mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2024-09-22 04:42:02 +02:00
Code Issues

Restrict the users on mail.a.o to the passwd command

Browse Source 
The users are only meant as a way to change the mail password and
setting up forwarding (~/.forward), the latter will be handled by the
DevOps team now.
This commit is contained in:
Kristian Klausen 2021-07-09 00:08:48 +02:00
parent 4104404f2d
commit db2a1bf348
2 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
playbooks/mail.archlinux.org.yml
View File

@ -15,7 +15,7 @@
- { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] }
- { role: unbound, unbound_port: 5353, tags: ["mail"] }
- { role: postfwd, tags: ['mail'] }
- { role: archusers }
- { role: archusers, archusers_ssh_options: 'command="/usr/bin/passwd",restrict,pty' }
- { role: fail2ban }
- { role: prometheus_exporters }
- { role: promtail }

11
roles/archusers/templates/authorized_keys.j2
View File

@ -1,9 +1,16 @@
#jinja2: lstrip_blocks: True
{{ lookup('file', '../pubkeys/' + item.value.ssh_key) }}
{% set keys = [item.value.ssh_key] %}
{% if item.value.additional_ssh_keys is defined %}
{% for key in item.value.additional_ssh_keys %}
{% if inventory_hostname in key.hosts or 'all' in key.hosts %}
{{ lookup('file', '../pubkeys/' + key.name) }}
{{- keys.append(key.name) -}}
{% endif %}
{% endfor %}
{% endif %}
{% for key in keys %}
{% if archusers_ssh_options is defined %}
{{ lookup('file', '../pubkeys/' + key) | regex_replace('(.*\S.*)', archusers_ssh_options + ' \\1') }}
{% else %}
{{ lookup('file', '../pubkeys/' + key) }}
{% endif %}
{% endfor %}