setup an image for trainees to have access

Signed-off-by: Brendan Golden <git_laptop@brendan.ie>

base_trainee.yaml

@@ -0,0 +1,72 @@
+image:
+  name: debian-disco-x86_64
+  distribution: debian
+  release: bookworm
+  description: |-
+    Debian {{ image.release }}
+  architecture: amd64
+
+source:
+  downloader: rootfs-http
+  url: file://SKYNET_ROOT_DIR/images/base/rootfs.tar.xz
+
+targets:
+  lxc:
+    create_message: |-
+      You just created an {{ image.description }} container.
+
+      To enable SSH, run: apt install openssh-server
+      No default root or user password are set by LXC.
+    config:
+    - type: all
+      before: 5
+      content: |-
+        lxc.include = LXC_TEMPLATE_CONFIG/debian.common.conf
+
+    - type: user
+      before: 5
+      content: |-
+        lxc.include = LXC_TEMPLATE_CONFIG/debian.userns.conf
+
+    - type: all
+      after: 4
+      content: |-
+        lxc.include = LXC_TEMPLATE_CONFIG/common.conf
+
+    - type: user
+      after: 4
+      content: |-
+        lxc.include = LXC_TEMPLATE_CONFIG/userns.conf
+
+    - type: all
+      content: |-
+        lxc.arch = {{ image.architecture_personality }}
+
+files:
+- path: /skynet/sssd.conf
+  generator: copy
+  source: ./files/sssd.conf_trainee
+
+- path: /skynet/sudoers
+  generator: copy
+  source: ./files/sudoers_trainee
+
+packages:
+  manager: apt
+  update: true
+  cleanup: true
+  sets:
+
+
+actions:
+- trigger: post-files
+  action: |-
+    #!/bin/sh
+    set -eux
+
+    cp /skynet/sssd.conf /etc/sssd/sssd.conf
+    chmod 600 /etc/sssd/sssd.conf
+
+    cp /skynet/sudoers /etc/sudoers
+    chmod 440 /etc/sudoers
+

files/sssd.conf_trainee

@@ -0,0 +1,38 @@
+[domain/skynet.ie]
+id_provider = ldap
+auth_provider = ldap
+sudo_provider = ldap
+
+ldap_uri = ldap://account.skynet.ie:389
+
+ldap_search_base = dc=skynet,dc=ie
+# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
+ldap_user_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie)(skMemberOf=cn=skynet-trainees-linux,ou=groups,dc=skynet,dc=ie))
+ldap_group_search_base = ou=groups,dc=skynet,dc=ie
+# using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US
+ldap_sudo_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie)(skMemberOf=cn=skynet-trainees-linux,ou=groups,dc=skynet,dc=ie))
+
+ldap_group_nesting_level = 5
+
+cache_credentials = false
+entry_cache_timeout = 1
+
+ldap_user_member_of = skMemberOf
+
+override_shell = /bin/bash
+#ldap_library_debug_level = -1
+#ldap_schema = rfc2307bis
+
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo, ssh
+domains = skynet.ie
+
+[nss]
+# override_homedir = /home/%u
+
+[pam]
+
+[sudo]
+
+[autofs]

files/sudoers_trainee

@@ -0,0 +1,51 @@
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults        env_reset
+Defaults        mail_badpass
+Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
+# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
+Defaults        use_pty
+
+# This preserves proxy settings from user environments of root
+# equivalent users (group sudo)
+#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
+
+# This allows running arbitrary commands, but so does ALL, and it means
+# different sudoers have their choice of editor respected.
+#Defaults:%sudo env_keep += "EDITOR"
+
+# Completely harmless preservation of a user preference.
+#Defaults:%sudo env_keep += "GREP_COLOR"
+
+# While you shouldn't normally run git as root, you need to with etckeeper
+#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
+
+# Per-user preferences; root won't have sensible values for them.
+#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
+
+# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
+#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
+
+# Ditto for GPG agent
+#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo                   ALL=(ALL:ALL)           ALL
+%skynet-admins-linux    ALL=(ALL:ALL) NOPASSWD: ALL
+%skynet-trainees-linux  ALL=(ALL:ALL)           ALL
+
+# See sudoers(5) for more information on "@include" directives:
+
+@includedir /etc/sudoers.d

run.sh

@@ -1,9 +1,50 @@
 # nix-shell -p lxc debootstrap distrobuilder
 
-cp /etc/resolv.conf /etc/resolv.conf.bak
+function setup(){
+  cp /etc/resolv.conf /etc/resolv.conf.bak
+}
 
-distrobuilder build-lxc base.yaml ./images/base
+function cleanup(){
+  cp /etc/resolv.conf.bak /etc/resolv.conf
+
+  # reset permissions of output folder to the owner
+  local owner=$(ls -ld $PWD | awk '{print $3}')
+  local group=$(ls -ld $PWD | awk '{print $4}')
+
+  chown -R "$owner:$group" ./images
+}
 
 
+function build () {
+  local config="$1"
+  local location="$2"
 
-cp /etc/resolv.conf.bak /etc/resolv.conf
+  # file:// cannot have relative paths, so use a bit of subsitution to fix
+  if grep -q SKYNET_ROOT_DIR "$config"; then
+
+    # create a copy with the file
+    cp "$config" "$config.tmp"
+    # sed normally uses / but that conflcts with file paths so use @ instead
+    sed -i "s@SKYNET_ROOT_DIR@$PWD@g" "$config.tmp"
+
+    # normal command
+    distrobuilder build-lxc "$config.tmp" $location
+
+    # cleanup
+    rm "$config.tmp"
+  else
+    distrobuilder build-lxc $config $location
+  fi
+}
+
+function main(){
+  setup
+
+  build base.yaml ./images/base
+  build base_trainee.yaml ./images/base_trainee
+
+  cleanup
+}
+
+
+main