saibotk-de/infrastructure
saibotk-de/infrastructure
1
0
Fork 0
Code Issues Pull requests Releases 42 Activity

feat(luks_ssh): Update with latest upstream changes

Browse source 
This includes a MOTD and some small adjustments for Fedora etc.

See a35fbc1ec4
This commit is contained in:
saibotk 2024-03-10 00:16:52 +01:00
parent db6f516bee
commit 20e150f453
Signed by: saibotk
GPG key ID: 67585F0065E261D5
6 changed files with 40 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
roles/luks_ssh/files/module-setup.sh
View file

@ -12,10 +12,7 @@ check() {
# called by dracut # called by dracut
depends() { depends() {
# If systemd-networkd runs on the system, use it. return 0
if systemctl -q is-active systemd-networkd; then
echo systemd-networkd
fi
} }
# called by dracut # called by dracut
@ -40,6 +37,7 @@ install() {
return 1 return 1
fi fi
# Modified to match the ansible install path used in tasks/main.yml
authorized_keys="${moddir}/authorized_keys" authorized_keys="${moddir}/authorized_keys"
#if [ -e /root/.ssh/dracut_authorized_keys ]; then #if [ -e /root/.ssh/dracut_authorized_keys ]; then
# authorized_keys=/root/.ssh/dracut_authorized_keys # authorized_keys=/root/.ssh/dracut_authorized_keys
@ -66,22 +64,25 @@ install() {
inst_simple "${moddir}/sshd.service" "$systemdsystemunitdir/sshd.service" inst_simple "${moddir}/sshd.service" "$systemdsystemunitdir/sshd.service"
inst_simple "${moddir}/sshd_config" /etc/ssh/sshd_config inst_simple "${moddir}/sshd_config" /etc/ssh/sshd_config
grep '^sshd:' /etc/passwd >> "$initdir/etc/passwd" { grep '^sshd:' $dracutsysrootdir/etc/passwd || echo 'sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin'; } >> "$initdir/etc/passwd"
grep '^sshd:' /etc/group >> "$initdir/etc/group" { grep '^sshd:' $dracutsysrootdir/etc/group || echo 'sshd:x:74:'; } >> "$initdir/etc/group"
# Create privilege seperation directory # Create privilege separation directory
# /var/empty/sshd -> Fedora, CentOS, RHEL # /var/empty/sshd -> Fedora, CentOS, RHEL
# /var/emtpy -> Arch, OpenSSH upstream # /usr/share/empty.sshd -> Fedora >= 34
# /var/lib/empty -> Suse # /var/emtpy -> Arch, OpenSSH upstream
# /run/sshd -> Debian # /var/lib/empty -> Suse
# /var/chroot/ssh -> Void Linux # /var/chroot/ssh -> Void Linux
local d local d
for d in /var/empty/sshd /var/empty /var/lib/empty /run/sshd /var/chroot/ssh ; do for d in /var/empty/sshd /usr/share/empty.sshd /var/empty /var/lib/empty /var/chroot/ssh ; do
if [ -d "$d" ]; then if [ -d "$d" ]; then
mkdir -p -m 0755 "$initdir$d" mkdir -p -m 0755 "$initdir$d"
break
fi fi
done done
# workaround for Silverblue (in general for ostree based os)
if grep ^OSTREE_VERSION= /etc/os-release > /dev/null; then
mkdir -p -m 0755 "$initdir/var/empty/sshd"
fi
systemctl -q --root "$initdir" enable sshd systemctl -q --root "$initdir" enable sshd
@ -93,6 +94,8 @@ install() {
mkdir -p -m 0755 "$initdir/var/log" mkdir -p -m 0755 "$initdir/var/log"
touch "$initdir/var/log/lastlog" touch "$initdir/var/log/lastlog"
inst_simple "${moddir}/motd" /etc/motd
inst_simple "${moddir}/profile" /root/.profile
return 0 return 0
} }

8
roles/luks_ssh/files/motd Normal file
View file

@ -0,0 +1,8 @@
Welcome to the early boot SSH environment. You may type
systemd-tty-ask-password-agent
(or press "arrow up") to unlock your disks.
This shell will terminate automatically a few seconds after the
unlocking process has succeeded and when the boot proceeds.

7
roles/luks_ssh/files/profile Normal file
View file

@ -0,0 +1,7 @@
if [ -n "$SSH_TTY" ]; then
export PS1='initramfs-ssh:${PWD}# '
fi
if [ -n "$TERM" ]; then
export TERM=vt220
fi

4
roles/luks_ssh/files/sshd.service
View file

@ -28,5 +28,9 @@ KillMode=process
Restart=on-failure Restart=on-failure
RestartSec=42s RestartSec=42s
# Create privilege separation directory /run/sshd for Debian/Ubuntu
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
[Install] [Install]
WantedBy=sysinit.target WantedBy=sysinit.target

4
roles/luks_ssh/tasks/main.yml
View file

@ -66,6 +66,8 @@
become: true become: true
with_items: with_items:
- "sshd.service" - "sshd.service"
- "profile"
- "motd"
notify: Regenerate dracut notify: Regenerate dracut
- name: Copy templated module files - name: Copy templated module files
@ -129,7 +131,7 @@
masked: true masked: true
become: true become: true
when: when:
- ansible_os_family == "RedHat" and not ansible_distribution == "Rocky" - ansible_os_family == "RedHat" and ansible_distribution == "CentOS"
- luks_ssh_disable_state_import - luks_ssh_disable_state_import
- name: Disable import-state service, so that it doesn not overwrite ifcfg scripts. - name: Disable import-state service, so that it doesn not overwrite ifcfg scripts.

1
roles/luks_ssh/templates/sshd_config
View file

@ -4,7 +4,6 @@ AuthorizedKeysFile .ssh/authorized_keys
AuthenticationMethods publickey AuthenticationMethods publickey
UsePAM no UsePAM no
X11Forwarding no X11Forwarding no
ForceCommand systemd-tty-ask-password-agent
Port {{ luks_ssh_port }} Port {{ luks_ssh_port }}
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES