From 824b3faaae5322c68019bca83c423613fe343101 Mon Sep 17 00:00:00 2001 
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Fri, 11 Feb 2022 14:36:47 +0100
Subject: [PATCH] Added fds.in.
---
sources/fds.in/c3d/firstboot/data/USERS.txt | 15 +++
sources/fds.in/c3d/firstboot/data/user.inf | 92 +++++++++++++++
.../firstboot/scripts/01_setupnetworking.sh | 58 ++++++++++
.../c3d/firstboot/scripts/02_settimezone.sh | 21 ++++
.../c3d/firstboot/scripts/10_setupds.sh | 21 ++++
.../c3d/firstboot/scripts/11_createusers.sh | 109 ++++++++++++++++++
.../c3d/firstboot/scripts/90_setupservices.sh | 11 ++
sources/fds.in/c3d/mode.txt | 7 ++
sources/fds.in/c3d/owner.txt | 3 +
.../fds.in/c3d/postinstall/data/template.inf | 93 +++++++++++++++
.../install-data/etc/ssh/ssh_host_ed25519_key | 7 ++
.../etc/ssh/ssh_host_ed25519_key-cert.pub | 1 +
.../etc/ssh/ssh_host_ed25519_key.pub | 1 +
.../etc/ssh/sshd_config.d/99-host-cert.conf | 1 +
.../etc/ssh/sshd_config.d/99-user-CA.conf | 1 +
.../install-data/etc/ssh/trusted-user-ca.keys | 1 +
.../install-data/usr/local/bin/backupfds.sh | 55 +++++++++
.../install-data/usr/local/bin/restorefds.sh | 66 +++++++++++
sources/fds.in/c3d/postinstall/scp/copy.list | 2 +
.../c3d/postinstall/scripts/01_editfiles.sh | 6 +
.../postinstall/scripts/10_setupservices.sh | 8 ++
sources/fds.in/c3d/postinstall/ssh/run.list | 2 +
sources/fds.in/config | 21 ++++
sources/fds.in/envvars | 3 +
24 files changed, 605 insertions(+)
create mode 100644 sources/fds.in/c3d/firstboot/data/USERS.txt
create mode 100644 sources/fds.in/c3d/firstboot/data/user.inf
create mode 100755 sources/fds.in/c3d/firstboot/scripts/01_setupnetworking.sh
create mode 100755 sources/fds.in/c3d/firstboot/scripts/02_settimezone.sh
create mode 100755 sources/fds.in/c3d/firstboot/scripts/10_setupds.sh
create mode 100755 sources/fds.in/c3d/firstboot/scripts/11_createusers.sh
create mode 100755 sources/fds.in/c3d/firstboot/scripts/90_setupservices.sh
create mode 100644 sources/fds.in/c3d/mode.txt
create mode 100644 sources/fds.in/c3d/owner.txt
create mode 100644 sources/fds.in/c3d/postinstall/data/template.inf
create mode 100644 sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key
create mode 100644 sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub
create mode 100644 sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub
create mode 100644 sources/fds.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf
create mode 100644 sources/fds.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf
create mode 100644 sources/fds.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys
create mode 100755 sources/fds.in/c3d/postinstall/install-data/usr/local/bin/backupfds.sh
create mode 100755 sources/fds.in/c3d/postinstall/install-data/usr/local/bin/restorefds.sh
create mode 100644 sources/fds.in/c3d/postinstall/scp/copy.list
create mode 100755 sources/fds.in/c3d/postinstall/scripts/01_editfiles.sh
create mode 100755 sources/fds.in/c3d/postinstall/scripts/10_setupservices.sh
create mode 100644 sources/fds.in/c3d/postinstall/ssh/run.list
create mode 100644 sources/fds.in/config
create mode 100644 sources/fds.in/envvars
diff --git a/sources/fds.in/c3d/firstboot/data/USERS.txt b/sources/fds.in/c3d/firstboot/data/USERS.txt
new file mode 100644
index 0000000..f898685
--- /dev/null
+++ b/sources/fds.in/c3d/firstboot/data/USERS.txt
@@ -0,0 +1,15 @@ +akosztolanyi, Árpád, Kosztolányi, arpad.kosztolanyi@userrendszerhaz.hu, +36 20 583 7539 +csgulyas, Csaba, Gulyás, csaba.gulyas@userrendszerhaz.hu, +36 30 374 4065 +cslevai, Csilla, Lévai, csilla.levai@userrendszerhaz.hu, +36 30 280 8517 +dhorvath, Dénes, Horváth, denes.horvath@userrendszerhaz.hu, +36 30 971 8563 +dvasary, Dániel, Vásáry, daniel.vasary@userrendszerhaz.hu, +36 30 515 9417 +fritter, Ferenc, Ritter, ferenc.ritter@userrendszerhaz.hu, +36 20 937 8022 +fschnell, Ferenc, Schnellbach, ferenc.schnellbach@userrendszerhaz.hu, +36 30 950 2529 +khorvath, Kálmán, Horváth, kalman.horvath@userrendszerhaz.hu, +36 20 444 8693 +kkancz, Krisztián, Káncz, krisztian.kancz@userrendszerhaz.hu, +36 70 666 2663 +kvajda, Krisztina, Vajda, krisztina.vajda@userrendszerhaz.hu, +36 20 313 0028 +mszabo, Marcell, Szabó, marcell.szabo@userrendszerhaz.hu, +36 70 458 1234 +osweidan, Omár, Sweidan, omar.sweidan@userrendszerhaz.hu, +36 70 382 4621 +rrendek, Róbert, Rendek, robert.rendek@userrendszerhaz.hu, +36 30 977 5888 +tlevai, Tibor, Lévai, tibor.levai@userrendszerhaz.hu, +36 30 297 6481 +zfelleg, Zoltán, Felleg, zoltan.felleg@userrendszerhaz.hu, +36 20 954 1513 diff --git a/sources/fds.in/c3d/firstboot/data/user.inf b/sources/fds.in/c3d/firstboot/data/user.inf new file mode 100644 index 0000000..d9e83c6 --- /dev/null +++ b/sources/fds.in/c3d/firstboot/data/user.inf 
@@ -0,0 +1,92 @@ + +; +; This is a version 2 ds setup inf file. +; It is used by the python versions of setup-ds-* +; Most options map 1 to 1 to the original .inf file. +; However, there are some differences that I envision +; For example, note the split backend section. +; You should be able to create, one, many or no backends in an install +; +; The special value {instance_name} is substituted at installation time. +; +; By default, all configuration parameters in this file are commented out. +; To use an INF file with dscreate, you must at least set the parameters +; flagged with [REQUIRED]. + +[general] +# defaults (str) +# Description: Directory Server enables administrators to use the default values for cn=config entries from a specific version. If you set this parameter to "999999999", which is the default, the instance always uses the default values of the latest version. For example, to configure that the instance uses default values from version 1.3.5, set this parameter to "001003005". The format of this value is XXXYYYZZZ, where X is the major version, Y the minor version, and Z the patch level. Note that each part of the value uses 3 digits and must be filled with leading zeros if necessary. +# Default value: 999999999 +;defaults = 999999999 + +# full_machine_name (str) +# Description: Sets the fully qualified hostname (FQDN) of this system. When installing this instance with GSSAPI authentication behind a load balancer, set this parameter to the FQDN of the load balancer and, additionally, set "strict_host_checking" to "false". +# Default value: fds.in.useribm.hu +;full_machine_name = fds.in.useribm.hu + +# start (bool) +# Description: Starts the instance after the install completes. If false, the instance is created but started. +# Default value: True +;start = True + +# strict_host_checking (bool) +# Description: Sets whether the server verifies the forward and reverse record set in the "full_machine_name" parameter. 
When installing this instance with GSSAPI authentication behind a load balancer, set this parameter to "false". Container installs imply "false". +# Default value: False +;strict_host_checking = False + +[slapd] +# instance_name (str) +# Description: Sets the name of the instance. You can refer to this value in other parameters of this INF file using the "{instance_name}" variable. Note that this name cannot be changed after the installation! +# Default value: localhost +instance_name = user + +# ldapi (str) +# Description: Sets the location of socket interface of the Directory Server. +# Default value: /run/slapd-{instance_name}.socket +;ldapi = /run/slapd-{instance_name}.socket + +# port (int) +# Description: Sets the TCP port the instance uses for LDAP connections. +# Default value: 389 +;port = 389 + +# root_password (str) +# Description: Sets the password of the "cn=Directory Manager" account ("root_dn" parameter).You can either set this parameter to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility. The password must be at least 8 characters long. Note that setting a plain text password can be a security risk if unprivileged users can read this INF file! +# Default value: Directory_Manager_Password +root_password = Passw@rd01 + +# secure_port (int) +# Description: Sets the TCP port the instance uses for TLS-secured LDAP connections (LDAPS). +# Default value: 636 +;secure_port = 636 + +# self_sign_cert (bool) +# Description: Sets whether the setup creates a self-signed certificate and enables TLS encryption during the installation. The certificate is not suitable for production, but it enables administrators to use TLS right after the installation. You can replace the self-signed certificate with a certificate issued by a Certificate Authority. 
If set to False, you can enable TLS later by importing a CA/Certificate and enabling 'dsconf config replace nsslapd-security=on' +# Default value: True +;self_sign_cert = True + +# self_sign_cert_valid_months (int) +# Description: Set the number of months the issued self-signed certificate will be valid. +# Default value: 24 +;self_sign_cert_valid_months = 24 + +[backend-userroot] +# create_suffix_entry (bool) +# Description: Set this parameter to "True" to create a generic root node entry for the suffix in the database. +# Default value: False +create_suffix_entry = True + +# require_index (bool) +# Description: Set this parameter to "True" to refuse unindexed searches in this database. +# Default value: False +;require_index = False + +# sample_entries (str) +# Description: Set this parameter to 'yes' to add latest version of sample entries to this database. Or, use '001003006' to use the 1.3.6 version sample entries. Use this option, for example, to create a database for testing purposes. +# Default value: no +sample_entries = yes + +# suffix (str) +# Description: Sets the root suffix stored in this database. If you do not uncomment and set the suffix attribute the install process will NOT create the backend/suffix. You can also create multiple backends/suffixes by duplicating this section. +# Default value: +suffix = dc=user,dc=hu diff --git a/sources/fds.in/c3d/firstboot/scripts/01_setupnetworking.sh b/sources/fds.in/c3d/firstboot/scripts/01_setupnetworking.sh new file mode 100755 index 0000000..330f360 --- /dev/null +++ b/sources/fds.in/c3d/firstboot/scripts/01_setupnetworking.sh 
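Review bot: `root_password = Passw@rd01` stores the Directory Manager credential in plain text in an INF file that is shipped into the image under /c3d, while the comment directly above it warns that a plain-text value is a risk when unprivileged users can read the file; the same literal recurs in postinstall/data/template.inf (so every instance restorefds.sh creates gets it, and that script leaves the generated per-instance .inf behind) and as `-w Passw@rd01` in firstboot/scripts/11_createusers.sh. Prefer the `{algorithm}hash` form the comment describes (output of pwdhash), or substitute the value at deploy time the way template.inf already substitutes `__INSTANCE__`, and rotate this password now that it is in git history. The inherited `start` description in both files reads "If false, the instance is created but started"; the upstream wording is presumably "but not started" and is worth fixing while the file is being edited.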
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active NetworkManager.service
+ NM_RC=$?
+done
+[ $WAITED -eq 1 ] && echo
+
+CONNECTIONS=$(nmcli --terse connection show | wc -l)
+if [ $CONNECTIONS -ne 1 ]
+then
+ echo "Number of connections: $CONNECTIONS" >&2
+ exit 1
+fi
+
+nmcli --terse connection show | grep ':$' >/dev/null
+ALL_CONNECTION_DEVICES_KNOWN=$?
+while [ $ALL_CONNECTION_DEVICES_KNOWN -eq 0 ]
+do
+ echo "Not all connection devices are known yet" >&2
+ sleep 1
+ nmcli --terse connection show | grep ':$' >/dev/null
+ ALL_CONNECTION_DEVICES_KNOWN=$?
+done
+
+CONNECTION_LINE=$(nmcli --terse connection show)
+CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+CONNECTION_DEVICE=$(echo $CONNECTION_LINE | cut -f 4 -d ':')
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id internal \
+ connection.interface-name $CONNECTION_DEVICE \
+ connection.type 802-3-ethernet \
+ ipv4.addresses "10.228.109.64/16" \
+ ipv4.dns "10.228.109.159, 10.228.92.159" \
+ ipv4.dns-search "in.useribm.hu" \
+ ipv4.gateway "10.228.109.254" \
+ ipv4.method "manual" \
+ ipv6.addresses "2a02:d400:0000:f268:000c:18ff:fe03:6d40/64" \
+ ipv6.dns "2a02:d400:0000:f268:000c:18ff:fe03:6d9f, 2a02:d400:0000:f268:000c:18ff:fe03:5c9f" \
+ ipv6.dns-search "in.useribm.hu" \
+ ipv6.gateway "2a02:d400:0000:f268:000c:18ff:fe03:6dfe" \
+ ipv6.method "manual" \
+ save yes
+
+nmcli connection delete uuid "$CONNECTION_UUID"
+
+nmcli connection show
diff --git a/sources/fds.in/c3d/firstboot/scripts/02_settimezone.sh b/sources/fds.in/c3d/firstboot/scripts/02_settimezone.sh
new file mode 100755
index 0000000..20b2a71
--- /dev/null
+++ b/sources/fds.in/c3d/firstboot/scripts/02_settimezone.sh
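Review bot: The two polling loops (`while [ $NM_RC -ne 0 ]` and `while [ $ALL_CONNECTION_DEVICES_KNOWN -eq 0 ]`) have no upper bound, so if NetworkManager never becomes active or a connection never reports a device, first boot hangs silently forever; 02_settimezone.sh has the same unbounded loop on dbus.service. A counter checked inside each loop, e.g. `TRIES=$((TRIES + 1)); [ "$TRIES" -le 120 ] || exit 1`, turns that into a diagnosable failure that the next script can see. Separately, `$CONNECTION_LINE` is expanded unquoted into `echo ... | cut`, and `echo -n` is not portable under `#!/bin/sh`; `printf '%s\n' "$CONNECTION_LINE" | cut -f 2 -d ':'` avoids both.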
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+ if [ $WAITED -eq 0 ]
+ then
+ echo -n "Waiting for dbus.service"
+ fi
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active dbus.service
+ DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/fds.in/c3d/firstboot/scripts/10_setupds.sh b/sources/fds.in/c3d/firstboot/scripts/10_setupds.sh
new file mode 100755
index 0000000..22b77b6
--- /dev/null
+++ b/sources/fds.in/c3d/firstboot/scripts/10_setupds.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+DATA_PATH=$(realpath $REAL_PATH/../data)
+
+
+/usr/local/bin/restorefds.sh
+if [ $? -eq 0 ]
+then
+ exit 0
+fi
+
+if [ ! -f $DATA_PATH/user.inf ]
+then
+ dscreate create-template $DATA_PATH/user.inf
+ vi $DATA_PATH/user.inf
+fi
+
+dscreate from-file $DATA_PATH/user.inf
+dsconf user plugin memberof enable
diff --git a/sources/fds.in/c3d/firstboot/scripts/11_createusers.sh b/sources/fds.in/c3d/firstboot/scripts/11_createusers.sh
new file mode 100755
index 0000000..5ab61b8
--- /dev/null
+++ b/sources/fds.in/c3d/firstboot/scripts/11_createusers.sh
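Review bot: In 10_setupds.sh, `vi $DATA_PATH/user.inf` runs an interactive editor from a first-boot script that has no terminal to drive it, so when stdin is not a TTY the command fails or blocks the rest of the boot sequence; the branch should instead report that the template needs to be filled in and `exit 1`. Since user.inf is shipped in firstboot/data by this same commit the branch is unlikely to be taken, but it remains a trap on a fresh data directory. Note also that `exit 0` is taken whenever restorefds.sh succeeds, so `dsconf user plugin memberof enable` is skipped on a restored instance — presumably intended because the restored config carries that state, which deserves a comment on the `exit 0` line such as `# restore succeeded: memberof state comes from the backed-up config`.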
@@ -0,0 +1,109 @@
+#!/bin/sh
+set -x
+exit 0
+
+
+REAL_PATH=$(realpath $(dirname $0))
+DATA_PATH=$(realpath $REAL_PATH/../data)
+FDS_INPUT_FILE=$DATA_PATH/FDS_INPUT.txt
+UIDS_FILE=$DATA_PATH/UIDS.txt
+USERS_FILE=$DATA_PATH/USERS.txt
+
+
+>$FDS_INPUT_FILE
+>$UIDS_FILE
+cat $USERS_FILE | while read LINE
+do
+ COMPACT_LINE=$(echo $LINE | sed 's/, /,/g')
+ LOGIN_NAME=$(echo $COMPACT_LINE | cut -f 1 -d ',')
+ LOGIN_MD5SUM=$(echo $LOGIN_NAME | md5sum | awk '{print $1}')
+ UID_POSITION=30
+ UID_IS_UNIQUE=0
+ while [ $UID_IS_UNIQUE -eq 0 ]
+ do
+ LOGIN_UID=$(echo $LOGIN_MD5SUM | cut -c ${UID_POSITION}- | cut -c 1-3)
+ grep $LOGIN_UID $UIDS_FILE >/dev/null 2>&1
+ if [ $? -eq 1 ]
+ then
+ INT_UID=$(python -c "print(10000 + int('$LOGIN_UID', 16))")
+ echo $LOGIN_UID >>$UIDS_FILE
+ echo "${INT_UID},$COMPACT_LINE" >>$FDS_INPUT_FILE
+ UID_IS_UNIQUE=1
+ else
+ UID_POSITION=$(( $UID_POSITION - 1 ))
+ echo "$LOGIN_NAME has been shifted to $UID_POSITION"
+ if [ $UID_POSITION -eq 0 ]
+ then
+ echo "Cannot generate unique uid for $LOGIN_NAME" >&2
+ exit 1
+ fi
+ fi
+ done
+done
+
+cat $FDS_INPUT_FILE | while read INPUT_LINE
+do
+ LOGIN_UID=$(echo $INPUT_LINE | cut -f 1 -d ',')
+ LOGIN_NAME=$(echo $INPUT_LINE | cut -f 2 -d ',')
+ FIRSTNAME=$(echo $INPUT_LINE | cut -f 3 -d ',')
+ LASTNAME=$(echo $INPUT_LINE | cut -f 4 -d ',')
+ EMAIL_ADDRESS=$(echo $INPUT_LINE | cut -f 5 -d ',')
+ MOBILE_NUMBER=$(echo $INPUT_LINE | cut -f 6 -d ',')
+
+ dsidm -b dc=user,dc=hu \
+ user \
+ group \
+ create \
+ --cn $LOGIN_NAME
+
+ LDIF_FILE=$(mktemp)
+ echo "dn: cn=${LOGIN_NAME},ou=groups,dc=user,dc=hu" >$LDIF_FILE
+ echo "changetype: modify" >>$LDIF_FILE
+ echo "add: objectClass" >>$LDIF_FILE
+ echo "objectClass: posixGroup" >>$LDIF_FILE
+ echo "-" >>$LDIF_FILE
+ echo "add: gidNumber" >>$LDIF_FILE
+ echo "gidNumber: $LOGIN_UID" >>$LDIF_FILE
+
+ ldapmodify -D "cn=Directory Manager" \
+ -w Passw@rd01 \
+ -f $LDIF_FILE
+
+ rm --force $LDIF_FILE
+
+ dsidm -b dc=user,dc=hu \
+ user \
+ user \
+ create \
+ --uid $LOGIN_NAME \
+ --cn $LOGIN_NAME \
+ --displayName "$FIRSTNAME $LASTNAME" \
+ --uidNumber $LOGIN_UID \
+ --gidNumber $LOGIN_UID \
+ --homeDirectory /home/$LOGIN_NAME
+
+ LDIF_FILE=$(mktemp)
+ echo "dn: uid=${LOGIN_NAME},ou=people,dc=user,dc=hu" >$LDIF_FILE
+ echo "changetype: modify" >>$LDIF_FILE
+ echo "add: mail" >>$LDIF_FILE
+ echo "mail: $EMAIL_ADDRESS" >>$LDIF_FILE
+ echo "-" >>$LDIF_FILE
+ echo "add: mobile" >>$LDIF_FILE
+ echo "mobile: $MOBILE_NUMBER" >>$LDIF_FILE
+ echo "-" >>$LDIF_FILE
+ echo "add: userPassword" >>$LDIF_FILE
+ echo "userPassword: pwd" >>$LDIF_FILE
+
+ ldapmodify -D "cn=Directory Manager" \
+ -w Passw@rd01 \
+ -f $LDIF_FILE
+
+ rm --force $LDIF_FILE
+
+ dsidm -b dc=user,dc=hu \
+ user \
+ group \
+ add_member \
+ $LOGIN_NAME \
+ uid=${LOGIN_NAME},ou=people,dc=user,dc=hu
+done
diff --git a/sources/fds.in/c3d/firstboot/scripts/90_setupservices.sh b/sources/fds.in/c3d/firstboot/scripts/90_setupservices.sh
new file mode 100755
index 0000000..91d07a1
--- /dev/null
+++ b/sources/fds.in/c3d/firstboot/scripts/90_setupservices.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+
+systemctl enable NetworkManager-wait-online.service
+systemctl start NetworkManager-wait-online.service
+
+systemctl enable cockpit.socket
+systemctl start cockpit.socket
+
+systemctl enable logrotate.timer
+systemctl start logrotate.timer
diff --git a/sources/fds.in/c3d/mode.txt b/sources/fds.in/c3d/mode.txt
new file mode 100644
index 0000000..6ae0dac
--- /dev/null
+++ b/sources/fds.in/c3d/mode.txt
@@ -0,0 +1,7 @@
+# mode file (relative to /c3d)
+755 firstboot/scripts/*.sh
+440 postinstall/install-data/etc/ssh/ssh_host_*_key
+444 postinstall/install-data/etc/ssh/ssh_host_*_key.pub
+600 postinstall/install-data/etc/ssh/sshd_config.d/*.conf
+755 postinstall/install-data/usr/local/bin/*.sh
+755 postinstall/scripts/*.sh
diff --git a/sources/fds.in/c3d/owner.txt b/sources/fds.in/c3d/owner.txt
new file mode 100644
index 0000000..aac9818
--- /dev/null
+++ b/sources/fds.in/c3d/owner.txt
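Review bot: `set -x` on line 2 of 11_createusers.sh combined with `ldapmodify ... -w Passw@rd01` (in both ldapmodify calls) writes the Directory Manager password to the trace output and exposes it in the process list for the duration of each call; read it from a root-only file with `-y "$PW_FILE"` instead and keep `set -x` off in this script. Every created account also receives the identical `userPassword: pwd` line, so all fifteen users in USERS.txt start with the same trivially guessable credential; generate a per-user initial value or leave the attribute unset and provision passwords through a separate, expiring step. Line 3 is an unconditional `exit 0`, which makes the whole script dead code — if that is a deliberate kill switch it needs a comment such as `# disabled: users are restored from backup by 10_setupds.sh`, otherwise it should be removed. Finally, the `exit 1` under "Cannot generate unique uid" runs inside the `cat | while` pipeline subshell, so it only ends that loop and the second loop still runs on a partial FDS_INPUT.txt; `while read LINE; do ...; done <"$USERS_FILE"` keeps the loop in the main shell so the abort takes effect.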
@@ -0,0 +1,3 @@
+# owner file (relative to /c3d)
+# shell globbing does not work
+root.ssh_keys postinstall/install-data/etc/ssh/ssh_host_ed25519_key
diff --git a/sources/fds.in/c3d/postinstall/data/template.inf b/sources/fds.in/c3d/postinstall/data/template.inf
new file mode 100644
index 0000000..f80a62f
--- /dev/null
+++ b/sources/fds.in/c3d/postinstall/data/template.inf
@@ -0,0 +1,93 @@ + +; +; This is a version 2 ds setup inf file. +; It is used by the python versions of setup-ds-* +; Most options map 1 to 1 to the original .inf file. +; However, there are some differences that I envision +; For example, note the split backend section. +; You should be able to create, one, many or no backends in an install +; +; The special value {instance_name} is substituted at installation time. +; +; By default, all configuration parameters in this file are commented out. +; To use an INF file with dscreate, you must at least set the parameters +; flagged with [REQUIRED]. + +[general] +# defaults (str) +# Description: Directory Server enables administrators to use the default values for cn=config entries from a specific version. If you set this parameter to "999999999", which is the default, the instance always uses the default values of the latest version. For example, to configure that the instance uses default values from version 1.3.5, set this parameter to "001003005". The format of this value is XXXYYYZZZ, where X is the major version, Y the minor version, and Z the patch level. Note that each part of the value uses 3 digits and must be filled with leading zeros if necessary. +# Default value: 999999999 +;defaults = 999999999 + +# full_machine_name (str) +# Description: Sets the fully qualified hostname (FQDN) of this system. When installing this instance with GSSAPI authentication behind a load balancer, set this parameter to the FQDN of the load balancer and, additionally, set "strict_host_checking" to "false". +# Default value: fds.in.useribm.hu +;full_machine_name = fds.in.useribm.hu + +# start (bool) +# Description: Starts the instance after the install completes. If false, the instance is created but started. +# Default value: True +start = False + +# strict_host_checking (bool) +# Description: Sets whether the server verifies the forward and reverse record set in the "full_machine_name" parameter. 
When installing this instance with GSSAPI authentication behind a load balancer, set this parameter to "false". Container installs imply "false". +# Default value: False +;strict_host_checking = False + +[slapd] +# instance_name (str) +# Description: Sets the name of the instance. You can refer to this value in other parameters of this INF file using the "{instance_name}" variable. Note that this name cannot be changed after the installation! +# Default value: localhost +instance_name = __INSTANCE__ + +# ldapi (str) +# Description: Sets the location of socket interface of the Directory Server. +# Default value: /run/slapd-{instance_name}.socket +;ldapi = /run/slapd-{instance_name}.socket + +# port (int) +# Description: Sets the TCP port the instance uses for LDAP connections. +# Default value: 389 +;port = 389 + +# root_password (str) +# Description: Sets the password of the "cn=Directory Manager" account ("root_dn" parameter).You can either set this parameter to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility. The password must be at least 8 characters long. Note that setting a plain text password can be a security risk if unprivileged users can read this INF file! +# Default value: Directory_Manager_Password +root_password = Passw@rd01 + +# secure_port (int) +# Description: Sets the TCP port the instance uses for TLS-secured LDAP connections (LDAPS). +# Default value: 636 +;secure_port = 636 + +# self_sign_cert (bool) +# Description: Sets whether the setup creates a self-signed certificate and enables TLS encryption during the installation. The certificate is not suitable for production, but it enables administrators to use TLS right after the installation. You can replace the self-signed certificate with a certificate issued by a Certificate Authority. 
If set to False, you can enable TLS later by importing a CA/Certificate and enabling 'dsconf config replace nsslapd-security=on' +# Default value: True +;self_sign_cert = True + +# self_sign_cert_valid_months (int) +# Description: Set the number of months the issued self-signed certificate will be valid. +# Default value: 24 +;self_sign_cert_valid_months = 24 + +[backend-userroot] +# create_suffix_entry (bool) +# Description: Set this parameter to "True" to create a generic root node entry for the suffix in the database. +# Default value: False +create_suffix_entry = True + +# require_index (bool) +# Description: Set this parameter to "True" to refuse unindexed searches in this database. +# Default value: False +;require_index = False + +# sample_entries (str) +# Description: Set this parameter to 'yes' to add latest version of sample entries to this database. Or, use '001003006' to use the 1.3.6 version sample entries. Use this option, for example, to create a database for testing purposes. +# Default value: no +sample_entries = yes + +# suffix (str) +# Description: Sets the root suffix stored in this database. If you do not uncomment and set the suffix attribute the install process will NOT create the backend/suffix. You can also create multiple backends/suffixes by duplicating this section. +# Default value: +suffix = dc=template,dc=instance + diff --git a/sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key new file mode 100644 index 0000000..2f1f00e --- /dev/null +++ b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key 
@@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACDRTBjwMecuCiYxGgcoySLtkGmK+jk8JzFyHiq3KspdPQAAAIgJfb9NCX2/ +TQAAAAtzc2gtZWQyNTUxOQAAACDRTBjwMecuCiYxGgcoySLtkGmK+jk8JzFyHiq3KspdPQ +AAAED1gyRXOQ9wxak/0h7Xf7fmfv0y243k6jBRBE2RLfl1HtFMGPAx5y4KJjEaByjJIu2Q +aYr6OTwnMXIeKrcqyl09AAAAAAECAwQF +-----END OPENSSH PRIVATE KEY----- diff --git a/sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub new file mode 100644 index 0000000..fb71b84 --- /dev/null +++ b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key-cert.pub @@ -0,0 +1 @@ +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIIXMMHDJY1dFtR3YZiRFeGPQQh9KJbLIzG6wc7WOZ644AAAAINFMGPAx5y4KJjEaByjJIu2QaYr6OTwnMXIeKrcqyl09AAAAAAAAAAAAAAACAAAAEWZkcy5pbi51c2VyaWJtLmh1AAAAFQAAABFmZHMuaW4udXNlcmlibS5odQAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIEXYIIzrUSx8/BQ6/ttkSr5oEyB5F5Yg4bp1DOkqDON9AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEAvBMtWdglpRWWQaP8S0mTS3yh+MeguVTCGVavzQ/8f9V6V48/1c+DdloQfadJfRaH/RUnUT4tIaXRY3o3PVnsP ssh_host_ed25519_key.pub diff --git a/sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub new file mode 100644 index 0000000..6276c28 --- /dev/null +++ b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINFMGPAx5y4KJjEaByjJIu2QaYr6OTwnMXIeKrcqyl09 diff --git a/sources/fds.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf new file mode 100644 index 0000000..173b545 --- /dev/null +++ b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-host-cert.conf 
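Review bot: sources/fds.in/c3d/postinstall/install-data/etc/ssh/ssh_host_ed25519_key is a private SSH host key committed in clear text, so every clone of this repository and its history now holds the identity that `HostCertificate` in 99-host-cert.conf vouches for; mode.txt's `440` and owner.txt's `root.ssh_keys` only protect the installed copy, not the repository. Treat this key as compromised: generate a fresh host key at deploy time (or inject it from a secrets store at install), issue a new certificate for it, and purge this one from history. The accompanying ssh_host_ed25519_key-cert.pub and .pub files are fine to version once they belong to a key that never enters git.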
@@ -0,0 +1 @@
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
diff --git a/sources/fds.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf
new file mode 100644
index 0000000..115882b
--- /dev/null
+++ b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/sshd_config.d/99-user-CA.conf
@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/trusted-user-ca.keys
diff --git a/sources/fds.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys
new file mode 100644
index 0000000..84d19e3
--- /dev/null
+++ b/sources/fds.in/c3d/postinstall/install-data/etc/ssh/trusted-user-ca.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcf/XXU8dNVtbveGmwbdnRJfYIItzxKmgRkzlp0k6r5 user-CA
diff --git a/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/backupfds.sh b/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/backupfds.sh
new file mode 100755
index 0000000..1577bf6
--- /dev/null
+++ b/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/backupfds.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+set -x
+
+
+BACKUP_BASE=$(mktemp --directory)
+BACKUP_PATH=$BACKUP_BASE/backup
+TMP_PATH=$(dirname $BACKUP_BASE)
+
+
+mkdir $BACKUP_PATH
+dsctl --list | sed 's/^slapd-//' >>$BACKUP_PATH/instances
+cat $BACKUP_PATH/instances | while read INSTANCE
+do
+ echo "Starting backup of $INSTANCE directory server instance"
+ INSTANCE_STATUS=$(dsctl $INSTANCE status)
+ echo $INSTANCE_STATUS | grep 'is running$' >/dev/null 2>&1
+ RC=$?
+ if [ $RC -eq 0 ]
+ then
+ INSTANCE_ORIG_STATUS="running"
+ echo "Stopping $INSTANCE directory server instance"
+ dsctl $INSTANCE stop
+ else
+ INSTANCE_ORIG_STATUS="not running"
+ fi
+ INSTANCE_STATUS=$(dsctl $INSTANCE status)
+ echo $INSTANCE_STATUS | grep 'is not running$' >/dev/null 2>&1
+ RC=$?
+ if [ $RC -ne 0 ]
+ then
+ echo "Could not stop $INSTANCE directory server instance, exiting" >&2
+ exit 1
+ fi
+ echo "Backing up $INSTANCE directory server instance"
+ rm --force --recursive $TMP_PATH/$INSTANCE
+ dsctl $INSTANCE db2bak $TMP_PATH/$INSTANCE
+ mv $TMP_PATH/$INSTANCE $BACKUP_PATH
+ tar --create \
+ --file $BACKUP_PATH/${INSTANCE}.etc.tar \
+ /etc/dirsrv/slapd-$INSTANCE
+ if [ "$INSTANCE_ORIG_STATUS" == "running" ]
+ then
+ echo "Restarting $INSTANCE directory server instance"
+ dsctl $INSTANCE start
+ fi
+ echo "Finished backup of $INSTANCE directory server instance"
+done
+
+echo "Creating backup archive"
+tar --create \
+ --directory=$BACKUP_BASE \
+ --file $TMP_PATH/fds.tar \
+ backup
+
+rm --force --recursive $BACKUP_BASE
diff --git a/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/restorefds.sh b/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/restorefds.sh
new file mode 100755
index 0000000..4da4bfc
--- /dev/null
+++ b/sources/fds.in/c3d/postinstall/install-data/usr/local/bin/restorefds.sh
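Review bot: The archive is written to `$TMP_PATH/fds.tar`, where `TMP_PATH=$(dirname $BACKUP_BASE)` is the shared temp directory rather than the private one mktemp created, and `dsctl $INSTANCE db2bak $TMP_PATH/$INSTANCE` plus the preceding `rm --force --recursive $TMP_PATH/$INSTANCE` also operate on predictable names there; the archive holds /etc/dirsrv/slapd-* (which typically contains the instance's dse.ldif and NSS database) and the raw database export, so its location and permissions matter. Keep everything inside `$BACKUP_BASE` (`dsctl $INSTANCE db2bak $BACKUP_PATH/$INSTANCE` and drop the `mv`), set `umask 077` at the top, and write the final tar to a root-owned directory that copy.list then references instead of /tmp/fds.tar. `[ "$INSTANCE_ORIG_STATUS" == "running" ]` uses the bash-only `==` under `#!/bin/sh` — an unknown operator on dash, so a stopped instance would not be restarted there, harmless where /bin/sh is bash — and `=` is the portable form. The `exit 1` after "Could not stop" runs in the `cat | while` subshell, so the script still proceeds to "Creating backup archive" with an incomplete backup; `done <"$BACKUP_PATH/instances"` keeps the loop in the main shell.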
@@ -0,0 +1,66 @@
+#!/bin/sh
+set -x
+
+
+DIRSRV_BACKUP_BASE=/var/lib/dirsrv
+POSTINSTALL_DATA_PATH=/c3d/postinstall/data
+POSTINSTALL_SCP_PATH=/c3d/postinstall/scp
+RESTORE_BASE=$(mktemp --directory)
+RESTORE_PATH=$RESTORE_BASE/backup
+TMP_PATH=$(dirname $RESTORE_BASE)
+
+
+if [ ! -f $POSTINSTALL_SCP_PATH/fds.tar ]
+then
+ echo "No restore file found, exiting" >&2
+ exit 1
+fi
+
+tar --extract \
+ --directory=$RESTORE_BASE \
+ --file $POSTINSTALL_SCP_PATH/fds.tar
+
+cat $RESTORE_PATH/instances | while read INSTANCE
+do
+ echo "Starting restore of $INSTANCE directory server instance"
+ INSTANCE_EXISTS=$(dsctl --list | grep -w $INSTANCE | wc -l)
+ if [ $INSTANCE_EXISTS -eq 1 ]
+ then
+ INSTANCE_STATUS=$(dsctl $INSTANCE status)
+ echo $INSTANCE_STATUS | grep 'is running$' >/dev/null 2>&1
+ RC=$?
+ if [ $RC -eq 0 ]
+ then
+ echo "Stopping $INSTANCE directory server instance"
+ dsctl $INSTANCE stop
+ fi
+ INSTANCE_STATUS=$(dsctl $INSTANCE status)
+ echo $INSTANCE_STATUS | grep 'is not running$' >/dev/null 2>&1
+ RC=$?
+ if [ $RC -ne 0 ]
+ then
+ echo "Could not stop $INSTANCE directory server instance, exiting" >&2
+ exit 1
+ fi
+ else
+ sed "s/__INSTANCE__/$INSTANCE/" \
+ <$POSTINSTALL_DATA_PATH/template.inf \
+ >$POSTINSTALL_DATA_PATH/${INSTANCE}.inf
+ dscreate from-file $POSTINSTALL_DATA_PATH/${INSTANCE}.inf
+ #rm --force $POSTINSTALL_DATA_PATH/${INSTANCE}.inf
+ fi
+ echo "Restoring $INSTANCE directory server instance"
+ rm --force --recursive /etc/dirsrv/slapd-$INSTANCE/*
+ tar --extract \
+ --directory=/ \
+ --file $RESTORE_PATH/${INSTANCE}.etc.tar
+ INSTANCE_RESTORE_PATH=$DIRSRV_BACKUP_BASE/slapd-$INSTANCE/bak/restore
+ rm --force --recursive $INSTANCE_RESTORE_PATH
+ cp --archive $RESTORE_PATH/$INSTANCE $INSTANCE_RESTORE_PATH
+ dsctl $INSTANCE bak2db $INSTANCE_RESTORE_PATH
+ echo "(Re)starting $INSTANCE directory server instance"
+ dsctl $INSTANCE start
+ echo "Restored $INSTANCE directory server instance"
+done
+
+rm --force --recursive $RESTORE_BASE
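Review bot: `INSTANCE` is read from the `instances` file inside the restored archive and used unvalidated to build `rm --force --recursive /etc/dirsrv/slapd-$INSTANCE/*`, the `sed "s/__INSTANCE__/$INSTANCE/"` expression and several other paths, all unquoted; a blank line or a name containing whitespace, `/` or `..` would make those commands act on paths the script never intended. A whitelist check at the top of the loop, `case "$INSTANCE" in ''|*[!A-Za-z0-9_-]*) echo "bad instance name" >&2; exit 1;; esac`, plus quoting `"$INSTANCE"` in the expansions, closes that. As in backupfds.sh, that `exit 1` (and the existing "Could not stop" one) only leaves the `cat | while` subshell, so redirecting the file into the loop with `done <"$RESTORE_PATH/instances"` is needed for the abort to take effect. The commented-out `#rm --force $POSTINSTALL_DATA_PATH/${INSTANCE}.inf` leaves a file containing `root_password` in plain text under /c3d/postinstall/data after each restore; either re-enable it or say in a comment why it stays.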
diff --git a/sources/fds.in/c3d/postinstall/scp/copy.list b/sources/fds.in/c3d/postinstall/scp/copy.list
new file mode 100644
index 0000000..e855d8b
--- /dev/null
+++ b/sources/fds.in/c3d/postinstall/scp/copy.list
@@ -0,0 +1,2 @@
+# source_host source_path target_path
+fds.in.useribm.hu /tmp/fds.tar fds.tar
diff --git a/sources/fds.in/c3d/postinstall/scripts/01_editfiles.sh b/sources/fds.in/c3d/postinstall/scripts/01_editfiles.sh
new file mode 100755
index 0000000..f1a0941
--- /dev/null
+++ b/sources/fds.in/c3d/postinstall/scripts/01_editfiles.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+sed --in-place=.orig \
+ 's/^root:\*:/root:$6$pjGwTSJ0nLVFYCFj$8AgOeicYbI6AEWb8nIQISOcGaF3T3TuFvexv7xR8dzMpEfZzHc.iI14HqVyM0rv5PgmQerUJmwNLq3DLkAaBU.:/' \
+ /etc/shadow
diff --git a/sources/fds.in/c3d/postinstall/scripts/10_setupservices.sh b/sources/fds.in/c3d/postinstall/scripts/10_setupservices.sh
new file mode 100755
index 0000000..14dc7d6
--- /dev/null
+++ b/sources/fds.in/c3d/postinstall/scripts/10_setupservices.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+
+systemctl disable NetworkManager-wait-online.service
+
+systemctl disable cockpit.socket
+
+systemctl disable logrotate.timer
diff --git a/sources/fds.in/c3d/postinstall/ssh/run.list b/sources/fds.in/c3d/postinstall/ssh/run.list
new file mode 100644
index 0000000..adb1dab
--- /dev/null
+++ b/sources/fds.in/c3d/postinstall/ssh/run.list
@@ -0,0 +1,2 @@
+# target_host target_user target_executable
+fds.in.useribm.hu root /usr/local/bin/backupfds.sh
diff --git a/sources/fds.in/config b/sources/fds.in/config
new file mode 100644
index 0000000..74360d3
--- /dev/null
+++ b/sources/fds.in/config
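Review bot: In 01_editfiles.sh the SHA-512 crypt hash for root is committed verbatim into the repository, so anyone with read access to the tree or its history can run an offline guess against it, and the password it encodes is shared by every container built from this source. Generate the hash at build time from a secret supplied outside the repository and apply it with `printf 'root:%s\n' "$HASH" | chpasswd -e` rather than a `sed --in-place` on /etc/shadow, which bypasses the file's locking and only fires when the field is literally `*` (a `!`-locked entry is left untouched without any error). The `--in-place=.orig` backup keeps a second copy of the shadow file at /etc/shadow.orig, which should be removed once the edit is verified.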
@@ -0,0 +1,21 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = fds.in.useribm.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = bri-dev
+lxc.net.0.hwaddr = 02:0c:18:03:6d:40
+
+lxc.autodev = 1
+
+lxc.cgroup2.devices.allow = a
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = __CONTAINER_START_ORDER__
+lxc.start.delay = 5
diff --git a/sources/fds.in/envvars b/sources/fds.in/envvars
new file mode 100644
index 0000000..979f882
--- /dev/null
+++ b/sources/fds.in/envvars
@@ -0,0 +1,3 @@
+DISTRIBUTION=Fedora
+DISTRIBUTION_VERSION=35
+SPEC_PACKAGES="389-ds-base cockpit cockpit-389-ds openssh-clients openssh-server"
-- 
2.54.0
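Review bot: `lxc.cgroup2.devices.allow = a` grants the container access to every host device node, and `lxc.mount.auto = proc:rw sys:ro` mounts /proc writable; with no `lxc.idmap` in this file the container appears to run privileged, so root inside it can reach host devices and a writable /proc/sys. Unless a specific device is actually needed (nothing in the firstboot or postinstall scripts in this commit uses one), drop the blanket allow and rely on what common.conf sets up, and prefer `proc:mixed` so /proc/sys stays read-only. `lxc.net.0.hwaddr = 02:0c:18:03:6d:40` is a fixed MAC whose EUI-64 form (000c:18ff:fe03:6d40) is exactly the interface identifier of the static IPv6 address in 01_setupnetworking.sh, a coupling worth recording next to it: `# fixed MAC: its EUI-64 is the ...fe03:6d40 suffix hard-coded in firstboot/scripts/01_setupnetworking.sh`.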