authormakefu <github@syntax-fehler.de>2016-02-04 19:37:09 +0100
committermakefu <github@syntax-fehler.de>2016-02-04 19:37:09 +0100
commit797eba3591e4ede5533cb0df9873a2d2db731605 (patch)
treef431cb875f3bacefd8041cd1aedd3100ef414ac9
parentf90239248b804751ac49d743cec75f46148c9605 (diff)
host: mark created files, generate ssh key file
-rw-r--r--init-stockholm/host.py66
1 files changed, 58 insertions, 8 deletions
diff --git a/init-stockholm/host.py b/init-stockholm/host.py
index 37de06e..08e3c62 100644
--- a/init-stockholm/host.py
+++ b/init-stockholm/host.py
@@ -5,6 +5,9 @@ Options:
--secrets-dir DIR Path to secrets [Default: ~/secrets/]
--stockholm-dir DIR Path to stockholm [Default: ~/stockholm/]
--username USER Primary username of the new host [Default: $LOGNAME]
+
+ --create-ssh-keys creates <secrets/ssh.id_$type> via ssh-keygen
+ --ssh-key-type TYPE Type of the ssh key to generate [Default: ed25519]
--create-passwords creates <secrets/hashedPasswords.nix>, password input is interactive
Tinc keys are stored in secrets-dir/HOSTNAME/retiolum.rsa_key.priv .
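Review bot: The new `--create-ssh-keys` help text says the key is written to `<secrets/ssh.id_$type>`, but `generate_ssh_keys` in a later hunk builds the path as `"{}/ssh_host_{}_key".format(secrets_dir,typ)`, so the usage text and the code disagree on the file name. Since this docstring is the docopt usage, it is also what users read to find the file; suggest `--create-ssh-keys creates <secrets/ssh_host_$type_key> via ssh-keygen` (or renaming the file in the code, whichever naming stockholm expects). The module docstring this hunk edits starts and ends outside the hunk.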
@@ -14,8 +17,15 @@ import sys
import os
from os.path import join as path_join,exists
import logging as log
+from subprocess import Popen,PIPE
log.basicConfig(level=log.DEBUG)
+# a list of all the files which have been created with this script
+created = []
+def mark(f):
+ log.info("created {}".format(f))
+ created.append(f)
+
def retiolum_ip(hostname):
""" warning this function actually writes stuff to the disk
"""
@@ -57,14 +67,21 @@ def write_stockholm_1systems(ret,stockholm_dir):
device = "/dev/sda1";
}};
}}""".format(**ret))
+ mark(p)
def print_stockholm_krebs_entry(ret):
+ if "ssh" in ret:
+ ret['ssh_entry'] = """
+ssh.privkey.path = <{key_file}>;
+ssh.pubkey = "{pubkey}";""".format(**ret['ssh'])
+ else:
+ ret['ssh_entry'] = ""
print("""# this entry is autogenerated and can be added to
# stockholm/krebs/3modules/{username}/default.nix
{hostname} = rec {{
cores = 1;
- dc = "none";
+ {ssh_entry}
nets = {{
retiolm = {{
addrs4 = ["{v4}"];
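Review bot: The added `ssh.privkey.path = <{key_file}>;` wraps the value in Nix angle brackets, which is a NIX_PATH search-path lookup rather than a literal file path, yet `key_file` comes from `generate_ssh_keys` as the concrete filesystem path built from `secrets_dir` (e.g. something under `~/secrets/HOSTNAME/`); the usage text in this commit's first hunk suggests the `<secrets/...>` relative form is what stockholm expects. Please confirm which form the consuming Nix expression resolves and emit that one, or emit a plain string if an absolute path is intended. Separately, the new branch writes `ret['ssh_entry']` into the caller's dict purely to feed the template, which is a hidden side effect on `ret`; a local `ssh_entry = ...` passed as `.format(ssh_entry=ssh_entry, **ret)` would keep the function read-only. `print_stockholm_krebs_entry` continues past the end of this hunk.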
@@ -85,12 +102,12 @@ def create_zhosts_file(ret,path):
for i in ('v4','v6'):
f.write("Subnet = {}\n".format(ret[i]))
f.write(ret['pubkey'])
+ mark(path)
def generate_tinc_keys(base):
""" creates tinc public and private keys in `base`
returns rsa public key
"""
- from subprocess import Popen,PIPE
import shutil
from os import rmdir
from tempfile import mkdtemp
@@ -99,15 +116,38 @@ def generate_tinc_keys(base):
process.communicate()
for i in ["ed25519_key.priv", "ed25519_key.pub",
"rsa_key.priv","rsa_key.pub"]:
- shutil.move(path_join(tmpdir,i),base+"."+i)
+ fname = base+"."+i
+ shutil.move(path_join(tmpdir,i),fname)
+ mark(fname)
# should be empty now
shutil.rmtree(tmpdir)
with open(base+".rsa_key.pub") as pubfile:
return pubfile.read()
+def generate_ssh_keys(secrets_dir,hostname,typ="ed25519"):
+ """creates a ssh public-private keypair in `base`"""
+ # default sshd format
+ key_file = "{}/ssh_host_{}_key".format(secrets_dir,typ)
+ pub_file = key_file+".pub"
+
+ if exists(key_file):
+ log.error("{} already exists".format(key_file))
+ log.error("Use another hostname or remove the folder to continue")
+ sys.exit(1)
+ Popen(["ssh-keygen","-C",hostname,
+ "-t",typ,
+ "-f",key_file,
+ "-N",""]).communicate()
+ with open(pub_file) as f:
+ pubkey = f.read()
+ os.unlink(pub_file)
+ mark(key_file)
+ return { "pubkey": pubkey, "key_file": key_file }
+
def prepare_secrets(sec):
if not exists(sec):
os.makedirs(sec,mode=488)
+ mark(sec)
log.info("Creating {}".format(sec))
else:
log.error(" {} already exists".format(sec))
@@ -127,7 +167,8 @@ location via cli options (--help)")
def create_passwords(sec,usernames):
import crypt
from getpass import getpass
- with open(path_join(sec,"hashedPasswords.nix"),"w+") as f:
+ shadow = path_join(sec,"hashedPasswords.nix")
+ with open(shadow, "w+")as f:
f.write("{\n")
for usr in usernames:
# TODO: do not block, set password via another channel
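Review bot: The new `shadow` file holding the SHA-512 password hashes is still opened with plain `open(shadow, "w+")`, so it is created with the process umask (typically world-readable) inside a secrets directory that `prepare_secrets` makes with mode 0o750. Create it with an explicit owner-only mode instead: `with open(os.open(shadow, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:` — `os` is already imported at module level, and the `+` (read) half of `"w+"` is not used by the writes that follow. Minor: `"w+")as f` is missing the space before `as`. `create_passwords` continues past this hunk.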
@@ -135,7 +176,8 @@ def create_passwords(sec,usernames):
crypted = crypt.crypt(pw, crypt.mksalt(crypt.METHOD_SHA512))
f.write(' {} = "{}";\n'.format(usr,crypted))
f.write("}\n")
-
+ mark(shadow)
+ return shadow
def main():
from os.path import expanduser,expandvars
@@ -157,13 +199,21 @@ def main():
# generate tinc keys, return pubkey
retiolum = path_join(secrets_dir,hostname,"retiolum")
ret['pubkey'] = generate_tinc_keys(retiolum)
-
create_zhosts_file(ret,path_join(stockholm_dir,"krebs/Zhosts",hostname))
+ if args["--create-passwords"]:
+ ret['shadow'] = create_passwords(host_secrets,["root",username])
+
+ if args["--create-ssh-keys"]:
+ ret['ssh'] = generate_ssh_keys(path_join(secrets_dir,hostname),
+ hostname,
+ typ=args['--ssh-key-type'])
+
write_stockholm_1systems(ret,stockholm_dir)
print_stockholm_krebs_entry(ret)
- if args["--create-passwords"]:
- create_passwords(host_secrets,["root",username])
+
+ log.info("The following files have been created on your behalf:")
+ for f in created: log.info(" "+f)
if __name__ == '__main__':
main()
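Review bot: The closing summary puts the loop body on the same line as the `for` and builds the message with `+`; split it and let `logging` format lazily: `for f in created:` / `    log.info("  %s", f)`. Also `ret['shadow']` is assigned from `create_passwords` but nothing visible in this diff reads it — if the Nix templates do not consume it, the assignment is dead and the call can stay a plain statement. The hunk header counts more lines than are shown here, so some blank context lines appear to have been dropped in rendering; `main` may not end exactly where this excerpt does.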