-rw-r--r--README.md17
-rw-r--r--aur.py63
-rw-r--r--fs/etc/kanidm/config3
-rw-r--r--fs/etc/kanidm/unixd13
-rw-r--r--fs/etc/nsswitch.conf17
-rw-r--r--fs/etc/pam.d/system-auth28
-rw-r--r--fs/etc/ssh/sshd_config30
-rw-r--r--setup_kanidm.sh56
-rw-r--r--user_configuration.json15
9 files changed, 120 insertions, 122 deletions
diff --git a/README.md b/README.md
index 4fc7fb9..9fb251f 100644
--- a/README.md
+++ b/README.md
@@ -1,19 +1,4 @@
```
-sudo pacman -S base-devel
-
-cd /tmp
-git clone https://github.com/archlinux/archinstall
-
-python3 -m venv .venv
-source .venv/bin/activate
-pip3 install .
-
-cd -
-
archinstall --config user_configration.json --plugin aur.py --verbose
-
+cp -r fs/etc/* /etc
```
-
-1. fillout disk configuration
-2. fillout disk encryption
-3. fill out hostname
diff --git a/aur.py b/aur.py
index 2bea1d1..776f026 100644
--- a/aur.py
+++ b/aur.py
@@ -11,12 +11,7 @@ __version__ = 0.4
SUDOERS_FMT = "etc/sudoers.d/{user}"
-class PipelineStep:
- def cleanup(self):
- pass
-
-
-class PackageClassifier(PipelineStep):
+class PackageClassifier:
def split(self, packages):
aur, std = [], []
for pkg in packages:
@@ -33,7 +28,7 @@ class PackageClassifier(PipelineStep):
return std, aur
-class UserManager(PipelineStep):
+class UserManager:
def __init__(self, user: str, mount_location: Path, installation):
self.user = user
self.mount_location = mount_location
@@ -43,6 +38,12 @@ class UserManager(PipelineStep):
def _run_chroot(self, command):
return self.installation.arch_chroot(command, run_as=self.user)
+ def _sudoers(self):
+ return self.mount_location / f"etc/sudoers.d/{self.user}"
+
+ def _home(self):
+ return self.mount_location / f"home/{self.user}"
+
def create(self):
if self.user_created:
return
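Review bot: The new `_sudoers()` helper re-spells the sudoers path that `SUDOERS_FMT` (context line just above the first hunk) already defines, and after this commit the constant has no remaining caller, so the two can drift apart silently. I would have the helper derive from the constant, `return self.mount_location / SUDOERS_FMT.format(user=self.user)`, or delete the constant in the same commit. Since the name comes from the `AUR_USER` environment variable, it is also worth a one-line comment on `_sudoers()` that sudo skips drop-in files whose name contains a `.` or ends in `~`, so a user name of that shape would yield a rule that is written but never applied. The body of `create` continues past the end of this hunk.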
@@ -52,8 +53,7 @@ class UserManager(PipelineStep):
)
self.installation.add_additional_packages(["fakeroot", "base-devel"])
- sudoers_path = self.mount_location / SUDOERS_FMT.format(user=self.user)
- sudoers_path.write_text(f"{self.user} ALL=(ALL:ALL) NOPASSWD: ALL\n")
+ self._sudoers().write_text(f"{self.user} ALL=(ALL:ALL) NOPASSWD: ALL\n")
password = archinstall.lib.models.users.Password(plaintext="somethingrandom")
user = archinstall.lib.models.users.User(
@@ -61,8 +61,7 @@ class UserManager(PipelineStep):
)
self.installation.create_users([user])
- home_path = self.mount_location / "home" / self.user
- home_path.mkdir(parents=True, exist_ok=True)
+ self._home().mkdir(parents=True, exist_ok=True)
self.installation.arch_chroot(
f"/usr/bin/chown {self.user}:{self.user} /home/{self.user}"
)
@@ -81,14 +80,12 @@ class UserManager(PipelineStep):
pass
self.installation.arch_chroot(f"/usr/bin/userdel {self.user}")
- shutil.rmtree(self.mount_location / f"home/{self.user}", ignore_errors=True)
- (self.mount_location / SUDOERS_FMT.format(user=self.user)).unlink(
- missing_ok=True
- )
+ shutil.rmtree(self._home(), ignore_errors=True)
+ self._sudoers.unlink(missing_ok=True)
self.user_created = False
-class PackageDownloader(PipelineStep):
+class PackageDownloader:
def __init__(self, user: str, mount_location: Path, installation):
self.user = user
self.mount_location = mount_location
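Review bot: `self._sudoers.unlink(missing_ok=True)` does not call the helper — `self._sudoers` is a bound method with no `unlink` attribute, so `cleanup()` raises `AttributeError` right after the `userdel` and before `self.user_created = False` is reached; the sibling line `shutil.rmtree(self._home(), ignore_errors=True)` shows the intended form. The fix is `self._sudoers().unlink(missing_ok=True)`. As written, the `NOPASSWD: ALL` sudoers entry for the build user is left behind on the installed system on every run, and because `on_pacstrap` (later hunk in this file) now calls `self.usermgr.cleanup()` as its last step, the exception also propagates out of the plugin hook.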
@@ -124,13 +121,8 @@ class PackageDownloader(PipelineStep):
await asyncio.gather(*(sem_task(pkg) for pkg in packages))
- def cleanup(self):
- for pkg in self.downloaded:
- tar_path = self.mount_location / "home" / self.user / f"{pkg}.tar.gz"
- tar_path.unlink(missing_ok=True)
-
-class PackageInstaller(PipelineStep):
+class PackageInstaller:
def __init__(self, user: str, mount_location: Path, installation):
self.user = user
self.mount_location = mount_location
@@ -173,28 +165,12 @@ class PackageInstaller(PipelineStep):
)
return
-# packages = list(build_dir.glob("*.tar.zst"))
-# if not packages:
-# archinstall.log(
-# f"No built packages found for {package}", level=logging.ERROR, fg="red"
-# )
-# return
-#
-# self._run(
-# f"/usr/bin/pacman --noconfirm -U /home/{self.user}/{package}/{packages[0].name}"
-# )
-# self.installed.append(package)
self.installed_dirs.append(build_dir)
- def cleanup(self):
- for build_dir in self.installed_dirs:
- shutil.rmtree(build_dir, ignore_errors=True)
- self.installed_dirs.clear()
-
class Plugin:
def __init__(self):
- self.user = os.getenv("AUR_USER", "aoffline_usr")
+ self.user = os.getenv("AUR_USER", "packagebuilder")
self.lazy_initd = False
def _lazy_init(self):
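Review bot: With `PackageInstaller.cleanup()` removed, `self.installed_dirs.append(build_dir)` still records every build directory but nothing reads the list any more, so it is dead state that only grows for the life of the plugin. Either drop the attribute and the `append`, or keep a `cleanup()` that the plugin calls; if the intent is that `UserManager.cleanup()` removing the home directory covers the build directories, a short comment on the `append` line saying so would save the next reader the same question. The install method whose tail is shown here begins outside the hunk.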
@@ -210,11 +186,6 @@ class Plugin:
)
self.lazy_initd = True
- """
- TODO:
- Use the nobody account to run makepkg.
- Clone the AUR repo, chown it to nobody, then use sudo -u nobody makepkg to build it.
- """
def on_pacstrap(self, packages: list[str]) -> list[str]:
if not self.lazy_initd:
self._lazy_init()
@@ -224,12 +195,12 @@ class Plugin:
return std
self.usermgr.create()
+
asyncio.run(self.downloader.download(aur))
for pkg in self.downloader.downloaded:
self.installer.install(pkg)
- for step in reversed([self.installer, self.downloader, self.usermgr]):
- step.cleanup()
+ self.usermgr.cleanup()
return std
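Review bot: `self.usermgr.cleanup()` runs only on the success path; if `self.downloader.download(aur)` or any `self.installer.install(pkg)` raises, the build user, its home directory and its `NOPASSWD: ALL` sudoers entry all remain on the target system. Wrap the `asyncio.run(...)` and the install loop in `try:` and move the cleanup call into a `finally:` so the privileged account is removed on every exit path. The commit also drops the downloader and installer cleanup steps, so as I read it the removal of downloaded tarballs and build directories now depends entirely on `usermgr.cleanup()` removing the home directory — worth stating in a comment at the call site.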
diff --git a/fs/etc/kanidm/config b/fs/etc/kanidm/config
new file mode 100644
index 0000000..c1d7951
--- /dev/null
+++ b/fs/etc/kanidm/config
@@ -0,0 +1,3 @@
+uri = "https://idm.liz.coffee"
+verify_ca = true
+verify_hostnames = true
diff --git a/fs/etc/kanidm/unixd b/fs/etc/kanidm/unixd
new file mode 100644
index 0000000..5a81dc3
--- /dev/null
+++ b/fs/etc/kanidm/unixd
@@ -0,0 +1,13 @@
+version = '2'
+
+default_shell = '/bin/zsh'
+
+home_attr = 'uuid'
+home_alias = 'name'
+home_prefix = '/home/'
+
+uid_attr_map = 'name'
+gid_attr_mao = 'name'
+
+[kanidm]
+pam_allowed_login_groups = ['unixers']
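Review bot: `gid_attr_mao = 'name'` is misspelled; the key the daemon reads is `gid_attr_map`, so this line is either silently ignored (gid mapping falls back to the default) or rejected at startup, depending on how strictly unixd parses unknown keys. Change it to `gid_attr_map = 'name'`. In the version 2 layout I believe `uid_attr_map`/`gid_attr_map` may belong under the `[kanidm]` section rather than at top level — verify against the unixd documentation for the installed version. The removed `setup_kanidm.sh` also carried a `[[kanidm.map_group]]` mapping of `admins` to `coffee_admins` that this file does not reproduce; fine if intentional, but a comment would make that explicit.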
diff --git a/fs/etc/nsswitch.conf b/fs/etc/nsswitch.conf
new file mode 100644
index 0000000..67c95b5
--- /dev/null
+++ b/fs/etc/nsswitch.conf
@@ -0,0 +1,17 @@
+passwd: kanidm files systemd
+group: kanidm files systemd
+
+shadow: files systemd
+gshadow: files systemd
+
+publickey: files
+
+hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
+networks: files
+
+protocols: files
+services: files
+ethers: files
+rpc: files
+
+netgroup: files
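Review bot: `group: kanidm files systemd` drops the `[SUCCESS=merge]` action that the removed `setup_kanidm.sh` used on the same line, so a group defined in both kanidm and `/etc/group` now resolves to the kanidm membership only and local members are invisible. If merged membership is wanted, restore it as `group: kanidm [SUCCESS=merge] files systemd`; if not, a comment explaining the change of behaviour would help, since the rest of the file is the stock Arch layout.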
diff --git a/fs/etc/pam.d/system-auth b/fs/etc/pam.d/system-auth
new file mode 100644
index 0000000..82b2f52
--- /dev/null
+++ b/fs/etc/pam.d/system-auth
@@ -0,0 +1,28 @@
+#%PAM-1.0
+
+auth required pam_faillock.so preauth
+auth sufficient pam_kanidm.so
+-auth [success=2 default=ignore] pam_systemd_home.so
+auth [success=1 default=bad] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail
+auth optional pam_permit.so
+auth required pam_env.so
+auth required pam_faillock.so authsucc
+
+account sufficient pam_kanidm.so
+-account [success=1 default=ignore] pam_systemd_home.so
+account required pam_unix.so
+account optional pam_permit.so
+account required pam_time.so
+
+password sufficient pam_kanidm.so
+-password [success=1 default=ignore] pam_systemd_home.so
+password required pam_unix.so try_first_pass shadow
+password optional pam_permit.so
+
+-session optional pam_systemd_home.so
+session required pam_limits.so
+session required pam_unix.so
+session optional pam_kanidm.so
+session optional pam_permit.so
+
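Review bot: `auth sufficient pam_kanidm.so` short-circuits the auth stack for IdM users, so `pam_env.so` and `pam_faillock.so authsucc` further down never run for them — their faillock counter is not reset after a successful login and environment setup is skipped. Use a jump instead of `sufficient`, `auth [success=3 default=ignore] pam_kanidm.so`, so a kanidm success lands on `auth optional pam_permit.so` the same way the `pam_unix.so` success does. The same consideration applies to `account sufficient pam_kanidm.so`, which skips `pam_time.so` for IdM users — fine only if time restrictions are meant to apply to local accounts alone.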
diff --git a/fs/etc/ssh/sshd_config b/fs/etc/ssh/sshd_config
new file mode 100644
index 0000000..dec99a1
--- /dev/null
+++ b/fs/etc/ssh/sshd_config
@@ -0,0 +1,30 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 22
+
+PermitRootLogin no
+PermitEmptyPasswords no
+PasswordAuthentication no
+
+PubkeyAuthentication yes
+UsePAM yes
+AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u
+AuthorizedKeysCommandUser nobody
+
+KbdInteractiveAuthentication no
+GSSAPIAuthentication no
+KerberosAuthentication no
+
+AllowAgentForwarding yes
+X11Forwarding no
+
+PrintMotd no
+PrintLastLog yes
+
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+TCPKeepAlive yes
+ClientAliveInterval 300
+ClientAliveCountMax 1
+
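Review bot: `Subsystem sftp /usr/lib/openssh/sftp-server` is the Debian location; on an Arch target (this repo installs via archinstall and pacman) the binary is shipped at `/usr/lib/ssh/sftp-server`, so SFTP sessions would fail — verify against the installed openssh package and adjust the path. Note also that `AuthorizedKeysCommand` is now global rather than inside a `Match Group` block as the removed `setup_kanidm.sh` had it, so every key lookup, including for purely local accounts, is sent to kanidm; acceptable if intended, but worth a comment. `Include /etc/ssh/sshd_config.d/*.conf` on the first line means any shipped drop-in takes precedence over the settings below it, since sshd keeps the first value it sees.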
diff --git a/setup_kanidm.sh b/setup_kanidm.sh
deleted file mode 100644
index d6d50ab..0000000
--- a/setup_kanidm.sh
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/bash
-
-UNIXERS_GROUP = {{ unixers }}
-
-/etc/kanidm/config
-<<<
-uri = "https://{{ idm_domain }}"
-verify_ca = true
-verify_hostnames = true
->>>
-
-/etc/kanidm/unixd
-<<<
-version = '2'
-
-default_shell = "/bin/zsh"
-
-home_attr = "uuid"
-home_alias = "name"
-home_prefix = "/home/"
-
-[kanidm]
-pam_allowed_login_groups = ["{{ unixers }}"]
-
-[[kanidm.map_group]]
-local = "admins"
-with = "coffee_admins"
->>>
-
-/etc/sudo
-<<<
-%admins ALL=(ALL:ALL) ALL
->>>
-
-systemctl enable --now kanidm-unixd
-systemctl enable --now kanidm-unixd-tasks
-
-add_line /etc/nsswitch.conf
-<<<
-passwd: kanidm files systemd
-group: kanidm [SUCCESS=merge] files systemd
->>>
-
-add_line /etc/ssh/sshd_config.d/10-kanidm-keys.conf
-<<<
-PubkeyAuthentication yes
-UsePAM yes
-
-Match Group {{ unixers_group }}
- AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u
- AuthorizedKeysCommandUser nobody
->>>
-
-# PAM
-add_line /etc/pam.d/common-account
-<<<
diff --git a/user_configuration.json b/user_configuration.json
index 08eb15d..7977fe3 100644
--- a/user_configuration.json
+++ b/user_configuration.json
@@ -79,7 +79,6 @@
"librewolf-bin",
"mpv",
"neovim",
- "niri",
"noto-fonts",
"noto-fonts-emoji",
"nvidia-open",
@@ -91,10 +90,12 @@
"polkit",
"polkit-kde-agent",
"reflector",
- "rustup",
+ "rust",
+ "sddm",
"sshfs",
"starship",
"sudo",
+ "swayfx",
"swaybg",
"swayidle",
"swaylock",
@@ -133,13 +134,19 @@
"zsh-autosuggestions",
"zsh-completions",
"zsh-syntax-highlighting",
- "ly",
"mise",
"mako"
],
"parallel downloads": 3,
"profile_config": null,
- "services": ["bluetooth", "ly", "NetworkManager", "reflector", "polkit"],
+ "services": [
+ "bluetooth",
+ "NetworkManager",
+ "reflector",
+ "polkit",
+ "kanidm-unixd",
+ "kanidm-unixd-tasks"
+ ],
"swap": true,
"timezone": "US/Pacific",
"version": "2.8.3"