From 6d58f2387f25cbe4d39d2d0ca59259117bb21b31 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 14 Nov 2020 14:35:54 +0100
Subject: [PATCH] bundles/openssh: introduce, add to all nodes
---
 bundles/backup-server/metadata.py | 9 ++++++
 bundles/gitea/metadata.py | 5 +++
 bundles/openssh/files/override.conf | 8 +++++
 bundles/openssh/files/sshd_config | 39 ++++++++++++++++++++++++
 bundles/openssh/items.py | 47 +++++++++++++++++++++++++++++
 bundles/openssh/metadata.py | 9 ++++++
 groups/all.py | 1 +
 7 files changed, 118 insertions(+)
 create mode 100644 bundles/openssh/files/override.conf
 create mode 100644 bundles/openssh/files/sshd_config
 create mode 100644 bundles/openssh/items.py
 create mode 100644 bundles/openssh/metadata.py
diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py
index ce0f909..a84acfa 100644
--- a/bundles/backup-server/metadata.py
+++ b/bundles/backup-server/metadata.py
@@ -1,3 +1,12 @@
+defaults = {
+ 'openssh': {
+ 'allowed_users': {
+ # Usernames for backup clients always start with 'c-'
+ 'c-*',
+ },
+ },
+}
+
 @metadata_reactor
 def get_my_clients(metadata):
 my_clients = {}
diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py
index 1ef5885..493638d 100644
--- a/bundles/gitea/metadata.py
+++ b/bundles/gitea/metadata.py
@@ -25,6 +25,11 @@ defaults = {
 },
 },
 },
+ 'openssh': {
+ 'allowed_users': {
+ 'git',
+ },
+ },
 'postgresql': {
 'roles': {
 'gitea': {
diff --git a/bundles/openssh/files/override.conf b/bundles/openssh/files/override.conf
new file mode 100644
index 0000000..e19b593
--- /dev/null
+++ b/bundles/openssh/files/override.conf
@@ -0,0 +1,8 @@
+# The default unit already has "Restart=on-failure", but it has set
+# "RestartPreventExitStatus=255", which prevents a restart on that
+# specific exit code. I don't think we want that. Please, just restart
+# ssh.
+
+[Service]
+RestartPreventExitStatus=
+RestartSec=1
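Review bot: Clearing RestartPreventExitStatus= and setting RestartSec=1 still leaves ssh.service under systemd's default start rate limit (StartLimitBurst=5 within StartLimitIntervalSec=10s unless the distribution changed it), so a crash-looping sshd is restarted a handful of times and then left stopped, which is the outcome the comment says it wants to avoid. If "just restart ssh" is the intent, add a `[Unit]` section with `StartLimitIntervalSec=0` to this drop-in; if the rate limit is acceptable, say so in the comment so the next reader does not wonder. The comment would also be clearer if it named the packaged unit it was checked against, since the `RestartPreventExitStatus=255` it refers to comes from that unit rather than from this repository.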
diff --git a/bundles/openssh/files/sshd_config b/bundles/openssh/files/sshd_config
new file mode 100644
index 0000000..bd3ec34
--- /dev/null
+++ b/bundles/openssh/files/sshd_config
@@ -0,0 +1,39 @@
+Port 22
+
+PermitRootLogin No
+Protocol 2
+AuthorizedKeysFile .ssh/authorized_keys
+GSSAPIAuthentication no
+KerberosAuthentication no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+PubkeyAuthentication yes
+UseDNS no
+
+LogLevel INFO
+X11Forwarding no
+IgnoreRhosts yes
+HostbasedAuthentication no
+PermitEmptyPasswords no
+PermitUserEnvironment no
+Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha256
+LoginGraceTime 60
+AllowUsers ${' '.join(sorted(login_users))}
+UsePAM yes
+AllowTcpForwarding no
+PrintMotd no
+
+MaxSessions 512
+MaxStartups 512:30:768
+
+Subsystem sftp internal-sftp
+
+Match Group sftp
+ ChrootDirectory %h
+ ForceCommand internal-sftp
+ PasswordAuthentication no
+
+Match User ${','.join(sorted(admin_users))}
+ AllowTcpForwarding yes
diff --git a/bundles/openssh/items.py b/bundles/openssh/items.py
new file mode 100644
index 0000000..0d3bf6f
--- /dev/null
+++ b/bundles/openssh/items.py
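Review bot: Both template expansions assume non-empty sets: with an empty admin_users the `Match User` line near the end is emitted without a pattern, which sshd rejects as a missing Match criterion (sshd_check_config would catch it, but the broken file is already on disk), and with an empty login_users the `AllowUsers` line carries no pattern at all, which in the sshd versions I know is accepted and simply stops restricting logins, the opposite of what the directive is there for. Guard the Match block with `% if admin_users:` before `Match User ${','.join(sorted(admin_users))}` and `% endif` after `AllowTcpForwarding yes`, and treat an empty login_users as a template error rather than silently emitting an unrestricted AllowUsers. Separately, `Protocol 2` has been ignored since OpenSSH dropped protocol 1 (7.4) and `PermitRootLogin No` is the only capitalised value in the file; both parse, but dropping the first and lowercasing the second keeps the config consistent. `ChrootDirectory %h` also requires each sftp user's home to be root-owned and not group- or world-writable, which nothing in this bundle enforces; a comment on the Match Group block stating that precondition would save the next person a "bad ownership or modes for chroot directory" debugging session.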
@@ -0,0 +1,47 @@
+users_from_metadata = set()
+additional_users = node.metadata.get('openssh', {}).get('allowed_users', set())
+
+for user, config in node.metadata.get('users', {}).items():
+ if 'ssh_pubkey' in config:
+ users_from_metadata.add(user)
+
+login_users = users_from_metadata.union(additional_users)
+
+files = {
+ '/etc/ssh/sshd_config': {
+ 'content_type': 'mako',
+ 'context': {
+ 'login_users': login_users,
+ 'admin_users': users_from_metadata,
+ },
+ 'triggers': {
+ 'action:sshd_check_config',
+ },
+ },
+ '/etc/systemd/system/ssh.service.d/bundlewrap.conf': {
+ 'source': 'override.conf',
+ 'triggers': {
+ 'action:sshd_check_config',
+ },
+ },
+}
+
+actions = {
+ 'sshd_check_config': {
+ 'command': 'sshd -T -C user=root -C host=localhost -C addr=localhost',
+ 'triggered': True,
+ 'triggers': {
+ 'svc_systemd:ssh:restart',
+ },
+ },
+}
+
+svc_systemd = {
+ 'ssh': {
+ 'needs': {
+ 'pkg_apt:openssh-server',
+ 'file:/etc/systemd/system/ssh.service.d/bundlewrap.conf',
+ 'file:/etc/ssh/sshd_config',
+ },
+ },
+}
diff --git a/bundles/openssh/metadata.py b/bundles/openssh/metadata.py
new file mode 100644
index 0000000..f4ebe16
--- /dev/null
+++ b/bundles/openssh/metadata.py
@@ -0,0 +1,9 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'openssh-client': {},
+ 'openssh-server': {},
+ 'openssh-sftp-server': {},
+ },
+ },
+}
diff --git a/groups/all.py b/groups/all.py
index 3e70bb7..29b18c3 100644
--- a/groups/all.py
+++ b/groups/all.py
@@ -11,6 +11,7 @@ groups['all'] = {
 'backup-client',
 'cron',
 'hostname',
+ 'openssh',
 'postfix',
 'sshmon',
 'sudo',
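Review bot: The drop-in file `/etc/systemd/system/ssh.service.d/bundlewrap.conf` only triggers `sshd_check_config`, which in turn triggers `svc_systemd:ssh:restart`, and neither step runs `systemctl daemon-reload`, so systemd restarts ssh.service with the unit definition it already has loaded and the override does not take effect until something else reloads the manager (unless your bundlewrap version does that as part of the service restart, which I do not believe it does). Add a triggered daemon-reload action that the drop-in triggers and that `sshd_check_config` needs, so it is ordered before the restart, as sketched below. Passing `users_from_metadata` as `admin_users` also gives every account with an `ssh_pubkey` the `AllowTcpForwarding yes` exception in the template, which is broader than the name suggests; either introduce a separate metadata key for that privilege or add a comment stating that "holds an ssh key" is the intended meaning. Finally, validating the already-written file means a failing check leaves a broken sshd_config in place for the next reboot; if your bundlewrap version supports the file item's `test_with` attribute, checking the candidate content with `sshd -t -f {}` before it is written is the safer order.
```python
files = {
    # … unchanged: /etc/ssh/sshd_config item …
    '/etc/systemd/system/ssh.service.d/bundlewrap.conf': {
        'source': 'override.conf',
        'triggers': {
            'action:systemd_daemon_reload',
            'action:sshd_check_config',
        },
    },
}

actions = {
    # Drop-ins are only picked up after a daemon-reload; order it before the check/restart.
    'systemd_daemon_reload': {
        'command': 'systemctl daemon-reload',
        'triggered': True,
        'needed_by': {
            'action:sshd_check_config',
        },
    },
    # … unchanged: sshd_check_config …
}
```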