From def061765aa3f4422472bc08a65bfc3e7f57b3ea Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 26 Oct 2023 13:58:00 +0200
Subject: apps/whawty/auth: app no longer runs as root and switch to new sync
---
roles/apps/whawty/auth/instance/tasks/main.yml | 52 +++++++++++++++-------
.../whawty/auth/instance/templates/pod-spec.yml.j2 | 16 ++-----
.../whawty/auth/instance/templates/sync-group.j2 | 1 +
.../whawty/auth/instance/templates/sync-passwd.j2 | 1 +
.../auth/instance/templates/sync-rsyncd.conf.j2 | 5 +++
.../auth/instance/templates/sync-sshd_config.j2 | 29 ++++++++++++
.../whawty/auth/instance/templates/sync.toml.j2 | 8 ----
7 files changed, 77 insertions(+), 35 deletions(-)
create mode 100644 roles/apps/whawty/auth/instance/templates/sync-group.j2
create mode 100644 roles/apps/whawty/auth/instance/templates/sync-passwd.j2
create mode 100644 roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j2
create mode 100644 roles/apps/whawty/auth/instance/templates/sync-sshd_config.j2
delete mode 100644 roles/apps/whawty/auth/instance/templates/sync.toml.j2
(limited to 'roles/apps')
diff --git a/roles/apps/whawty/auth/instance/tasks/main.yml b/roles/apps/whawty/auth/instance/tasks/main.yml
index 2de99efa..a5872839 100644
--- a/roles/apps/whawty/auth/instance/tasks/main.yml
+++ b/roles/apps/whawty/auth/instance/tasks/main.yml
@@ -6,19 +6,24 @@ ## TODO: custom user -- name: create instance directories - loop: - - config - - store +- name: create instance config directory file: - path: "{{ whawty_auth_instance_basepath }}/{{ item }}" + path: "{{ whawty_auth_instance_basepath }}/config" state: directory +- name: create instance store directory + file: + path: "{{ whawty_auth_instance_basepath }}/store" + state: directory + owner: app + mode: 0700 + - name: generate store config template: src: store.yml.j2 dest: "{{ whawty_auth_instance_basepath }}/config/store.yml" mode: 0400 + owner: app - name: set up tls config when: "'tls' in whawty_auth_instances[whawty_auth_instance]"
@@ -27,7 +32,8 @@ file: path: "{{ whawty_auth_instance_basepath }}/config/tls" state: directory - mode: 0400 + mode: 0500 + owner: app - name: generate/install/fetch TLS certificate vars:
@@ -39,10 +45,12 @@ src: - fullchain mode: "0400" + owner: app - dest: "{{ whawty_auth_instance_basepath }}/config/tls/key.pem" src: - key mode: "0400" + owner: app reload: | pod_id=$(crictl pods -q --state ready --name "^whawty-auth-{{ whawty_auth_instance }}-{{ ansible_nodename }}$") [ -n "$pod_id" ] || exit 0
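Review bot: `mode: 0700` on the new `create instance store directory` task (and `mode: 0500` in the `@@ -27,7 +32,8 @@` hunk) is an unquoted YAML 1.1 octal, so Ansible receives the integer 448 (resp. 320) instead of a mode string; it happens to resolve to the intended bits, but the TLS tasks in this same file already use the quoted form, and Ansible's own guidance is that the leading-zero integer form can misbehave in loops. Use `mode: "0700"` and `mode: "0500"` for consistency. The new `owner: app` lines also tie these files to a host user whose uid must equal the `runAsUser: 990` set in pod-spec.yml.j2, which the `## TODO: custom user` comment at the top of the hunk suggests is still an open assumption; a comment on the store task such as `# owner must be the uid the pod runs as (runAsUser in pod-spec.yml.j2)` would make that coupling visible to the next editor.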
@@ -52,24 +60,30 @@ include_role: name: "x509/{{ whawty_auth_instances[whawty_auth_instance].tls.certificate_provider }}/cert" - - name: generate store config + - name: generate app web config template: src: web.yml.j2 dest: "{{ whawty_auth_instance_basepath }}/config/web.yml" mode: 0400 + owner: app - name: set up sync config when: "'sync' in whawty_auth_instances[whawty_auth_instance]" block: - name: create sync directory file: - path: "{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd" + path: "{{ whawty_auth_instance_basepath }}/sync" state: directory - - name: generate sync config + - name: generate sync config files + loop: + - group + - passwd + - rsyncd.conf + - sshd_config template: - src: sync.toml.j2 - dest: "{{ whawty_auth_instance_basepath }}/sync/config.toml" + src: "sync-{{ item }}.j2" + dest: "{{ whawty_auth_instance_basepath }}/sync/{{ item }}" - name: generate authorized_keys for sync copy:
@@ -77,9 +91,14 @@ dest: "{{ whawty_auth_instance_basepath }}/sync/authorized_keys" - name: generate ssh host key for sync - command: "ssh-keygen -q -t ed25519 -f '{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd/ssh_host_ed25519_key' -C '' -N ''" + command: "ssh-keygen -q -t ed25519 -f '{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key' -C '' -N ''" args: - creates: "{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd/ssh_host_ed25519_key" + creates: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key" + + - name: fix permissions for ssh host keys + file: + path: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key" + owner: app - name: install pod manifest vars:
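Review bot: The `generate sync config files` loop writes `group`, `passwd`, `rsyncd.conf` and `sshd_config` with no `mode:`, so the permissions depend on the controller's umask rather than being declared, and the `fix permissions for ssh host keys` task in the `@@ -77,9 +91,14 @@` hunk sets `owner: app` but likewise leaves the private host key's mode to whatever ssh-keygen produced. Pinning both keeps the on-disk state deterministic and idempotent: `mode: "0444"` on the loop (none of the four files carries a secret) and `mode: "0400"` on the host-key task, which also matches how store.yml and the TLS key are handled earlier in this file. The `block:` under `set up sync config` continues past the end of the hunk.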
@@ -89,9 +108,12 @@ - path: "{{ whawty_auth_instance_basepath }}/config/web.yml" {% endif %} {% if 'sync' in whawty_auth_instances[whawty_auth_instance] %} - - path: "{{ whawty_auth_instance_basepath }}/sync/config.toml" - path: "{{ whawty_auth_instance_basepath }}/sync/authorized_keys" - - path: "{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd/ssh_host_ed25519_key" + - path: "{{ whawty_auth_instance_basepath }}/sync/group" + - path: "{{ whawty_auth_instance_basepath }}/sync/passwd" + - path: "{{ whawty_auth_instance_basepath }}/sync/rsyncd.conf" + - path: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key" + - path: "{{ whawty_auth_instance_basepath }}/sync/sshd_config" {% endif %} kubernetes_standalone_pod: name: "whawty-auth-{{ whawty_auth_instance }}"
diff --git a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
index 45c692e9..b264577d 100644
--- a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
+++ b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
@@ -1,7 +1,7 @@ securityContext: allowPrivilegeEscalation: false -{# runAsUser: {{ whawty_auth_app_uid }} #} -{# runAsGroup: {{ whawty_auth_app_gid }} #} + runAsUser: 990 + runAsGroup: 990 containers: - name: app image: "ghcr.io/whawty/auth/app:v{{ whawty_auth_instances[whawty_auth_instance].version }}"
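Review bot: The list of sync files projected into the pod is now maintained by hand in two places: the four names in the `generate sync config files` loop and the five `- path:` entries here (plus `authorized_keys` and the host key), and nothing ties them together, so adding a sixth config file later and forgetting this list yields a container that silently lacks it. Keeping the file names in a single role variable that both the template loop and this manifest iterate over would remove the duplication. The `vars:` block and the Jinja `{% if 'sync' ... %}` it sits in begin before the hunk.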
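Review bot: `runAsUser: 990` and `runAsGroup: 990` are hard-coded, although the removed (commented-out) lines already referred to `whawty_auth_app_uid` / `whawty_auth_app_gid` for exactly this purpose; the same 990 is repeated in sync-passwd.j2 and sync-group.j2 and must also be the uid of the host `app` user that the `owner: app` tasks in tasks/main.yml rely on, so one variable used in all four places would stop them drifting apart. Since the point of the commit is that the app no longer runs as root, the securityContext should also say so enforceably with `runAsNonRoot: true`, which makes the kubelet refuse to start the pod if an image or a later edit brings uid 0 back.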
@@ -31,23 +31,15 @@ containers: {% if 'sync' in whawty_auth_instances[whawty_auth_instance] %} - name: sync image: "ghcr.io/whawty/auth/sync:v{{ whawty_auth_instances[whawty_auth_instance].version }}" - command: - - "/gokr-rsyncd" args: - - "--daemon" - - "--gokr.config=/sync/config.toml" -{# TODO: remove debug output #} - - "-v" + - "server" volumeMounts: - name: sync - mountPath: /sync + mountPath: /config readOnly: true - name: store mountPath: /store readOnly: true - env: - - name: XDG_CONFIG_HOME - value: "/sync" ports: - containerPort: {{ whawty_auth_instances[whawty_auth_instance].sync.port }} hostPort: {{ whawty_auth_instances[whawty_auth_instance].sync.port }}
diff --git a/roles/apps/whawty/auth/instance/templates/sync-group.j2 b/roles/apps/whawty/auth/instance/templates/sync-group.j2
new file mode 100644
index 00000000..42d65743
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-group.j2
@@ -0,0 +1 @@
+sync:x:990:
diff --git a/roles/apps/whawty/auth/instance/templates/sync-passwd.j2 b/roles/apps/whawty/auth/instance/templates/sync-passwd.j2
new file mode 100644
index 00000000..0a99fc12
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-passwd.j2
@@ -0,0 +1 @@
+sync:x:990:990::/home:/bin/sh
diff --git a/roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j2 b/roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j2
new file mode 100644
index 00000000..694daff4
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-rsyncd.conf.j2
@@ -0,0 +1,5 @@
+[store]
+ path = /store
+ comment = whawty auth store
+ read only = yes
+ use chroot = no
diff --git a/roles/apps/whawty/auth/instance/templates/sync-sshd_config.j2 b/roles/apps/whawty/auth/instance/templates/sync-sshd_config.j2
new file mode 100644
index 00000000..65a11d80
--- /dev/null
+++ b/roles/apps/whawty/auth/instance/templates/sync-sshd_config.j2
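Review bot: With the pod-level `runAsUser: 990` the sshd inside the sync container is no longer root, so binding the `containerPort`/`hostPort` taken from `sync.port` only succeeds on a default kernel if that port is above 1023 or the image grants `CAP_NET_BIND_SERVICE`; nothing in the role states or checks this, so a low port would now fail at startup with an unhelpful error. An `assert` on `whawty_auth_instances[whawty_auth_instance].sync.port >= 1024` in tasks/main.yml, or at least a comment next to `ports:` such as `{# sshd runs unprivileged: sync.port must be >= 1024 #}`, would make the constraint explicit. The `ports:` lines are unchanged context and the container definition continues past the hunk.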
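Review bot: `use chroot = no` reads like a weakened setting unless the reader knows the daemon is started unprivileged (uid 990 via the pod securityContext, through the sshd `ForceCommand`) and therefore cannot chroot at all; a header comment on the module would prevent that misreading, e.g. `# started as uid 990 by sshd's ForceCommand: chroot is not possible, module is read-only`. Since the module is only ever reached through `rsync --server --daemon`, adding `list = no` alongside `read only = yes` would also stop the module from being enumerated by a client that asks for a listing.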
@@ -0,0 +1,29 @@
+Port {{ whawty_auth_instances[whawty_auth_instance].sync.port }}
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+HostKey /config/ssh_host_ed25519_key
+PidFile none
+
+PermitRootLogin no
+PubkeyAuthentication yes
+
+HostbasedAuthentication no
+PasswordAuthentication no
+PermitEmptyPasswords no
+KbdInteractiveAuthentication no
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+PermitTTY no
+UseDNS no
+PermitTunnel no
+AllowStreamLocalForwarding no
+AllowTcpForwarding no
+
+ForceCommand /usr/bin/rsync --server --daemon --config /config/rsyncd.conf .
+
+AllowUsers sync
+AuthorizedKeysFile /config/authorized_keys
diff --git a/roles/apps/whawty/auth/instance/templates/sync.toml.j2 b/roles/apps/whawty/auth/instance/templates/sync.toml.j2
deleted file mode 100644
index ddea4da5..00000000
--- a/roles/apps/whawty/auth/instance/templates/sync.toml.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-dont_namespace = true
-[[listener]]
- [listener.authorized_ssh]
- address = ":{{ whawty_auth_instances[whawty_auth_instance].sync.port }}"
- authorized_keys = "/sync/authorized_keys"
-[[module]]
- name = "store"
- path = "/store"
-- cgit v1.2.3
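Review bot: `AllowTcpForwarding no` appears twice, once in the forwarding group and again as the last line before `ForceCommand`; sshd uses the first value it reads for a keyword, so the duplicate is harmless but should be dropped so nobody assumes the second one overrides something. The remaining settings form a coherent lock-down (`PermitRootLogin no`, key-only authentication, `AllowUsers sync`, and a `ForceCommand` that pins every session to `rsync --server --daemon`), and that intent is worth stating at the top of the file, e.g. `# sshd for the whawty-auth sync container: single user, key-only, rsync daemon only`. `HostKey` and `AuthorizedKeysFile` point under `/config`, which matches the `mountPath: /config` the sync container gets in pod-spec.yml.j2.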