initial commit with a working debian base and sssd working correctly

Signed-off-by: Brendan Golden <git_laptop@brendan.ie>
This commit is contained in:
silver 2024-01-24 16:56:57 +00:00
commit 4011c11acf
10 changed files with 463 additions and 0 deletions

48
.gitattributes vendored Normal file
View file

@ -0,0 +1,48 @@
# Git config here
* text eol=lf
#############################################
# Git lfs stuff
# Documents
*.pdf filter=lfs diff=lfs merge=lfs -text
*.doc filter=lfs diff=lfs merge=lfs -text
*.docx filter=lfs diff=lfs merge=lfs -text
# Excel
*.xls filter=lfs diff=lfs merge=lfs -text
*.xlsx filter=lfs diff=lfs merge=lfs -text
*.xlsm filter=lfs diff=lfs merge=lfs -text
# Powerpoints
*.ppt filter=lfs diff=lfs merge=lfs -text
*.pptx filter=lfs diff=lfs merge=lfs -text
# Images
*.png filter=lfs diff=lfs merge=lfs -text
*.jpg filter=lfs diff=lfs merge=lfs -text
# Video
*.mkv filter=lfs diff=lfs merge=lfs -text
*.mp4 filter=lfs diff=lfs merge=lfs -text
# Misc
*.zip filter=lfs diff=lfs merge=lfs -text
# ET4011
*.cbe filter=lfs diff=lfs merge=lfs -text
*.pbs filter=lfs diff=lfs merge=lfs -text
# Open/Libre office
# from https://www.libreoffice.org/discover/what-is-opendocument/
*.odt filter=lfs diff=lfs merge=lfs -text
*.ods filter=lfs diff=lfs merge=lfs -text
*.odp filter=lfs diff=lfs merge=lfs -text
*.odg filter=lfs diff=lfs merge=lfs -text

28
.gitignore vendored Normal file
View file

@ -0,0 +1,28 @@
# IDE folder
/.idea
# Microsoft office Lockfiles
~$*
*.tmp
# Test files
test.*
*.test.*
/test
# Output of compiling
/out
/build
/target
# Dealing with BlueJ
*.bluej
*.out
*.ctxt
# Dealing with Mac users
.DS_Store
# ignore any generated images
*.tar.xz
/images

3
Readme.md Normal file
View file

@ -0,0 +1,3 @@
# Skynet LXC Generator

117
base.yaml Normal file
View file

@ -0,0 +1,117 @@
image:
name: debian-disco-x86_64
distribution: debian
release: bookworm
description: |-
Debian {{ image.release }}
architecture: amd64
source:
downloader: debootstrap
url: http://ftp.debian.org/debian/
targets:
lxc:
create_message: |-
You just created an {{ image.description }} container.
To enable SSH, run: apt install openssh-server
No default root or user password are set by LXC.
config:
- type: all
before: 5
content: |-
lxc.include = LXC_TEMPLATE_CONFIG/debian.common.conf
- type: user
before: 5
content: |-
lxc.include = LXC_TEMPLATE_CONFIG/debian.userns.conf
- type: all
after: 4
content: |-
lxc.include = LXC_TEMPLATE_CONFIG/common.conf
- type: user
after: 4
content: |-
lxc.include = LXC_TEMPLATE_CONFIG/userns.conf
- type: all
content: |-
lxc.arch = {{ image.architecture_personality }}
files:
- path: /etc/hostname
generator: hostname
- path: /etc/hosts
generator: hosts
- path: /etc/resolvconf/resolv.conf.d/original
generator: remove
- path: /etc/resolvconf/resolv.conf.d/tail
generator: remove
- path: /etc/machine-id
generator: dump
- path: /var/lib/dbus/machine-id
generator: remove
- path: /skynet/resolv.conf
generator: copy
source: ./files/resolv.conf
- path: /skynet/sshd_config
generator: copy
source: ./files/sshd_config
- path: /skynet/sssd.conf
generator: copy
source: ./files/sssd.conf_base
- path: /skynet/sudoers
generator: copy
source: ./files/sudoers_base
packages:
manager: apt
update: true
cleanup: true
sets:
- packages:
- openssh-client
- openssh-server
- sudo
action: install
# for the sshd/login
- packages:
- sssd
- libpam-sss
- libnss-sss
- sssd-tools
- libsss-sudo
action: install
actions:
- trigger: post-files
action: |-
#!/bin/sh
set -eux
cp /skynet/sshd_config /etc/ssh/sshd_config
cp /skynet/resolv.conf /etc/resolv.conf
cp /skynet/sssd.conf /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
cp /skynet/sudoers /etc/sudoers
chmod 440 /etc/sudoers

8
files/resolv.conf Normal file
View file

@ -0,0 +1,8 @@
# --- BEGIN PVE ---
search skynet.ie
nameserver 127.0.0.1
nameserver 10.220.1.10
nameserver 10.150.100.10
# --- END PVE ---
nameserver 193.1.99.120
nameserver 193.1.99.109

125
files/sshd_config Normal file
View file

@ -0,0 +1,125 @@
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

38
files/sssd.conf Normal file
View file

@ -0,0 +1,38 @@
[domain/skynet.ie]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://account.skynet.ie:389
ldap_search_base = dc=skynet,dc=ie
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie)(skMemberOf=cn=skynet-trainees-linux,ou=groups,dc=skynet,dc=ie)(skMemberOf=cn=skynet-admins,ou=groups,dc=skynet,dc=ie))
ldap_group_search_base = ou=groups,dc=skynet,dc=ie
# using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US
ldap_sudo_search_base, cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie, cn=skynet-trainees-linux,ou=groups,dc=skynet,dc=ie
ldap_group_nesting_level = 5
cache_credentials = false
entry_cache_timeout = 1
ldap_user_member_of = skMemberOf
override_shell = /bin/bash
#ldap_library_debug_level = -1
ldap_scheme= rfc2307bis
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = skynet.ie
[nss]
# override_homedir = /home/%u
[pam]
[sudo]
[autofs]

37
files/sssd.conf_base Normal file
View file

@ -0,0 +1,37 @@
[domain/skynet.ie]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://account.skynet.ie:389
ldap_search_base = dc=skynet,dc=ie
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie))
ldap_group_search_base = ou=groups,dc=skynet,dc=ie
ldap_sudo_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie))
ldap_group_nesting_level = 5
cache_credentials = false
entry_cache_timeout = 1
ldap_user_member_of = skMemberOf
override_shell = /bin/bash
#ldap_library_debug_level = -1
#ldap_schema = rfc2307bis
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = skynet.ie
[nss]
# override_homedir = /home/%u
[pam]
[sudo]
[autofs]

50
files/sudoers_base Normal file
View file

@ -0,0 +1,50 @@
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
Defaults use_pty
# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"
# Completely harmless preservation of a user preference.
#Defaults:%sudo env_keep += "GREP_COLOR"
# While you shouldn't normally run git as root, you need to with etckeeper
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
# Per-user preferences; root won't have sensible values for them.
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
# Ditto for GPG agent
#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
%skynet-admins-linux ALL=(ALL:ALL) NOPASSWD: ALL
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d

9
run.sh Executable file
View file

@ -0,0 +1,9 @@
# nix-shell -p lxc debootstrap distrobuilder
cp /etc/resolv.conf /etc/resolv.conf.bak
distrobuilder build-lxc base.yaml ./images/base
cp /etc/resolv.conf.bak /etc/resolv.conf