Commit 8ce3e25b authored by mh's avatar mh

add a new user script to allow mgmt of ssh_authorized_keys - also enable...

add a new user script to allow mgmt of ssh_authorized_keys - also enable static hostings to have user_scripts
parent 8c24ee75
#!/bin/env ruby
## methods required by commons
# which option entries beside sftp_user does
# this script need?
def script_option_keys
[]
end
# further settings files used by this script
def script_settings_files_def
{
'ssh_authorized_keys.keys' => {}
}
end
# verify security related things to that script
def script_security
end
# the main method
def run_script
log "Starting managing sshkeys"
file_path = settings_files['ssh_authorized_keys.keys']
keys = []
ignored_keys = []
sudo(sftp_user_uid,group_gid) do
IO.foreach(file_path) do |line|
line.chomp!
# only allow a certain set of keys
# and ignore comment lines
if m = line.match(/^(ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519) ([A-Za-z0-9=\/\+]+)( )?/)
keys << "#{m[1]} #{m[2]}"
elsif line !~ /^#/ && !line.empty?
ignored_keys << "Ignoring following line as it's not a supported key: #{line}"
end
end
File.open("/var/www/ssh_authorized_keys/#{options['sftp_user']}",'w') do |f|
f << "# Generated at #{Time.now.to_s}\n"
f << keys.join("\n")
f << "\n"
end
end
ignored_keys.each do |k|
log "Ignored the following keyline as not matching the allowed pattern: #{k}"
end
log "Wrote #{keys.size} keys to the authorized_keys file"
log "Finished managing sshkeys"
end
# this will also trigger the run of the script
require "#{File.expand_path(File.join(File.dirname(__FILE__),'..','common','webscripts'))}"
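Review bot: `script_security` is left as an empty method while `run_script` interpolates `options['sftp_user']` directly into the path under `/var/www/ssh_authorized_keys/`; the value comes from Puppet rather than from the hosting user, but this hook is exactly where the file's own comment says such checks belong, so validate it there, e.g. `raise "invalid sftp_user" unless options['sftp_user'].to_s.match(/\A[a-z_][a-z0-9_-]*\z/)`. Separately, when no line matches the allowed pattern the file is still rewritten with an empty key list, and the only trace is the `Wrote 0 keys` line; since that disables key login for the SFTP user, log an explicit warning before the `File.open`, e.g. `log "WARNING: no valid keys found, authorized_keys will be emptied" if keys.empty?`. Reading the keys file and writing the result inside `sudo(sftp_user_uid,group_gid)` is the right choice, as it keeps the script from following user-placed symlinks with root privileges; a one-line comment stating that intent above the `sudo` call would keep it from being "simplified" away later. Minor style: `if m = line.match(...)` hides an assignment inside the condition (`m = line.match(...)` on its own line, then `if m`), and `#{Time.now.to_s}` is just `#{Time.now}`.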
......@@ -191,19 +191,15 @@ define webhosting::common(
sftp_user => $real_uid_name,
run_user => $real_run_uid_name,
}
$user_scripts_ensure = $ensure ? {
'absent' => 'absent',
default => $user_scripts
}
webhosting::user_scripts::manage{$name:
ensure => $user_scripts_ensure,
base_path => $vhost_path,
scripts => $user_scripts,
sftp_user => $real_uid_name,
run_user => $real_run_uid_name,
web_group => $real_gid_name,
options => $user_scripts_options,
if $ensure != 'absent' {
webhosting::user_scripts::manage{$name:
base_path => $vhost_path,
scripts => $user_scripts,
sftp_user => $real_uid_name,
run_user => $real_run_uid_name,
web_group => $real_gid_name,
options => $user_scripts_options,
}
}
if ($git_repo != 'absent') and ($ensure != 'absent') {
webhosting::utils::clone{
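Review bot: With the `ensure` parameter dropped and the call wrapped in `if $ensure != 'absent'`, a hosting set to `ensure => absent` no longer reaches `webhosting::user_scripts::manage`, and the absent branch inside manage that set `File["user_scripts_${name}","incron_adjust_permissions_${name}","incron_update_mode_${name}"]` to absent is removed in the same commit (see the first manage.pp hunk), so the `/etc/incron.d/${name}_*` entries and the scripts directory are left behind on decommission unless `/etc/incron.d` is purged somewhere not shown here. A stale incron entry keeps invoking `run_incron.sh` for a directory whose hosting is gone. Keep the `$user_scripts_ensure` selector and pass `ensure => $user_scripts_ensure,` to manage, and have manage declare the incron files with that ensure instead of only declaring them when present. The enclosing `define webhosting::common(` starts and ends outside this hunk.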
......
......@@ -9,38 +9,40 @@
# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
# - semianonym: Don't log ips for CustomLog, log normal ErrorLog
define webhosting::static(
$ensure = present,
$configuration = {},
$uid = 'absent',
$uid_name = 'absent',
$gid = 'uid',
$gid_name = 'absent',
$password = 'absent',
$password_crypted = true,
$domain = 'absent',
$domainalias = 'www',
$server_admin = 'absent',
$logmode = 'default',
$owner = root,
$group = 'absent',
$allow_override = 'None',
$do_includes = false,
$options = 'absent',
$additional_options = 'absent',
$default_charset = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$template_partial = 'absent',
$vhost_source = 'absent',
$vhost_destination = 'absent',
$htpasswd_file = 'absent',
$nagios_check = 'ensure',
$nagios_check_domain = 'absent',
$nagios_check_url = '/',
$nagios_check_code = '200',
$nagios_use = 'generic-service',
$mod_security = false,
$git_repo = 'absent',
$ensure = present,
$configuration = {},
$uid = 'absent',
$uid_name = 'absent',
$gid = 'uid',
$gid_name = 'absent',
$password = 'absent',
$password_crypted = true,
$domain = 'absent',
$domainalias = 'www',
$server_admin = 'absent',
$logmode = 'default',
$owner = root,
$group = 'absent',
$allow_override = 'None',
$do_includes = false,
$options = 'absent',
$additional_options = 'absent',
$default_charset = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$template_partial = 'absent',
$vhost_source = 'absent',
$vhost_destination = 'absent',
$htpasswd_file = 'absent',
$nagios_check = 'ensure',
$nagios_check_domain = 'absent',
$nagios_check_url = '/',
$nagios_check_code = '200',
$nagios_use = 'generic-service',
$mod_security = false,
$git_repo = 'absent',
$user_scripts = 'absent',
$user_scripts_options = {},
){
if ($uid_name == 'absent'){
$real_uid_name = $name
......@@ -58,23 +60,25 @@ define webhosting::static(
$real_group = 'apache'
}
webhosting::common{$name:
ensure => $ensure,
configuration => $configuration,
uid => $uid,
uid_name => $real_uid_name,
gid => $gid,
gid_name => $real_gid_name,
password => $password,
password_crypted => $password_crypted,
htpasswd_file => $htpasswd_file,
ssl_mode => $ssl_mode,
run_mode => 'static',
nagios_check => $nagios_check,
nagios_check_domain => $nagios_check_domain,
nagios_check_url => $nagios_check_url,
nagios_check_code => $nagios_check_code,
nagios_use => $nagios_use,
git_repo => $git_repo,
ensure => $ensure,
configuration => $configuration,
uid => $uid,
uid_name => $real_uid_name,
gid => $gid,
gid_name => $real_gid_name,
password => $password,
password_crypted => $password_crypted,
htpasswd_file => $htpasswd_file,
ssl_mode => $ssl_mode,
run_mode => 'static',
nagios_check => $nagios_check,
nagios_check_domain => $nagios_check_domain,
nagios_check_url => $nagios_check_url,
nagios_check_code => $nagios_check_code,
nagios_use => $nagios_use,
git_repo => $git_repo,
user_scripts => $user_scripts,
user_scripts_options => $user_scripts_options,
}
apache::vhost::static{$name:
ensure => $ensure,
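Review bot: The two new parameters `$user_scripts` and `$user_scripts_options` are added to `webhosting::static` and passed through to `webhosting::common`, but the header comment above the define, which documents `logmode` values, has no entry for them; add e.g. `# - user_scripts: 'absent', 'ALL' or the list of script names to deploy (see webhosting::user_scripts::manage)` and `# - user_scripts_options: hash of per-script options, merged over the defaults in webhosting::user_scripts::manage`. Both parameters are untyped although the same commit already uses Puppet 4 typed lambda parameters in user_scripts.pp; `Variant[Enum['absent', 'ALL'], Array[String]] $user_scripts = 'absent'` and `Hash $user_scripts_options = {}` would reject bad values at catalog compile time rather than inside the `in` checks of manage. Only two lines of the header comment are visible here, so the exact placement of the new doc lines may differ.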
......
......@@ -22,16 +22,46 @@ class webhosting::user_scripts {
group => 0,
mode => '0500';
}
# deploy scripts
['adjust_permissions','update_mode',
'update_wordpress','ssh_authorized_keys'].each |String $script_name| {
file{
"/opt/webhosting_user_scripts/${script_name}":
ensure => directory,
owner => root,
group => 0,
mode => '0400';
"/opt/webhosting_user_scripts/${script_name}/${script_name}.rb":
source => "puppet:///modules/webhosting/user_scripts/${script_name}/${script_name}.rb",
owner => root,
group => 0,
mode => '0500';
}
# script to adjust permission in web directories
webhosting::user_scripts::script{'adjust_permissions': }
}
# script dependencies
# update mode script
include ::acl::requirements
webhosting::user_scripts::script{'update_mode': }
# wordpress updates
require ::wordpress::base
require ::tmpwatch
webhosting::user_scripts::script{'update_wordpress': }
# manage ssh keys
if $facts['selinux'] {
selinux::fcontext{'/var/www/ssh_authorized_keys(/.*)?':
setype => 'ssh_home_t',
before => File['/var/www/ssh_authorized_keys'],
}
}
file{'/var/www/ssh_authorized_keys':
ensure => directory,
owner => root,
group => 0,
mode => '0444',
purge => true,
force => true,
recurse => true,
seltype => 'ssh_home_t',
}
}
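Review bot: `mode => '0444'` on the `/var/www/ssh_authorized_keys` directory resource reads as "no traversal", but Puppet adds the execute bit to a directory wherever the read bit is set, so the effective mode is 0555; write `mode => '0555'` so the intent (root-owned, traversable, not writable by anyone else) is visible to the next reader. With `recurse => true` the same owner/group/mode would be applied to any file below it that is not separately managed; the per-user key files declared in `webhosting::user_scripts::manage` override that, which is presumably intended, so a comment such as `# per-user key files are declared in user_scripts::manage; purge removes files of hostings that are gone` would document why `purge` is safe here. The `include ::acl::requirements`, `require ::wordpress::base` and `require ::tmpwatch` lines are now interleaved between resource declarations; grouping them at the top of the class would match the usual style. The enclosing `class webhosting::user_scripts` starts outside this hunk.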
......@@ -3,53 +3,37 @@ define webhosting::user_scripts::manage(
$sftp_user,
$run_user,
$web_group,
$ensure = 'present',
$base_path = 'absent',
$scripts = 'ALL',
$options = {},
$user_scripts_help = 'https://wiki.immerda.ch/index.php/WebhostingUserScripts',
$user_scripts_admin_address = 'admin@immerda.ch'
){
$scripts_path = $base_path ? {
'absent' => "/var/www/vhosts/${name}/scripts",
default => "${base_path}/scripts"
}
$default_options = {
'adjust_permissions' => {
'only_webreadable' => [],
'web_writable' => [],
},
}
$user_scripts_options = merge($default_options,$options)
file{
"user_scripts_${name}":
path => $scripts_path,
recurse => true,
purge => true,
force => true;
"incron_adjust_permissions_${name}":
path => "/etc/incron.d/${name}_adjust_permissions";
"incron_update_mode_${name}":
path => "/etc/incron.d/${name}_update_mode";
"incron_update_wordpress_${name}":
path => "/etc/incron.d/${name}_update_wordpress";
}
if $scripts != 'absent' {
$scripts_path = $base_path ? {
'absent' => "/var/www/vhosts/${name}/scripts",
default => "${base_path}/scripts"
}
if ($ensure == 'absent') {
File["user_scripts_${name}","incron_adjust_permissions_${name}",
"incron_update_mode_${name}"]{
ensure => 'absent',
$default_options = {
'adjust_permissions' => {
'only_webreadable' => [],
'web_writable' => [],
},
}
} else {
require ::webhosting::user_scripts
$user_scripts_options = merge($default_options,$options)
File["user_scripts_${name}"]{
ensure => directory,
owner => root,
group => $web_group,
mode => '0440',
require ::webhosting::user_scripts
file{
"user_scripts_${name}":
path => $scripts_path,
ensure => directory,
owner => root,
group => $web_group,
mode => '0440',
recurse => true,
purge => true,
force => true;
}
file{ "${scripts_path}/vhost.options":
......@@ -59,76 +43,47 @@ define webhosting::user_scripts::manage(
mode => '0440';
}
if ('adjust_permissions' in $scripts) or ($scripts == 'ALL') {
file{
"${scripts_path}/adjust_permissions":
ensure => directory,
owner => $sftp_user,
group => $web_group,
mode => '0600';
"${scripts_path}/adjust_permissions/adjust_permissions.dirs":
content => template('webhosting/user_scripts/adjust_permissions/adjust_permissions.dirs.erb'),
replace => false,
owner => $sftp_user,
group => $web_group,
mode => '0600';
}
File["incron_adjust_permissions_${name}"] {
content => "${scripts_path}/adjust_permissions/ IN_CREATE /opt/webhosting_user_scripts/common/run_incron.sh \$@ \$#\n",
owner => root,
group => 0,
mode => '0400',
require => File["${scripts_path}/adjust_permissions"],
}
} else {
File["incron_adjust_permissions_${name}"]{
ensure => 'absent',
}
$scripts_to_deploy = { 'adjust_permissions' => 'dirs',
'update_mode' => false,
'update_wordpress' => 'dirs',
'ssh_authorized_keys' => 'keys',
}
if ('update_wordpress' in $scripts) or ($scripts == 'ALL') {
file{
"${scripts_path}/update_wordpress":
ensure => directory,
owner => $sftp_user,
group => $web_group,
mode => '0600';
"${scripts_path}/update_wordpress/update_wordpress.dirs":
content => template('webhosting/user_scripts/update_wordpress/update_wordpress.dirs.erb'),
replace => false,
owner => $sftp_user,
group => $web_group,
mode => '0600';
}
File["incron_update_wordpress_${name}"] {
content => "${scripts_path}/update_wordpress/ IN_CREATE /opt/webhosting_user_scripts/common/run_incron.sh \$@ \$#\n",
owner => root,
group => 0,
mode => '0400',
require => File["${scripts_path}/update_wordpress"],
}
} else {
File["incron_update_wordpress_${name}"]{
ensure => 'absent',
$scripts_to_deploy.each |String $script_name, Variant[String, Boolean] $config_ext| {
if ($script_name in $scripts) or ($scripts == 'ALL') {
file{
"${scripts_path}/${script_name}":
ensure => directory,
owner => $sftp_user,
group => $web_group,
mode => '0600';
"incron_${script_name}_${name}":
path => "/etc/incron.d/${name}_${script_name}",
content => "${scripts_path}/${script_name}/ IN_CREATE /opt/webhosting_user_scripts/common/run_incron.sh \$@ \$#\n",
owner => root,
group => 0,
mode => '0400',
require => File["${scripts_path}/${script_name}"];
}
if $config_ext {
file{
"${scripts_path}/${script_name}/${script_name}.${config_ext}":
content => template("webhosting/user_scripts/${script_name}/${script_name}.${config_ext}.erb"),
replace => false,
owner => $sftp_user,
group => $web_group,
mode => '0600';
}
}
}
}
if ('update_mode' in $scripts) or ($scripts == 'ALL') {
file{
"${scripts_path}/update_mode":
ensure => directory,
owner => $sftp_user,
group => $web_group,
mode => '0600';
}
File["incron_update_mode_${name}"] {
content => "${scripts_path}/update_mode/ IN_CREATE /opt/webhosting_user_scripts/common/run_incron.sh \$@ \$#\n",
owner => root,
if ('ssh_authorized_keys' in $scripts) or ($scripts == 'ALL') {
file{"/var/www/ssh_authorized_keys/${sftp_user}":
content => template('webhosting/user_scripts/ssh_authorized_keys/ssh_authorized_keys.keys.erb'),
replace => false,
owner => $sftp_user,
group => 0,
mode => '0400',
require => File["${scripts_path}/update_mode"],
}
} else {
File["incron_update_mode_${name}"]{
ensure => 'absent',
mode => '0600',
seltype => 'ssh_home_t';
}
}
}
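Review bot: The `$scripts_to_deploy.each` loop declares `incron_${script_name}_${name}` only when the script is enabled, and the per-script `else { ... ensure => 'absent' }` branches of the old code are gone, so removing a script from `$scripts` (or switching from `'ALL'` to a list) leaves `/etc/incron.d/${name}_${script_name}` in place and still firing `run_incron.sh` for that directory. Add an else branch that declares the incron file absent, as below. The per-user key file `/var/www/ssh_authorized_keys/${sftp_user}` has the same shape, but the `purge => true` on its parent directory in `webhosting::user_scripts` presumably removes it when the resource disappears, so no change is needed there. `define webhosting::user_scripts::manage(` starts outside this hunk.
```puppet
$scripts_to_deploy.each |String $script_name, Variant[String, Boolean] $config_ext| {
  if ($script_name in $scripts) or ($scripts == 'ALL') {
    # … unchanged: scripts directory, incron file and optional config file …
  } else {
    # drop the incron entry once the script is no longer enabled for this hosting
    file{"incron_${script_name}_${name}":
      ensure => 'absent',
      path   => "/etc/incron.d/${name}_${script_name}",
    }
  }
}
```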
......
# deploy a script
define webhosting::user_scripts::script(){
file{
"/opt/webhosting_user_scripts/${name}":
ensure => directory,
owner => root,
group => 0,
mode => '0400';
"/opt/webhosting_user_scripts/${name}/${name}.rb":
source => "puppet:///modules/webhosting/user_scripts/${name}/${name}.rb",
owner => root,
group => 0,
mode => '0500';
}
}
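Review bot: The `# deploy a script` comment above `webhosting::user_scripts::script` does not say what the title means; suggest `# deploys the user script named by $title from puppet:///modules/webhosting/user_scripts/<title>/<title>.rb into /opt/webhosting_user_scripts/<title>, readable and executable by root only`. The define takes no parameters, so a retired script cannot be removed through it; a `$ensure = 'present'` parameter applied to both file resources would close that gap.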
# add the ssh public keys you want to add to your SFTP login
#
# The format is:
# key-type public_key
#
# Example:
# ssh-rsa AAAAmysuperkey
# ssh-ed25519 AAAAmyelipticcurvekey
#
# Notes:
# * The script will ignore empty lines, lines starting with a #
# and anything that does not match the above format
# * The script will remove any other key not listed in this file
<% Array(@user_scripts_options['ssh_authorized_keys']).each do |key|
if m = key.match(/^(ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519) ([A-Za-z0-9=\/\+]+)( )?/) -%>
<%= "#{m[1]} #{m[2]}" %>
<% end
end -%>
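Review bot: The key-filtering regex in the `<% ... %>` block is a verbatim copy of the one in `ssh_authorized_keys.rb`, so the two can drift apart; add an ERB comment next to it, e.g. `<%# keep this pattern in sync with user_scripts/ssh_authorized_keys/ssh_authorized_keys.rb %>`. Since the script re-validates every line each time it runs, the template filter is a second copy of the same check rather than an additional safeguard, which is fine as long as that is stated.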