authorChristian Pointner <equinox@spreadspace.org>2023-10-26 13:58:00 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-10-26 13:58:00 +0200
commitdef061765aa3f4422472bc08a65bfc3e7f57b3ea (patch)
tree6b4173aabd89073d921a7a5834a55ee781bd078a /roles/apps
parentx509/certs: fix renewal scripts (diff)
apps/whawty/auth: app no longer runs as root and switch to new sync
Diffstat (limited to 'roles/apps')
-rw-r--r--roles/apps/whawty/auth/instance/tasks/main.yml52
-rw-r--r--roles/apps/whawty/auth/instance/templates/pod-spec.yml.j216
-rw-r--r--roles/apps/whawty/auth/instance/templates/sync-group.j21
-rw-r--r--roles/apps/whawty/auth/instance/templates/sync-passwd.j21
-rw-r--r--roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j25
-rw-r--r--roles/apps/whawty/auth/instance/templates/sync-sshd_config.j229
-rw-r--r--roles/apps/whawty/auth/instance/templates/sync.toml.j28
7 files changed, 77 insertions, 35 deletions
diff --git a/roles/apps/whawty/auth/instance/tasks/main.yml b/roles/apps/whawty/auth/instance/tasks/main.yml
index 2de99efa..a5872839 100644
--- a/roles/apps/whawty/auth/instance/tasks/main.yml
+++ b/roles/apps/whawty/auth/instance/tasks/main.yml
@@ -6,19 +6,24 @@
## TODO: custom user
-- name: create instance directories
- loop:
- - config
- - store
+- name: create instance config directory
file:
- path: "{{ whawty_auth_instance_basepath }}/{{ item }}"
+ path: "{{ whawty_auth_instance_basepath }}/config"
state: directory
+- name: create instance store directory
+ file:
+ path: "{{ whawty_auth_instance_basepath }}/store"
+ state: directory
+ owner: app
+ mode: 0700
+
- name: generate store config
template:
src: store.yml.j2
dest: "{{ whawty_auth_instance_basepath }}/config/store.yml"
mode: 0400
+ owner: app
- name: set up tls config
when: "'tls' in whawty_auth_instances[whawty_auth_instance]"
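Review bot: `owner: app` on the 0700 store directory and the 0400 `store.yml` pins these files to whatever uid the host's `app` account has, while the pod spec in this same commit hard-codes `runAsUser: 990`; nothing in the hunk ties the two together, so on a node where `app` is not uid 990 the container cannot read its own store or config. The removed pod-spec comment referenced `whawty_auth_app_uid`, which suggests a variable already exists for this; using it in both places, e.g. `owner: "{{ whawty_auth_app_uid }}"`, keeps the host ownership and the container uid from drifting apart. No `group` is set either, so the files keep root's group, which is fine under 0700/0400 but worth stating. The `## TODO: custom user` line above the first task appears to be what this change implements and could be dropped or reworded.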
@@ -27,7 +32,8 @@
file:
path: "{{ whawty_auth_instance_basepath }}/config/tls"
state: directory
- mode: 0400
+ mode: 0500
+ owner: app
- name: generate/install/fetch TLS certificate
vars:
@@ -39,10 +45,12 @@
src:
- fullchain
mode: "0400"
+ owner: app
- dest: "{{ whawty_auth_instance_basepath }}/config/tls/key.pem"
src:
- key
mode: "0400"
+ owner: app
reload: |
pod_id=$(crictl pods -q --state ready --name "^whawty-auth-{{ whawty_auth_instance }}-{{ ansible_nodename }}$")
[ -n "$pod_id" ] || exit 0
@@ -52,24 +60,30 @@
include_role:
name: "x509/{{ whawty_auth_instances[whawty_auth_instance].tls.certificate_provider }}/cert"
- - name: generate store config
+ - name: generate app web config
template:
src: web.yml.j2
dest: "{{ whawty_auth_instance_basepath }}/config/web.yml"
mode: 0400
+ owner: app
- name: set up sync config
when: "'sync' in whawty_auth_instances[whawty_auth_instance]"
block:
- name: create sync directory
file:
- path: "{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd"
+ path: "{{ whawty_auth_instance_basepath }}/sync"
state: directory
- - name: generate sync config
+ - name: generate sync config files
+ loop:
+ - group
+ - passwd
+ - rsyncd.conf
+ - sshd_config
template:
- src: sync.toml.j2
- dest: "{{ whawty_auth_instance_basepath }}/sync/config.toml"
+ src: "sync-{{ item }}.j2"
+ dest: "{{ whawty_auth_instance_basepath }}/sync/{{ item }}"
- name: generate authorized_keys for sync
copy:
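Review bot: The sync directory and the four templated files (`group`, `passwd`, `rsyncd.conf`, `sshd_config`) are written with no explicit `owner` or `mode`, so their permissions depend on the controller's umask rather than on the role. sshd with the default `StrictModes yes` refuses `AuthorizedKeysFile /config/authorized_keys` if the file or its parent directory is group- or world-writable, and the sshd running as uid 990 must be able to read all of them, so the intended permissions should be pinned: `mode: "0755"` on the directory task and `mode: "0644"` on the template loop. The `authorized_keys` copy task that follows starts at the end of this hunk and continues into the next one, and it likewise sets no mode.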
@@ -77,9 +91,14 @@
dest: "{{ whawty_auth_instance_basepath }}/sync/authorized_keys"
- name: generate ssh host key for sync
- command: "ssh-keygen -q -t ed25519 -f '{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd/ssh_host_ed25519_key' -C '' -N ''"
+ command: "ssh-keygen -q -t ed25519 -f '{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key' -C '' -N ''"
args:
- creates: "{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd/ssh_host_ed25519_key"
+ creates: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key"
+
+ - name: fix permissions for ssh host keys
+ file:
+ path: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key"
+ owner: app
- name: install pod manifest
vars:
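Review bot: The `fix permissions for ssh host keys` task changes only the owner of `ssh_host_ed25519_key`; it leaves the mode to whatever `ssh-keygen` produced (0600 by default) and does not touch the `.pub` file generated alongside it. Since sshd rejects a host key that is group- or world-readable, and since a later manual edit or restore could loosen it, add `mode: "0400"` to that task so the role enforces the permission it depends on rather than inheriting it. A second `file:` task for `ssh_host_ed25519_key.pub` with `owner: app` and `mode: "0444"` would keep the pair consistent.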
@@ -89,9 +108,12 @@
- path: "{{ whawty_auth_instance_basepath }}/config/web.yml"
{% endif %}
{% if 'sync' in whawty_auth_instances[whawty_auth_instance] %}
- - path: "{{ whawty_auth_instance_basepath }}/sync/config.toml"
- path: "{{ whawty_auth_instance_basepath }}/sync/authorized_keys"
- - path: "{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd/ssh_host_ed25519_key"
+ - path: "{{ whawty_auth_instance_basepath }}/sync/group"
+ - path: "{{ whawty_auth_instance_basepath }}/sync/passwd"
+ - path: "{{ whawty_auth_instance_basepath }}/sync/rsyncd.conf"
+ - path: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key"
+ - path: "{{ whawty_auth_instance_basepath }}/sync/sshd_config"
{% endif %}
kubernetes_standalone_pod:
name: "whawty-auth-{{ whawty_auth_instance }}"
diff --git a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
index 45c692e9..b264577d 100644
--- a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
+++ b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
@@ -1,7 +1,7 @@
securityContext:
allowPrivilegeEscalation: false
-{# runAsUser: {{ whawty_auth_app_uid }} #}
-{# runAsGroup: {{ whawty_auth_app_gid }} #}
+ runAsUser: 990
+ runAsGroup: 990
containers:
- name: app
image: "ghcr.io/whawty/auth/app:v{{ whawty_auth_instances[whawty_auth_instance].version }}"
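Review bot: The pod securityContext now hard-codes `runAsUser: 990` / `runAsGroup: 990`, and the same literal 990 appears again in `sync-group.j2` and `sync-passwd.j2` and implicitly in the host `owner: app` tasks; four copies of one magic number is how uid mismatches creep in later. The removed comment used `whawty_auth_app_uid` / `whawty_auth_app_gid`, so if those variables still exist they should feed all four places. Independently, adding `runAsNonRoot: true` makes the kubelet refuse to start the containers as root even if the uid lines are removed or overridden by an image default, which is the guarantee the commit message is describing.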
@@ -31,23 +31,15 @@ containers:
{% if 'sync' in whawty_auth_instances[whawty_auth_instance] %}
- name: sync
image: "ghcr.io/whawty/auth/sync:v{{ whawty_auth_instances[whawty_auth_instance].version }}"
- command:
- - "/gokr-rsyncd"
args:
- - "--daemon"
- - "--gokr.config=/sync/config.toml"
-{# TODO: remove debug output #}
- - "-v"
+ - "server"
volumeMounts:
- name: sync
- mountPath: /sync
+ mountPath: /config
readOnly: true
- name: store
mountPath: /store
readOnly: true
- env:
- - name: XDG_CONFIG_HOME
- value: "/sync"
ports:
- containerPort: {{ whawty_auth_instances[whawty_auth_instance].sync.port }}
hostPort: {{ whawty_auth_instances[whawty_auth_instance].sync.port }}
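Review bot: `hostPort` without a `hostIP` publishes the sync sshd on every interface of the node, and the new `sshd_config` also listens on `0.0.0.0` and `::`; if peers reach this service over an internal network only, add `hostIP: <internal address>` next to `hostPort` so the listener is not exposed on public interfaces as well. Separately, because the container now runs as uid 990, `sync.port` must be 1024 or higher unless the sync container is granted `CAP_NET_BIND_SERVICE`; nothing in the hunk constrains the value, so a comment on the port line or an assert in the role would catch a low port early.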
diff --git a/roles/apps/whawty/auth/instance/templates/sync-group.j2 b/roles/apps/whawty/auth/instance/templates/sync-group.j2
new file mode 100644
index 00000000..42d65743
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-group.j2
@@ -0,0 +1 @@
+sync:x:990:
diff --git a/roles/apps/whawty/auth/instance/templates/sync-passwd.j2 b/roles/apps/whawty/auth/instance/templates/sync-passwd.j2
new file mode 100644
index 00000000..0a99fc12
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-passwd.j2
@@ -0,0 +1 @@
+sync:x:990:990::/home:/bin/sh
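Review bot: The `/bin/sh` login shell here is load-bearing and deserves a note somewhere, since a passwd file has no comment syntax: sshd executes `ForceCommand` through the user's shell, so switching this to `/sbin/nologin` as a hardening reflex would silently break rsync. A one-line comment above `ForceCommand` in `sync-sshd_config.j2`, such as `# sync's shell in passwd must be a real shell: sshd runs ForceCommand via it`, records that. The home directory `/home` may not exist in the image; sshd only warns when it cannot chdir there, but `/` or a directory known to exist would avoid the noise.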
diff --git a/roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j2 b/roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j2
new file mode 100644
index 00000000..694daff4
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j2
@@ -0,0 +1,5 @@
+[store]
+ path = /store
+ comment = whawty auth store
+ read only = yes
+ use chroot = no
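Review bot: `use chroot = no` is a necessity rather than a choice here, because the daemon now runs as uid 990 and `chroot(2)` needs root or CAP_SYS_CHROOT, and the file should say so: `# no chroot: daemon runs unprivileged; relies on munge symlinks for containment`. Without a chroot, keeping clients inside `/store` rests on rsync's behaviour of defaulting `munge symlinks` to yes when chroot is off; pinning `munge symlinks = yes` explicitly means a future edit cannot drop that protection unnoticed. `read only = yes` already blocks writes, so the remaining exposure is reading through symlinks in the store that point outside it, which is worth confirming against the rsync version in the image.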
diff --git a/roles/apps/whawty/auth/instance/templates/sync-sshd_config.j2 b/roles/apps/whawty/auth/instance/templates/sync-sshd_config.j2
new file mode 100644
index 00000000..65a11d80
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-sshd_config.j2
@@ -0,0 +1,29 @@
+Port {{ whawty_auth_instances[whawty_auth_instance].sync.port }}
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+HostKey /config/ssh_host_ed25519_key
+PidFile none
+
+PermitRootLogin no
+PubkeyAuthentication yes
+
+HostbasedAuthentication no
+PasswordAuthentication no
+PermitEmptyPasswords no
+KbdInteractiveAuthentication no
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+PermitTTY no
+UseDNS no
+PermitTunnel no
+AllowStreamLocalForwarding no
+AllowTcpForwarding no
+
+ForceCommand /usr/bin/rsync --server --daemon --config /config/rsyncd.conf .
+
+AllowUsers sync
+AuthorizedKeysFile /config/authorized_keys
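Review bot: `AllowTcpForwarding no` appears twice in this file (once in the first forwarding block and again after `AllowStreamLocalForwarding no`); sshd honours the first occurrence and ignores the second, so the duplicate is harmless but should be removed to keep the file reviewable. With password and keyboard-interactive auth disabled the only remaining method is public key, and stating that explicitly with `AuthenticationMethods publickey` makes the intent survive future default changes. For a service exposed on a host port, `MaxAuthTries 3` and `LoginGraceTime 30` also bound what an unauthenticated client can do before being dropped.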
diff --git a/roles/apps/whawty/auth/instance/templates/sync.toml.j2 b/roles/apps/whawty/auth/instance/templates/sync.toml.j2
deleted file mode 100644
index ddea4da5..00000000
--- a/roles/apps/whawty/auth/instance/templates/sync.toml.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-dont_namespace = true
-[[listener]]
- [listener.authorized_ssh]
- address = ":{{ whawty_auth_instances[whawty_auth_instance].sync.port }}"
- authorized_keys = "/sync/authorized_keys"
-[[module]]
- name = "store"
- path = "/store"