| -rwxr-xr-x | authorized_keys.sh | 3 | ||||
| -rwxr-xr-x | autopeer_shell.py | 6 | ||||
| -rw-r--r-- | config.py | 2 | ||||
| -rwxr-xr-x | cronjob.py | 4 | ||||
| -rw-r--r-- | install.sh | 2 | ||||
| -rw-r--r-- | lib_autopeer.py | 2 | ||||
| -rw-r--r-- | sshd_config | 4 |
7 files changed, 13 insertions, 10 deletions
diff --git a/authorized_keys.sh b/authorized_keys.sh
index 867d153..1ee9f73 100755
--- a/authorized_keys.sh
+++ b/authorized_keys.sh
@@ -6,9 +6,10 @@ user="$1"
 if [ "$1" = "new" ]; then
 type="$2"
 key="$3"
+ connection="$4"
 if user="$(grep -l -s -r -P '^\s*auth:\s*\Q'"$type"'\E\s+\Q'"$key"'\E$' /opt/autopeer/dn42-registry/data/mntner/ | perl -ne 's@^.*/@@; s@-MNT$@@; print lc;' | head -1)"; then
 perl -ne 'print if s@^\s*auth:\s*ssh-@restrict,pty ssh-@' </opt/autopeer/dn42-registry/data/mntner/"$(echo "$user" | perl -ne 's@$@-MNT@; print uc;')"
- /usr/sbin/adduser --disabled-password --quiet --comment "created at $(date +%s) by $key" --ingroup autopeer "$user"
+ /usr/sbin/adduser --disabled-password --quiet --comment "created at $(date +%s) by $key $connection" --ingroup autopeer "$user"
 fi
 else # not new user
 perl -ne 'print if s@^\s*auth:\s*ssh-@restrict,pty ssh-@' </opt/autopeer/dn42-registry/data/mntner/"$(echo "$user" | perl -ne 's@$@-MNT@; print uc;')"
diff --git a/autopeer_shell.py b/autopeer_shell.py
index d981676..6b31ecb 100755
--- a/autopeer_shell.py
+++ b/autopeer_shell.py
@@ -29,9 +29,11 @@ def as_from_user(which=None):
 else:
 print(f"oops, something went wrong getting your ASes, specifically: (unknown)", file=sys.stderr)
- if which is None:
+ if MY_ASN in user_ases and which: # allow owner to operate as anyone
+ return which
+ elif which is None: # at startup, use the first found
 return user_ases[0]
- elif which in user_ases:
+ elif which in user_ases: # if the user picked an AS in their list
 return which
 else:
 raise Exception('not yours')
@@ -1,4 +1,4 @@
-MY_ASN = '4242422452'
+MY_ASN = 4242422452
 MY_IPLL = 'fe80::800:8135'
 import socket
 MY_ENDPOINT = socket.getfqdn()
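Review bot: The added `connection="$4"` ends up in the account's GECOS field through `--comment`, and sshd's `%C` (which the sshd_config hunk of this commit passes as the fourth argument) is four space-separated endpoint values, so for an IPv6 client it contains colons; `useradd`/`adduser` reject a comment containing `:`, so the `+ /usr/sbin/adduser ...` line would most likely fail for exactly those clients, which on a dn42 host is probably most of them. Translate the colons before use, e.g. `connection="${4//:/_}"`, or store only the client address part. The script should also document the new argument at its top, e.g. `# $4: sshd %C (client addr, client port, server addr, server port)`, since nothing in the file says where it comes from. The `if` that this hunk sits in starts at `user="$1"` above the hunk and its `else` branch continues below it.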
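Review bot: `if MY_ASN in user_ases and which:` compares the constant against whatever `user_ases` holds, and the config.py hunk in this same commit changes `MY_ASN` from the string `'4242422452'` to the int `4242422452`; unless `user_ases` is built from ints (its construction is above the hunk and not visible), the membership test is always false and the owner override silently never fires — fail-closed, but dead code that nobody will notice. Normalise both sides to one type where `user_ases` is built, or compare `str(MY_ASN) in map(str, user_ases)` here, and document the intended type on the constant in config.py. The override branch also returns `which` with none of the validation the `elif which in user_ases` branch gives it, and the ASN later lands in file names and a `systemctl` command string in cronjob.py, so the override should at least reject a value that is not ASN-shaped before returning it. `as_from_user` begins above the hunk.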
@@ -10,11 +10,11 @@ while row := curs.fetchone():
 name, asn = row
 print(f'Processing {asn}-{name}...')
 birdcfg = open(f'/etc/bird/peers/as{asn}{name}.conf', 'w')
- wgcfg = open(f'/etc/wireguard/wg{asn%10000}{name}.conf', 'w')
+ wgcfg = open(f'/etc/wireguard/wg{asn%10000:04}{name}.conf', 'w')
 print(_bird_config(name, _get_peer_info(name, asn), _get_my_info(asn)), file=birdcfg)
 print(_wg_config(name, _get_peer_info(name, asn), _get_my_info(asn)), file=wgcfg)
 birdcfg.close()
 wgcfg.close()
- os.system(f'systemctl enable --now wg-quick@wg-{asn}-{name}')
+ os.system(f'systemctl enable --now wg-quick@wg{asn%10000:04}{name}')
 os.system('birdc configure')
@@ -11,7 +11,7 @@ addgroup autopeer
 adduser --disabled-password --comment '' new
 git -c core.sshcommand="ssh -i /opt/autopeer/id_autopeer" git clone git@git.dn42.dev:dn42/registry.git /opt/autopeer/dn42-registry
-echo '47 * * * * root git -c core.sshcommand="ssh -i /opt/autopeer/id_autopeer" -C /opt/autopeer/dn42-registry pull' >>/etc/cron.d/autopeer
+echo '47 * * * * root git -c merge.verifysignatures=false -c core.sshcommand="ssh -i /opt/autopeer/id_autopeer" -C /opt/autopeer/dn42-registry pull' >>/etc/cron.d/autopeer
 echo '*/5 * * * * root /opt/autopeer/cronjob.py' >>/etc/cron.d/autopeer
 mkdir /opt/autopeer/db
diff --git a/lib_autopeer.py b/lib_autopeer.py
index 283f71b..3d1652f 100644
--- a/lib_autopeer.py
+++ b/lib_autopeer.py
@@ -38,7 +38,7 @@ protocol bgp as{far_side.asn}{name} from dnpeers {{
 import where dn42_import_filter({filter});
 export where dn42_export_filter({filter});
 }};
- interface "wg-{far_side.asn}-{name}";
+ interface "wg{far_side.asn%10000:04}{name}";
 }};
 '''
diff --git a/sshd_config b/sshd_config
index a6bf121..3b5e925 100644
--- a/sshd_config
+++ b/sshd_config
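Review bot: `wg{asn%10000:04}{name}` is now spelled out three times in this commit (both changed lines here and the template line in lib_autopeer.py), and `asn%10000` raises `TypeError` if the database hands `asn` back as text — the same type question the `MY_ASN` change in config.py raises; one helper in lib_autopeer.py, `def wg_ifname(asn, name): return f'wg{int(asn)%10000:04}{name}'`, used in all three places would keep the names from drifting apart again. The `+ os.system(f'systemctl enable --now wg-quick@...')` line still interpolates `name` into a shell string; unless `name` is validated where it is accepted (not visible here), `subprocess.run(['systemctl', 'enable', '--now', f'wg-quick@{wg_ifname(asn, name)}'], check=True)` takes the shell out of the path and also surfaces a failed enable instead of ignoring the exit status. Nothing in the change disables or removes the previously enabled `wg-quick@wg-{asn}-{name}` units and their config files, so after deployment an existing peer would presumably get both the old and the new interface until they are cleaned up. The `while row := curs.fetchone():` loop starts above the hunk.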
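Review bot: `-c merge.verifysignatures=false` on the cron `git pull` switches off the only client-side integrity check on the registry checkout that `authorized_keys.sh` (also in this diff) greps to decide who may log in, so from then on whatever the remote serves over that SSH connection is trusted as-is. If this is a workaround for pulls failing on unsigned merge commits, say so in a comment in the script, and pair it with `pull --ff-only` so an unexpected rewritten history is refused rather than merged, and pin the server's host key for the cron ssh (e.g. `-o UserKnownHostsFile=<path>` and `-o StrictHostKeyChecking=yes` in the sshcommand), since the transport is now the whole trust chain. The unchanged clone line above reads `git -c ... git clone ...` with `git` repeated, which looks like a pre-existing typo unless the rendering doubled it.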
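Review bot: The name in `interface "wg{far_side.asn%10000:04}{name}";` has to match what wg-quick creates, and Linux limits interface names to 15 characters, so with `wg` plus four digits the `name` part may be at most 9 characters; nothing in this diff enforces that, and a longer peer name would give a unit that cannot create its interface and a bird protocol bound to an interface that never appears. A length check where the name is accepted, plus a comment on this line such as `# 'wg' + 4 digits + name must stay within the 15-char interface name limit`, would make the constraint visible. Note also that `asn%10000` maps every ASN with the same last four digits onto the same interface and file names, so two peers sharing those digits and the same `name` would collide. The f-string template this line belongs to starts above the hunk.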
@@ -1,5 +1,5 @@
 Match user new
- AuthorizedKeysCommand /opt/autopeer/authorized_keys.sh %u %t %k
+ AuthorizedKeysCommand /opt/autopeer/authorized_keys.sh %u %t %k %C
 AuthorizedKeysCommandUser root
 AuthenticationMethods publickey
 AllowAgentForwarding no
@@ -12,7 +12,7 @@ Match user new
 ForceCommand /opt/autopeer/new_user_created.sh
 Match group autopeer
- AuthorizedKeysCommand /opt/autopeer/authorized_keys.sh %u %t %k
+ AuthorizedKeysCommand /opt/autopeer/authorized_keys.sh %u %t %k %C
 AuthorizedKeysCommandUser root
 AuthenticationMethods publickey
 AllowAgentForwarding no
|
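Review bot: `%C` in both changed `AuthorizedKeysCommand` lines (the hunk at line 1 and the one at line 12) is expanded into a single argument holding four space-separated values, which is what `authorized_keys.sh` in this diff reads as `$4`; the token is only understood by OpenSSH releases that support `%C` for AuthorizedKeysCommand, and an older sshd would presumably fail the key lookup at login time rather than at config check time, so the required version belongs in a comment next to the line, e.g. `# %C = client addr/port, server addr/port; needs an sshd that expands %C here`. Separately, both blocks keep `AuthorizedKeysCommandUser root` while only the `new` block needs root (the script's `new` branch calls adduser); the `Match group autopeer` block only reads registry files in the script's `else` branch, so a dedicated unprivileged AuthorizedKeysCommandUser there would shrink the root-exposed surface for every returning login.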
