diff options
| author | Luke Shumaker <lukeshu@sbcglobal.net> | 2017-02-05 00:22:11 +0000 |
|---|---|---|
| committer | Luke Shumaker <lukeshu@sbcglobal.net> | 2017-02-05 00:22:11 +0000 |
| commit | d3a59dddd4e7980af04812ee19474ed2aaecc37c (patch) | |
| tree | 58f2b7b0e50d69cae112215660fafbf1ecf6c892 | |
| parent | 71b30fe252375ce9cd17564309f0598b768bfec5 (diff) | |
more
| -rwxr-xr-x | build | 1 | ||||
| -rw-r--r-- | config-mgmt-nshd.PKGBUILD | 29 | ||||
| -rw-r--r-- | config-mgmt-ssh.PKGBUILD | 33 | ||||
| -rw-r--r-- | config-service-repo.PKGBUILD | 4 |
4 files changed, 55 insertions, 12 deletions
@@ -12,6 +12,7 @@ main() { for src in *.PKGBUILD; do pkg="$(pkgfilename "$src")" while ! { test "$src" -ot "$pkg" && test config.sh -ot "$pkg"; } 2>/dev/null; do + printf '%s: Building %q\n' "$0" "$src" makepkg -d -p "$src" || exit $? pkg="$(pkgfilename "$src")" done diff --git a/config-mgmt-nshd.PKGBUILD b/config-mgmt-nshd.PKGBUILD index b3336e3..cd16f17 100644 --- a/config-mgmt-nshd.PKGBUILD +++ b/config-mgmt-nshd.PKGBUILD @@ -1,5 +1,5 @@ . ${BUILDFILE%/*}/common.sh -pkgver=20170203.3 +pkgver=20170204.4 package() { preamble @@ -33,16 +33,19 @@ add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/nsswitch.conf.holoscript < #!/bin/sh sed 's/ ldap//' | sed -r '/^(passwd|group|shadow):/s/(files|compat)/files ldap/' EOF +add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/pam.d/passwd.holoscript <<EOF +#!/bin/sh +sed -e '/ldap/d' | +sed -e 's/^password required pam_unix[.]so/#&/' \\ + -e '\$apassword required pam_ldap.so minimum_uid=1000' +EOF # However, instead of running the normal `nslcd` LDAP client daemon, # the system has ben configured to run the [parabola-hackers-nshd][] # `nshd` daemon, which reads user infomation from the same # `hackers.git` checkout (configured the same way). This way we dn't # have to worry about keeping `/etc/passwd` in sync with -# `hackers.git`. To this end, PAM has also been configured to create -# a users home directory when they log in if it doesn't already exist. -# Because `hackers.git` doesn't store any password information, `nshd` -# stores password hashes in `/etc/nshd/shadow`. +# `hackers.git`. # # [parabola-hackers-nshd]: https://www.parabola.nu/packages/libre/x86_64/parabola-hackers-nshd/ add-unit etc/systemd/system/sockets.target.wants/nshd.socket @@ -50,12 +53,16 @@ add-unit etc/systemd/system/dbus.service.wants/nshd.service # (temporary [system # # [sytemd bug workaround][]: https://projects.parabola.nu/packages/parabola-hackers.git/tree/nshd.service.in#n19 -# Sometimes after something fails in PAM, you get a "User not known to -# the underlying authentication module" message. For exaple, the -# `pam_ldap.so.2` failed because you typed your password wrong, but -# the PAM caller thinks `pam_ldap` failed because it didn't "own" the -# user. I think that it's just a bug in PAM's message selection. But -# (TODO) we should actually track it down. +# To this end, PAM has also been configured to create a users home +# directory when they log in if it doesn't already exist. +add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/pam.d/system-login.holoscript <<EOF +#!/bin/sh +sed '/pam_mkhomedir/d' +echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0077' +EOF + +# Because `hackers.git` doesn't store any password information, `nshd` +# stores password hashes in `/etc/nshd/shadow`. postamble } diff --git a/config-mgmt-ssh.PKGBUILD b/config-mgmt-ssh.PKGBUILD new file mode 100644 index 0000000..2c2831a --- /dev/null +++ b/config-mgmt-ssh.PKGBUILD @@ -0,0 +1,33 @@ +. ${BUILDFILE%/*}/common.sh +pkgver=20170204.5 + +package() { +preamble + +depends=(openssh) + +add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/ssh/sshd_config.holoscript <<EOF +#!/bin/sh +{ + sed ' + /^#Port/{ + aPort 22 + aPort 1863 + } + /^#PermitRootLogin/{ + aPermitRootLogin no + } + ' + echo + echo '## Crypto improvements' + echo '## https://stribika.github.io/2015/01/04/secure-secure-shell.html' + echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' + echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' + echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' +} | awk '\$0==""||!x[\$0]++' +EOF + +add-unit etc/systemd/system/multi-user.target.wants/sshd.service + +postamble +} diff --git a/config-service-repo.PKGBUILD b/config-service-repo.PKGBUILD index d66c122..9cb64e1 100644 --- a/config-service-repo.PKGBUILD +++ b/config-service-repo.PKGBUILD @@ -1,5 +1,5 @@ . ${BUILDFILE%/*}/common.sh -pkgver=20170203.4 +pkgver=20170204 provides=(pacman-mirrorlist) conflicts=(pacman-mirrorlist) @@ -130,6 +130,8 @@ add-unit etc/systemd/system/sockets.target.wants/rsyncd.socket add-file -m644 usr/share/holo/files/10-"$pkgname"/etc/rsyncd.conf <<EOF # The uid, port, et c. are configured in the systemd units. +use chroot = no + [repos] path = /srv/repo/main comment = Parabola repos |