cp over all the bundles from kunsis bw repo

bundles/openssh/files/override.conf

@@ -0,0 +1,8 @@
+# The default unit already has "Restart=on-failure", but it has set
+# "RestartPreventExitStatus=255", which prevents a restart on that
+# specific exit code. I don't think we want that. Please, just restart
+# ssh.
+
+[Service]
+RestartPreventExitStatus=
+RestartSec=1

bundles/openssh/files/sshd_config

@@ -0,0 +1,42 @@
+Port 22
+
+PermitRootLogin No
+Protocol 2
+AuthorizedKeysFile .ssh/authorized_keys
+GSSAPIAuthentication no
+KerberosAuthentication no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+PubkeyAuthentication yes
+UseDNS no
+
+LogLevel INFO
+X11Forwarding no
+IgnoreRhosts yes
+HostbasedAuthentication no
+PermitEmptyPasswords no
+PermitUserEnvironment no
+Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha256
+LoginGraceTime 60
+AllowUsers ${' '.join(sorted(login_users))}
+UsePAM yes
+AllowTcpForwarding no
+PrintMotd no
+
+MaxSessions 512
+MaxStartups 512:30:768
+
+Subsystem sftp internal-sftp
+
+Match Group sftp
+    ChrootDirectory %h
+    ForceCommand internal-sftp
+    PasswordAuthentication no
+
+Match User ${','.join(sorted(admin_users))}
+    AllowTcpForwarding yes
+% if enable_x_forwarding_for_admins:
+    X11Forwarding yes
+% endif

bundles/openssh/items.py

@@ -0,0 +1,55 @@
+users_from_metadata = set()
+additional_users = node.metadata.get('openssh/allowed_users', set())
+
+for user, config in node.metadata.get('users', {}).items():
+    if 'ssh_pubkey' in config and not config.get('delete', False):
+        users_from_metadata.add(user)
+
+login_users = users_from_metadata.union(additional_users)
+
+files = {
+    '/etc/ssh/sshd_config': {
+        'content_type': 'mako',
+        'context': {
+            'login_users': login_users,
+            'admin_users': users_from_metadata,
+            'enable_x_forwarding_for_admins': node.metadata.get('openssh/enable_x_forwarding_for_admins', False),
+        },
+        'triggers': {
+            'action:sshd_check_config',
+        },
+    },
+    '/etc/systemd/system/ssh.service.d/bundlewrap.conf': {
+        'source': 'override.conf',
+        'triggers': {
+            'action:sshd_check_config',
+        },
+    },
+}
+
+if node.has_bundle('pacman'):
+    package = 'pkg_pacman:openssh'
+    service = 'sshd'
+else:
+    package = 'pkg_apt:openssh-server'
+    service = 'ssh'
+
+actions = {
+    'sshd_check_config': {
+        'command': 'sshd -T -C user=root -C host=localhost -C addr=localhost',
+        'triggered': True,
+        'triggers': {
+            'svc_systemd:{}:restart'.format(service),
+        },
+    },
+}
+
+svc_systemd = {
+    service: {
+        'needs': {
+            'file:/etc/systemd/system/ssh.service.d/bundlewrap.conf',
+            'file:/etc/ssh/sshd_config',
+            package,
+        },
+    },
+}

bundles/openssh/metadata.py

@@ -0,0 +1,28 @@
+from bundlewrap.metadata import atomic
+
+defaults = {
+    'apt': {
+        'packages': {
+            'openssh-client': {},
+            'openssh-server': {},
+            'openssh-sftp-server': {},
+        },
+    },
+    'pacman': {
+        'packages': {
+            'openssh': {},
+        },
+    },
+}
+
+@metadata_reactor.provides(
+    'firewall/port_rules/22',
+)
+def firewall(metadata):
+    return {
+        'firewall': {
+            'port_rules': {
+                '22': atomic(metadata.get('openssh/restrict-to', {'*'})),
+            },
+        },
+    }