authorChristian Pointner <equinox@spreadspace.org>2023-10-26 13:58:00 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-10-26 13:58:00 +0200
commitdef061765aa3f4422472bc08a65bfc3e7f57b3ea (patch)
tree6b4173aabd89073d921a7a5834a55ee781bd078a /roles/apps/whawty/auth/instance/templates
parentx509/certs: fix renewal scripts (diff)
apps/whawty/auth: app no longer runs as root and switch to new sync
Diffstat (limited to 'roles/apps/whawty/auth/instance/templates')
-rw-r--r--roles/apps/whawty/auth/instance/templates/pod-spec.yml.j216
-rw-r--r--roles/apps/whawty/auth/instance/templates/sync-group.j21
-rw-r--r--roles/apps/whawty/auth/instance/templates/sync-passwd.j21
-rw-r--r--roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j25
-rw-r--r--roles/apps/whawty/auth/instance/templates/sync-sshd_config.j229
-rw-r--r--roles/apps/whawty/auth/instance/templates/sync.toml.j28
6 files changed, 40 insertions, 20 deletions
diff --git a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
index 45c692e9..b264577d 100644
--- a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
+++ b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
@@ -1,7 +1,7 @@
securityContext:
allowPrivilegeEscalation: false
-{# runAsUser: {{ whawty_auth_app_uid }} #}
-{# runAsGroup: {{ whawty_auth_app_gid }} #}
+ runAsUser: 990
+ runAsGroup: 990
containers:
- name: app
image: "ghcr.io/whawty/auth/app:v{{ whawty_auth_instances[whawty_auth_instance].version }}"
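Review bot: The literal 990 on the new `runAsUser`/`runAsGroup` lines has to stay in step with the same number in sync-passwd.j2 (`sync:x:990:990:...`) and sync-group.j2 (`sync:x:990:`), and nothing in any of the three templates records that coupling; the removed `whawty_auth_app_uid`/`whawty_auth_app_gid` placeholders suggest a single variable was once the intent. Because `securityContext` sits at the same level as `containers`, the uid applies to the sync container as well as the app container, so a later change to one file silently breaks the other. At minimum I would add `{# 990 must match the sync user in sync-passwd.j2 and sync-group.j2 #}` above `runAsUser: 990`; rendering all three from one role variable would remove the drift risk entirely. The same observation applies to the sync-group.j2 and sync-passwd.j2 hunks below.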
@@ -31,23 +31,15 @@ containers:
{% if 'sync' in whawty_auth_instances[whawty_auth_instance] %}
- name: sync
image: "ghcr.io/whawty/auth/sync:v{{ whawty_auth_instances[whawty_auth_instance].version }}"
- command:
- - "/gokr-rsyncd"
args:
- - "--daemon"
- - "--gokr.config=/sync/config.toml"
-{# TODO: remove debug output #}
- - "-v"
+ - "server"
volumeMounts:
- name: sync
- mountPath: /sync
+ mountPath: /config
readOnly: true
- name: store
mountPath: /store
readOnly: true
- env:
- - name: XDG_CONFIG_HOME
- value: "/sync"
ports:
- containerPort: {{ whawty_auth_instances[whawty_auth_instance].sync.port }}
hostPort: {{ whawty_auth_instances[whawty_auth_instance].sync.port }}
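Review bot: With the pod-level `runAsUser: 990`, whatever the new `server` argument starts in the sync container (presumably the sshd configured by sync-sshd_config.j2 under the `/config` mount) runs unprivileged and cannot bind a port below 1024, yet the unchanged `containerPort`/`hostPort` lines accept any `sync.port` value and nothing in the template asserts the constraint. I would add `{# sync.port must be >= 1024: the sync container runs as uid 990 and has no CAP_NET_BIND_SERVICE #}` above the `ports:` key, or fail the template early with a Jinja check on the value, so a misconfigured port is caught at render time rather than as a silent bind failure in the container.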
diff --git a/roles/apps/whawty/auth/instance/templates/sync-group.j2 b/roles/apps/whawty/auth/instance/templates/sync-group.j2
new file mode 100644
index 00000000..42d65743
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-group.j2
@@ -0,0 +1 @@
+sync:x:990:
diff --git a/roles/apps/whawty/auth/instance/templates/sync-passwd.j2 b/roles/apps/whawty/auth/instance/templates/sync-passwd.j2
new file mode 100644
index 00000000..0a99fc12
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-passwd.j2
@@ -0,0 +1 @@
+sync:x:990:990::/home:/bin/sh
diff --git a/roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j2 b/roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j2
new file mode 100644
index 00000000..694daff4
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j2
@@ -0,0 +1,5 @@
+[store]
+ path = /store
+ comment = whawty auth store
+ read only = yes
+ use chroot = no
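Review bot: `use chroot = no` is the correct choice here but the file gives no reason for it, and a future reader may "fix" it back to yes; rsync is launched by sshd's `ForceCommand` as the unprivileged sync user (see sync-sshd_config.j2 and `runAsUser: 990` in pod-spec.yml.j2), so chroot would simply fail. I would add `# chroot requires root: rsync is spawned by sshd's ForceCommand as the unprivileged sync user` above that line. Keeping `read only = yes` together with it limits the non-chroot exposure to reads of the store, which is worth stating in the `comment` or a second comment line.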
diff --git a/roles/apps/whawty/auth/instance/templates/sync-sshd_config.j2 b/roles/apps/whawty/auth/instance/templates/sync-sshd_config.j2
new file mode 100644
index 00000000..65a11d80
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-sshd_config.j2
@@ -0,0 +1,29 @@
+Port {{ whawty_auth_instances[whawty_auth_instance].sync.port }}
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+HostKey /config/ssh_host_ed25519_key
+PidFile none
+
+PermitRootLogin no
+PubkeyAuthentication yes
+
+HostbasedAuthentication no
+PasswordAuthentication no
+PermitEmptyPasswords no
+KbdInteractiveAuthentication no
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+PermitTTY no
+UseDNS no
+PermitTunnel no
+AllowStreamLocalForwarding no
+AllowTcpForwarding no
+
+ForceCommand /usr/bin/rsync --server --daemon --config /config/rsyncd.conf .
+
+AllowUsers sync
+AuthorizedKeysFile /config/authorized_keys
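Review bot: `AllowTcpForwarding no` appears twice in this new file (the lines after `AllowAgentForwarding no` and after `AllowStreamLocalForwarding no`); sshd keeps the first value it reads for a keyword, so the duplicate has no effect and should be dropped to avoid a misleading diff the next time forwarding settings change. The `ForceCommand` line also explains why sync-passwd.j2 gives the account `/bin/sh` rather than nologin: sshd runs the forced command through the user's login shell with `-c`, so a comment such as `# ForceCommand is run via the login shell; the sync user therefore keeps /bin/sh in sync-passwd.j2` above it would prevent someone hardening the shell and breaking sync. Since `/config` is mounted read-only and sshd runs as uid 990 here, I would also confirm that StrictModes (default yes) accepts the ownership and permissions of `/config/authorized_keys` and its parent directory as presented by the volume mount.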
diff --git a/roles/apps/whawty/auth/instance/templates/sync.toml.j2 b/roles/apps/whawty/auth/instance/templates/sync.toml.j2
deleted file mode 100644
index ddea4da5..00000000
--- a/roles/apps/whawty/auth/instance/templates/sync.toml.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-dont_namespace = true
-[[listener]]
- [listener.authorized_ssh]
- address = ":{{ whawty_auth_instances[whawty_auth_instance].sync.port }}"
- authorized_keys = "/sync/authorized_keys"
-[[module]]
- name = "store"
- path = "/store"