From 4011c11acf35340d274e1655a08941ac7f58a692 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Wed, 24 Jan 2024 16:56:57 +0000
Subject: [PATCH] initial commit with a working debian base and sssd working correctly

Signed-off-by: Brendan Golden
---
.gitattributes | 48 +++++++++++++++++
.gitignore | 28 ++++++++++
Readme.md | 3 ++
base.yaml | 117 ++++++++++++++++++++++++++++++++++++++++
files/resolv.conf | 8 +++
files/sshd_config | 125 +++++++++++++++++++++++++++++++++++++++++++
files/sssd.conf | 38 +++++++++++++
files/sssd.conf_base | 37 +++++++++++++
files/sudoers_base | 50 +++++++++++++++++
run.sh | 9 ++++
10 files changed, 463 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 Readme.md
create mode 100644 base.yaml
create mode 100644 files/resolv.conf
create mode 100644 files/sshd_config
create mode 100644 files/sssd.conf
create mode 100644 files/sssd.conf_base
create mode 100644 files/sudoers_base
create mode 100755 run.sh
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..3da48a6
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,48 @@
+# Git config here
+* text eol=lf
+
+#############################################
+# Git lfs stuff
+
+# Documents
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.doc filter=lfs diff=lfs merge=lfs -text
+*.docx filter=lfs diff=lfs merge=lfs -text
+
+
+# Excel
+*.xls filter=lfs diff=lfs merge=lfs -text
+*.xlsx filter=lfs diff=lfs merge=lfs -text
+*.xlsm filter=lfs diff=lfs merge=lfs -text
+
+
+# Powerpoints
+*.ppt filter=lfs diff=lfs merge=lfs -text
+*.pptx filter=lfs diff=lfs merge=lfs -text
+
+
+# Images
+*.png filter=lfs diff=lfs merge=lfs -text
+*.jpg filter=lfs diff=lfs merge=lfs -text
+
+
+# Video
+*.mkv filter=lfs diff=lfs merge=lfs -text
+*.mp4 filter=lfs diff=lfs merge=lfs -text
+
+
+# Misc
+*.zip filter=lfs diff=lfs merge=lfs -text
+
+
+# ET4011
+*.cbe filter=lfs diff=lfs merge=lfs -text
+*.pbs filter=lfs diff=lfs merge=lfs -text
+
+
+# Open/Libre office
+# from https://www.libreoffice.org/discover/what-is-opendocument/
+*.odt filter=lfs diff=lfs merge=lfs -text
+*.ods filter=lfs diff=lfs merge=lfs -text
+*.odp filter=lfs diff=lfs merge=lfs -text
+*.odg filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2cce281
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,28 @@
+# IDE folder
+/.idea
+
+# Microsoft office Lockfiles
+~$*
+*.tmp
+
+# Test files
+test.*
+*.test.*
+/test
+
+# Output of compiling
+/out
+/build
+/target
+
+# Dealing with BlueJ
+*.bluej
+*.out
+*.ctxt
+
+# Dealing with Mac users
+.DS_Store
+
+# ignore any generated images
+*.tar.xz
+/images
diff --git a/Readme.md b/Readme.md
new file mode 100644
index 0000000..81f770a
--- /dev/null
+++ b/Readme.md
@@ -0,0 +1,3 @@
+# Skynet LXC Generator
+
+
diff --git a/base.yaml b/base.yaml
new file mode 100644
index 0000000..3885be2
--- /dev/null
+++ b/base.yaml
@@ -0,0 +1,117 @@ +image: + name: debian-disco-x86_64 + distribution: debian + release: bookworm + description: |- + Debian {{ image.release }} + architecture: amd64 + +source: + downloader: debootstrap + url: http://ftp.debian.org/debian/ + +targets: + lxc: + create_message: |- + You just created an {{ image.description }} container. + + To enable SSH, run: apt install openssh-server + No default root or user password are set by LXC. + config: + - type: all + before: 5 + content: |- + lxc.include = LXC_TEMPLATE_CONFIG/debian.common.conf + + - type: user + before: 5 + content: |- + lxc.include = LXC_TEMPLATE_CONFIG/debian.userns.conf + + - type: all + after: 4 + content: |- + lxc.include = LXC_TEMPLATE_CONFIG/common.conf + + - type: user + after: 4 + content: |- + lxc.include = LXC_TEMPLATE_CONFIG/userns.conf + + - type: all + content: |- + lxc.arch = {{ image.architecture_personality }} + +files: +- path: /etc/hostname + generator: hostname + +- path: /etc/hosts + generator: hosts + +- path: /etc/resolvconf/resolv.conf.d/original + generator: remove + +- path: /etc/resolvconf/resolv.conf.d/tail + generator: remove + +- path: /etc/machine-id + generator: dump + +- path: /var/lib/dbus/machine-id + generator: remove + +- path: /skynet/resolv.conf + generator: copy + source: ./files/resolv.conf + +- path: /skynet/sshd_config + generator: copy + source: ./files/sshd_config + +- path: /skynet/sssd.conf + generator: copy + source: ./files/sssd.conf_base + +- path: /skynet/sudoers + generator: copy + source: ./files/sudoers_base + + +packages: + manager: apt + update: true + cleanup: true + sets: + - packages: + - openssh-client + - openssh-server + - sudo + action: install + + # for the sshd/login + - packages: + - sssd + - libpam-sss + - libnss-sss + - sssd-tools + - libsss-sudo + action: install + + +actions: +- trigger: post-files + action: |- + #!/bin/sh + set -eux + + cp /skynet/sshd_config /etc/ssh/sshd_config + + cp /skynet/resolv.conf /etc/resolv.conf + + cp 
/skynet/sssd.conf /etc/sssd/sssd.conf + chmod 600 /etc/sssd/sssd.conf + + cp /skynet/sudoers /etc/sudoers + chmod 440 /etc/sudoers + diff --git a/files/resolv.conf b/files/resolv.conf new file mode 100644 index 0000000..61e6455 --- /dev/null +++ b/files/resolv.conf @@ -0,0 +1,8 @@ +# --- BEGIN PVE --- +search skynet.ie +nameserver 127.0.0.1 +nameserver 10.220.1.10 +nameserver 10.150.100.10 +# --- END PVE --- +nameserver 193.1.99.120 +nameserver 193.1.99.109 diff --git a/files/sshd_config b/files/sshd_config new file mode 100644 index 0000000..36eed90 --- /dev/null +++ b/files/sshd_config 
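Review bot: The post-files action copies /skynet/sudoers straight over /etc/sudoers with no syntax check, so a typo in files/sudoers_base yields an image in which sudo refuses every invocation; add `visudo -cf /skynet/sudoers` immediately before the `cp /skynet/sudoers /etc/sudoers` line so the build aborts instead (the `set -eux` already in the action will stop it). The staging copies under /skynet are left behind in the finished image at whatever mode the copy generator gave them; sssd.conf carries no bind credentials today, but a `rm -rf /skynet` at the end of the action keeps that from turning into a leak if a bind password is ever added. Separately, the create_message still tells the user to `apt install openssh-server` although the packages section of this same file installs it, so that sentence should be dropped or reworded.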
@@ -0,0 +1,125 @@
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/files/sssd.conf b/files/sssd.conf
new file mode 100644
index 0000000..404853c
--- /dev/null
+++ b/files/sssd.conf
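Review bot: `PasswordAuthentication` is left commented, i.e. at its default of yes, and together with `UsePAM yes` and the LDAP `auth_provider` configured in files/sssd.conf_base that means sshd accepts LDAP passwords in addition to the keys served by `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys`; if key-only login is the intent, set `PasswordAuthentication no` explicitly. Because `Include /etc/ssh/sshd_config.d/*.conf` sits at the top of the file and sshd keeps the first value it sees for a keyword, any drop-in shipped in that directory silently overrides what is written here, so the drop-ins present in the image need the same check. `X11Forwarding yes` is unnecessary on a headless container and is worth turning back to `no`.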
@@ -0,0 +1,38 @@
+[domain/skynet.ie]
+id_provider = ldap
+auth_provider = ldap
+sudo_provider = ldap
+
+ldap_uri = ldap://account.skynet.ie:389
+
+ldap_search_base = dc=skynet,dc=ie
+# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
+ldap_user_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie)(skMemberOf=cn=skynet-trainees-linux,ou=groups,dc=skynet,dc=ie)(skMemberOf=cn=skynet-admins,ou=groups,dc=skynet,dc=ie))
+ldap_group_search_base = ou=groups,dc=skynet,dc=ie
+# using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US
+ldap_sudo_search_base, cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie, cn=skynet-trainees-linux,ou=groups,dc=skynet,dc=ie
+
+ldap_group_nesting_level = 5
+
+cache_credentials = false
+entry_cache_timeout = 1
+
+ldap_user_member_of = skMemberOf
+
+override_shell = /bin/bash
+#ldap_library_debug_level = -1
+ldap_scheme= rfc2307bis
+
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo, ssh
+domains = skynet.ie
+
+[nss]
+# override_homedir = /home/%u
+
+[pam]
+
+[sudo]
+
+[autofs]
diff --git a/files/sssd.conf_base b/files/sssd.conf_base
new file mode 100644
index 0000000..c7d3081
--- /dev/null
+++ b/files/sssd.conf_base
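Review bot: Two lines here are not valid sssd configuration: `ldap_sudo_search_base, cn=skynet-admins-linux,...` has no `=` and will most likely make sssd's INI parser reject the whole file, and `ldap_scheme= rfc2307bis` misspells `ldap_schema`, so that option is silently ignored and the rfc2307 default applies. Even with the `=` restored, sssd does not take a comma list for search bases — its multi-base form is `base?scope?filter` groups joined by `?` — so the value would need rewriting rather than the comma syntax the HPE link describes. This file is not referenced by base.yaml, which copies files/sssd.conf_base instead, so if it is a scratch variant either delete it or put `# NOT DEPLOYED - see sssd.conf_base` at the top so nobody ships it by mistake.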
@@ -0,0 +1,37 @@
+[domain/skynet.ie]
+id_provider = ldap
+auth_provider = ldap
+sudo_provider = ldap
+
+ldap_uri = ldap://account.skynet.ie:389
+
+ldap_search_base = dc=skynet,dc=ie
+# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
+ldap_user_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie))
+ldap_group_search_base = ou=groups,dc=skynet,dc=ie
+ldap_sudo_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie))
+
+ldap_group_nesting_level = 5
+
+cache_credentials = false
+entry_cache_timeout = 1
+
+ldap_user_member_of = skMemberOf
+
+override_shell = /bin/bash
+#ldap_library_debug_level = -1
+#ldap_schema = rfc2307bis
+
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo, ssh
+domains = skynet.ie
+
+[nss]
+# override_homedir = /home/%u
+
+[pam]
+
+[sudo]
+
+[autofs]
diff --git a/files/sudoers_base b/files/sudoers_base
new file mode 100644
index 0000000..90e808f
--- /dev/null
+++ b/files/sudoers_base
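Review bot: `ldap_uri = ldap://account.skynet.ie:389` with no `ldap_id_use_start_tls` and no `ldap_tls_cacert` means identity and group lookups — including the SSH public keys sssd hands to sshd — cross the network unencrypted and unauthenticated, so a spoofed directory could inject keys. Password authentication is a separate path: sssd refuses to send a password without StartTLS and, with the default `ldap_tls_reqcert = hard`, needs a certificate it trusts, so LDAP logins only work if the server offers StartTLS with a cert already in the system trust store; the commit says sssd works, which suggests that is the case, but nothing here shows it. Prefer `ldap_uri = ldaps://account.skynet.ie` or add `ldap_id_use_start_tls = true` and `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt` (or the directory's own CA) so lookups get the same protection as authentication.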
@@ -0,0 +1,50 @@
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults mail_badpass
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
+# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
+Defaults use_pty
+
+# This preserves proxy settings from user environments of root
+# equivalent users (group sudo)
+#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
+
+# This allows running arbitrary commands, but so does ALL, and it means
+# different sudoers have their choice of editor respected.
+#Defaults:%sudo env_keep += "EDITOR"
+
+# Completely harmless preservation of a user preference.
+#Defaults:%sudo env_keep += "GREP_COLOR"
+
+# While you shouldn't normally run git as root, you need to with etckeeper
+#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
+
+# Per-user preferences; root won't have sensible values for them.
+#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
+
+# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
+#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
+
+# Ditto for GPG agent
+#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) ALL
+%skynet-admins-linux ALL=(ALL:ALL) NOPASSWD: ALL
+
+# See sudoers(5) for more information on "@include" directives:
+
+@includedir /etc/sudoers.d
diff --git a/run.sh b/run.sh
new file mode 100755
index 0000000..59ce264
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,9 @@
+# nix-shell -p lxc debootstrap distrobuilder
+
+cp /etc/resolv.conf /etc/resolv.conf.bak
+
+distrobuilder build-lxc base.yaml ./images/base
+
+
+
+cp /etc/resolv.conf.bak /etc/resolv.conf
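Review bot: `%skynet-admins-linux ALL=(ALL:ALL) NOPASSWD: ALL` grants unconditional passwordless root to a group that is resolved from LDAP at runtime, while the same commit also sets `sudo_provider = ldap` and installs libsss-sudo, so sudo policy now has two independent sources that can drift apart. Pick one: either drop this line and manage the rule in the directory, or drop the LDAP sudo provider and its `ldap_sudo_search_base`. If NOPASSWD is deliberate — plausibly because `cache_credentials = false` would make every password prompt depend on the LDAP server being reachable — put that reason in a comment directly above the line, since to a later reader it reads as an oversight.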
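Review bot: The restore of /etc/resolv.conf is an ordinary last statement, so an interrupted build (Ctrl-C, or the shell being killed) leaves the host with whatever the build wrote there, and without `set -e` a failed backup `cp` on line 3 is ignored and the run continues; move the restore into an EXIT trap so it runs on every exit path: `#!/usr/bin/env bash`, `set -euo pipefail`, and `trap 'cp /etc/resolv.conf.bak /etc/resolv.conf' EXIT` placed right after the backup, deleting the trailing `cp`. The reason the host's resolv.conf needs saving at all is not stated; a comment such as `# the build rewrites the host's /etc/resolv.conf (TODO: confirm which step); restore it afterwards` would spare the next person rediscovering it. The script also writes to /etc, so it implicitly has to run as root — worth a `[[ $EUID -eq 0 ]] || { echo "run as root" >&2; exit 1; }` guard or a note in the header comment.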