Compare commits

...

14 commits

Author SHA1 Message Date
2548ad883a Containerfile: copiar ssh/known_hosts
All checks were successful
continuous-integration/drone the build was successful
2021-09-28 15:42:07 -03:00
ed6e1a4758 Merge remote-tracking branch 'origin/antifascista' into container-ci 2021-09-28 15:31:54 -03:00
Nulo
25d1977b37 Merge branch 'ssh' into 'antifascista'
Soportar las llaves SSH de le usuarie

See merge request sutty/haini.sh!24
2021-09-28 18:29:46 +00:00
f
b372a54e1f No hacía falta bindear el socket 2021-09-28 15:21:54 -03:00
f
5b3516d0f8 Eliminar la configuración 2021-09-28 15:16:28 -03:00
f
347b7eab2c No hace falta recomendar la instalación si no dejamos agents abiertos 2021-09-28 15:11:36 -03:00
f
62cb0883cc No fallar si no hay ssh-agent 2021-09-28 15:11:19 -03:00
f
74a4985ea2 Instalar archivos dentro de /home/suttier 2021-09-28 14:27:06 -03:00
f
19aac59bdc Avisar cuando no hay ssh-agent 2021-09-28 14:27:06 -03:00
f
1af786a9e1 No dejar ssh-agents flotando 2021-09-28 14:27:06 -03:00
f
c1525d9e0f Utilizar SSH Agent
Es necesario usar ssh-agent para poder hacer conexiones SSH dentro de
Hainish compartiendo las mismas llaves.  Si montáramos ~/.ssh, el
cliente SSH insiste en expandir ~ al home externo en lugar del interno y
no encontramos documentación al respecto.
2021-09-28 14:27:06 -03:00
f
d088b5115e Soportar las llaves SSH de le usuarie 2021-09-28 14:27:06 -03:00
84444bba04 Merge branch 'usuarix-real' into 'antifascista'
Crear usuarix dentro de haini.sh

See merge request sutty/haini.sh!30
2021-09-28 17:26:29 +00:00
50b3d04792 Crear usuarix dentro de haini.sh
..en vez de mentir en $HOME.

/Sutty$ id
uid=1000(suttier) gid=1000(suttier) groups=65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),1000(suttier)

/Sutty$ ssh -vvv 0xacab.org
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/suttier/.ssh/known_hosts'
2021-09-28 13:32:02 -03:00
5 changed files with 57 additions and 6 deletions

View file

@ -8,6 +8,8 @@ RUN echo "https://alpine.sutty.nl/alpine/v3.13/sutty" >> "/etc/apk/repositories"
COPY packages /root/packages COPY packages /root/packages
RUN apk add --no-cache $(cat "/root/packages" | tr "\n" " ") RUN apk add --no-cache $(cat "/root/packages" | tr "\n" " ")
RUN sed -re "s/#(@platforms = )/\1/" -i "/usr/lib/ruby/2.7.0/rubygems.rb" RUN sed -re "s/#(@platforms = )/\1/" -i "/usr/lib/ruby/2.7.0/rubygems.rb" && \
mkdir -m 700 -p "~/.ssh"
COPY ssh/known_hosts /root/.ssh/known_hosts
COPY .gemrc /root/.gemrc COPY .gemrc /root/.gemrc

View file

@ -7,7 +7,8 @@ RUN mkdir -p /home && \
--home /home/suttier \ --home /home/suttier \
suttier && \ suttier && \
cp /root/.gemrc /home/suttier/.gemrc && \ cp /root/.gemrc /home/suttier/.gemrc && \
chown suttier:suttier /home/suttier/.gemrc && \ cp -r /root/.ssh /home/suttier/.ssh && \
chown -R suttier:suttier /home/suttier/ && \
echo "suttier ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers echo "suttier ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
USER suttier USER suttier

View file

@ -8,6 +8,7 @@ uname -m | grep -q x86_64 || exit 1
DIR="$(dirname "$(realpath "$0")")" DIR="$(dirname "$(realpath "$0")")"
ROOT="$(dirname "$DIR")" ROOT="$(dirname "$DIR")"
SELF="$(basename "$0")" SELF="$(basename "$0")"
SSH_ADHOC=false
# Sólo se puede correr desde el directorio de Sutty # Sólo se puede correr desde el directorio de Sutty
if test "$ROOT" != "$(dirname "$PWD")" && test "$ROOT" != "$PWD"; then if test "$ROOT" != "$(dirname "$PWD")" && test "$ROOT" != "$PWD"; then
@ -40,26 +41,35 @@ ENTORNO=${ENTORNO:-${ROOT}/hain}
correr() { correr() {
echo "> $1" >&2 echo "> $1" >&2
if test "$AS_ROOT"; then
SET_UID=0
SET_GID=0
else
SET_UID="$(id -u)"
SET_GID="$(id -g)"
fi
env -i \ env -i \
TERM="$TERM" \ TERM="$TERM" \
USER="$USER" \ USER="suttier" \
HOME="/home/suttier" \ HOME="/home/suttier" \
HAIN_ENV=true \ HAIN_ENV=true \
RAILS_ENV="${RAILS_ENV:-development}" \ RAILS_ENV="${RAILS_ENV:-development}" \
JEKYLL_ENV="${JEKYLL_ENV:-development}" \ JEKYLL_ENV="${JEKYLL_ENV:-development}" \
EDITOR="nano" \ EDITOR="nano" \
PAGER="less -niSFX" \ PAGER="less -niSFX" \
SSH_AUTH_SOCK="${SSH_AUTH_SOCK}" \
bwrap \ bwrap \
--die-with-parent \ --die-with-parent \
--unshare-user-try \ --unshare-user \
--uid "$SET_UID" \
--gid "$SET_GID" \
--unshare-ipc \ --unshare-ipc \
--unshare-uts \ --unshare-uts \
--unshare-cgroup-try \ --unshare-cgroup-try \
--bind "$ENTORNO" / \ --bind "$ENTORNO" / \
--bind "$ROOT" /Sutty \ --bind "$ROOT" /Sutty \
--ro-bind /etc/hosts /etc/hosts \ --ro-bind /etc/hosts /etc/hosts \
--ro-bind /etc/passwd /etc/passwd \
--ro-bind /etc/group /etc/group \
--ro-bind /etc/resolv.conf /etc/resolv.conf \ --ro-bind /etc/resolv.conf /etc/resolv.conf \
--ro-bind /etc/localtime /etc/localtime \ --ro-bind /etc/localtime /etc/localtime \
--dev-bind /dev /dev \ --dev-bind /dev /dev \
@ -169,6 +179,22 @@ crear_entorno() {
&& mv "$ENTORNO$HOME" "$ENTORNO/home/suttier" && mv "$ENTORNO$HOME" "$ENTORNO/home/suttier"
mkdir -p "$ENTORNO/home/suttier" mkdir -p "$ENTORNO/home/suttier"
if ! grep ^suttier: "$ENTORNO/etc/group" >/dev/null 2>&1 ; then
AS_ROOT=true correr "addgroup \
-g $(id -g) \
suttier"
fi
if ! correr "id suttier" >/dev/null 2>&1 ; then
AS_ROOT=true correr "adduser \
--disabled-password \
--gecos '' \
--home /home/suttier \
--no-create-home \
--uid $(id -u) \
--ingroup suttier \
suttier"
fi
# Configurar rubygems para que descargue las gemas desde Sutty # Configurar rubygems para que descargue las gemas desde Sutty
install -m 640 "$DIR/.gemrc" "$ENTORNO/home/suttier/.gemrc" install -m 640 "$DIR/.gemrc" "$ENTORNO/home/suttier/.gemrc"
@ -180,6 +206,10 @@ crear_entorno() {
install -m 755 "$script" "$ENTORNO/usr/local/bin/${script##*/}" install -m 755 "$script" "$ENTORNO/usr/local/bin/${script##*/}"
done done
# Configurar SSH
install -m 700 -d "$ENTORNO/home/suttier/.ssh"
install -m 644 "$DIR/ssh/known_hosts" "$ENTORNO/home/suttier/.ssh/known_hosts"
test -f "$ENTORNO/etc/ssl/certs/sutty.local.crt" || generar_certificado test -f "$ENTORNO/etc/ssl/certs/sutty.local.crt" || generar_certificado
test -f "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt" || mv "$ENTORNO/etc/ssl/certs/ca-sutty.crt" "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt" test -f "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt" || mv "$ENTORNO/etc/ssl/certs/ca-sutty.crt" "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt"
} }
@ -203,6 +233,20 @@ esac
if test "$HAIN_ENV"; then if test "$HAIN_ENV"; then
${*:-$DEFAULT} ${*:-$DEFAULT}
else else
if test -z "${SSH_AUTH_SOCK}"; then
if ! type ssh-agent >/dev/null 2>&1 ; then
echo "Instala ssh-agent para poder trabajar con git remoto dentro de haini.sh" >&2
else
SSH_ADHOC=true
echo "Iniciando un ssh-agent temporal." >&2
eval "$(ssh-agent)"
ssh-add
fi
fi
crear_entorno crear_entorno
stdin=/dev/stdin correr "${*:-$DEFAULT}" stdin=/dev/stdin correr "${*:-$DEFAULT}"
${SSH_ADHOC} && ssh-agent -k
fi fi

View file

@ -14,6 +14,7 @@ nano-syntax
ncurses-terminfo ncurses-terminfo
nginx nginx
nodejs nodejs
openssh-client
openssl openssl
postgresql postgresql
postgresql-contrib postgresql-contrib

3
ssh/known_hosts Normal file
View file

@ -0,0 +1,3 @@
0xacab.org,198.252.153.239 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdh69MJNIA4hZNdplalK1BOD4QZEKn8msMwsEzA7nrr
athshe.sutty.nl,172.96.172.58 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIDqJl9IW6WXAxrtZXMzvMnIpTjIZB+Tp+dDUpSaOrqdjqdMVjHVQSFnVh0MLHbvdjKKtxaKDAuT3JXGrSp8wyA=
anarres.sutty.nl,54.39.161.205 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGw9aXovdiR44WzGfaitjlGiAO7I5OP/XgxFEc+t6HWeS0oqIVaEo17y7j29hLZbTRpN8vWoGSMa+UtquQZ6JG8=