorized_user_node).metadata.get(f'users/{authorized_user_name}/pubkey')
- )
+ authorized_user_public_key = repo.get_node(authorized_user_node).metadata.get(f'users/{authorized_user_name}/pubkey')
+
+ for command in options.get('commands', []):
+ users[name]['authorized_keys'].add(f'command="{command}" ' + authorized_user_public_key)
+ else:
+ users[name]['authorized_keys'].add(authorized_user_public_key)
+
 return {
 'users': users,
 }
diff --git a/bundles/wol-sleeper/metadata.py b/bundles/wol-sleeper/metadata.py
index 0e056dc..520df53 100644
--- a/bundles/wol-sleeper/metadata.py
+++ b/bundles/wol-sleeper/metadata.py
@@ -44,6 +44,7 @@ defaults = {
 @metadata_reactor.provides(
+ 'wol-sleeper/mac',
 'wol-sleeper/wake_command',
 )
 def wake_command(metadata):
@@ -53,7 +54,8 @@ def wake_command(metadata):
 return {
 'wol-sleeper': {
- 'wake_command': f"ssh -o StrictHostKeyChecking=no wol@{waker_hostname} 'wakeonlan {mac} && while ! ping {ip} -c1 -W3; do true; done'",
+ 'mac': mac,
+ 'wake_command': f"ssh -o StrictHostKeyChecking=no wol@{waker_hostname} '/usr/bin/wakeonlan {mac}' && while ! ping {ip} -c1 -W3; do true; done",
 },
 }
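Review bot: In bundles/users/metadata.py the added `else:` can only pair with a `for` (no `if` appears in the added lines), and a `for` loop without `break` always runs its `else`, so the bare public key is added to `authorized_keys` even when `commands` is configured. The account then carries both the `command="..."` entries and an unrestricted entry for the same key, which means the forced command is not reliably enforced. Bind `commands = options.get('commands', [])` and wrap the loop in `if commands:` so that the `else:` belongs to the `if` and the bare key is added only when no commands are set. A forced command on its own also leaves forwarding and PTY allocation enabled; building the entry as `f'restrict,command="{command}" '` would close that. The body of `authorized_users` starts above the hunk, so the outer loop over `name, config` is not visible here.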
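Review bot: The rewritten `wake_command` in bundles/wol-sleeper/metadata.py keeps `-o StrictHostKeyChecking=no`, so the client connects to whichever host answers as `waker_hostname` without verifying its host key. The waker is a node in the same repo, so its host key could presumably be distributed to `known_hosts` and the option dropped. `mac`, `ip` and `waker_hostname` are assigned above the hunk, so whether they are validated before being interpolated into the shell string cannot be seen from here; a short comment stating where they come from would help, e.g. `# mac/ip come from node metadata, not from user input`.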
diff --git a/bundles/wol-waker/metadata.py b/bundles/wol-waker/metadata.py
index 610bd3e..203b079 100644
--- a/bundles/wol-waker/metadata.py
+++ b/bundles/wol-waker/metadata.py
@@ -6,17 +6,25 @@ defaults = {
 },
 }
+
 @metadata_reactor.provides(
- 'users/wol',
+ 'users/wol/authorized_users',
 )
 def user(metadata):
 return {
 'users': {
 'wol': {
 'authorized_users': {
- f'root@{node.name}'
- for node in repo.nodes
- if node.dummy == False and node.has_bundle('ssh')
+ f'root@{ssh_client.name}': {
+ 'commands': {
+ '/usr/bin/wakeonlan ' + sleeper.metadata.get('wol-sleeper/mac')
+ for sleeper in repo.nodes
+ if sleeper.has_bundle('wol-sleeper')
+ and sleeper.metadata.get('wol-sleeper/waker') == node.name
+ }
+ }
+ for ssh_client in repo.nodes
+ if ssh_client.dummy == False and ssh_client.has_bundle('ssh')
 },
 },
 },
diff --git a/nodes/home.backups.py b/nodes/home.backups.py
index d6db346..663195d 100644
--- a/nodes/home.backups.py
+++ b/nodes/home.backups.py
@@ -38,7 +38,7 @@
 },
 'wol-sleeper': {
 'network': 'wakeonlan',
- 'waker': 'home.server',
+ 'waker': 'home.router',
 },
 'zfs-mirror': {
 'server': 'wb.offsite-backups',
diff --git a/nodes/home.homematic.py b/nodes/home.homematic.py
index b716d3f..d9bc021 100644
--- a/nodes/home.homematic.py
+++ b/nodes/home.homematic.py
@@ -25,7 +25,7 @@
 'users': {
 'root': {
 'authorized_users': {
- 'root@home.server',
+ 'root@home.server': {},
 },
 },
 },
diff --git a/nodes/home.router.py b/nodes/home.router.py
index 8499075..01235a0 100644
--- a/nodes/home.router.py
+++ b/nodes/home.router.py
@@ -12,6 +12,7 @@
 'kea-dhcpd',
 'wireguard',
 'pppoe',
+ 'wol-waker',
 ],
 'metadata': {
 'id': '1d6a43e5-858c-42f9-9c40-ab63d61c787c',
diff --git a/nodes/home.server.py b/nodes/home.server.py
index 2edcf1f..d317e79 100644
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@@ -31,7 +31,6 @@
 'systemd-swap',
 'twitch-clip-download',
 'raspberrymatic-cert',
- 'wol-waker',
 'zfs',
 'routeros-monitoring',
 ],
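Review bot: In bundles/wol-waker/metadata.py the `commands` set holds one `/usr/bin/wakeonlan <mac>` entry per sleeper, and the users bundle on this page turns each entry into its own `command="..."` line for the same public key. sshd applies the options of the first `authorized_keys` line whose key matches, so once a waker serves more than one sleeper only one of those commands can ever run, and since the entries pass through sets the order is not fixed. A single forced command that checks `$SSH_ORIGINAL_COMMAND` against the allowed list would keep the restriction while letting each client wake its intended sleeper. The value of `sleeper.metadata.get('wol-sleeper/mac')` is also written into the quoted option as-is, so checking that it has the form of a MAC address before use would keep a stray `"` or space from breaking the key line.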
diff --git a/nodes/wb.offsite-backups.py b/nodes/wb.offsite-backups.py
index 0fa1017..9a4c450 100644
--- a/nodes/wb.offsite-backups.py
+++ b/nodes/wb.offsite-backups.py
@@ -29,7 +29,7 @@
 'users': {
 'root': {
 'authorized_users': {
- 'root@home.backups',
+ 'root@home.backups': {},
 },
 },
 },