From 797eba3591e4ede5533cb0df9873a2d2db731605 Mon Sep 17 00:00:00 2001
From: makefu
Date: Thu, 4 Feb 2016 19:37:09 +0100
Subject: host: mark created files, generate ssh key file

---
 init-stockholm/host.py | 66 ++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 58 insertions(+), 8 deletions(-)

diff --git a/init-stockholm/host.py b/init-stockholm/host.py
index 37de06e..08e3c62 100644
--- a/init-stockholm/host.py
+++ b/init-stockholm/host.py
@@ -5,6 +5,9 @@ Options:
 --secrets-dir DIR Path to secrets [Default: ~/secrets/]
 --stockholm-dir DIR Path to stockholm [Default: ~/stockholm/]
 --username USER Primary username of the new host [Default: $LOGNAME]
+
+ --create-ssh-keys creates via ssh-keygen
+ --ssh-key-type TYPE Type of the ssh key to generate [Default: ed25519]
 --create-passwords creates , password input is interactive
 Tinc keys are stored in secrets-dir/HOSTNAME/retiolum.rsa_key.priv .
@@ -14,8 +17,15 @@ import sys
 import os
 from os.path import join as path_join,exists
 import logging as log
+from subprocess import Popen,PIPE
 log.basicConfig(level=log.DEBUG)
+# a list of all the files which have been created with this script
+created = []
+def mark(f):
+ log.info("created {}".format(f))
+ created.append(f)
+
 def retiolum_ip(hostname):
 """ warning this function actually writes stuff to the disk """
@@ -57,14 +67,21 @@ def write_stockholm_1systems(ret,stockholm_dir):
 device = "/dev/sda1";
 }};
 }}""".format(**ret))
+ mark(p)
 def print_stockholm_krebs_entry(ret):
+ if "ssh" in ret:
+ ret['ssh_entry'] = """
+ssh.privkey.path = <{key_file}>;
+ssh.pubkey = "{pubkey}";""".format(**ret['ssh'])
+ else:
+ ret['ssh_entry'] = ""
 print("""# this entry is autogenerated and can be added to
 # stockholm/krebs/3modules/{username}/default.nix
 {hostname} = rec {{
 cores = 1;
- dc = "none";
+ {ssh_entry}
 nets = {{
 retiolm = {{
 addrs4 = ["{v4}"];
@@ -85,12 +102,12 @@ def create_zhosts_file(ret,path):
 for i in ('v4','v6'):
 f.write("Subnet = {}\n".format(ret[i]))
 f.write(ret['pubkey'])
+ mark(path)
 def generate_tinc_keys(base):
 """ creates tinc public and private keys in `base` returns rsa public key """
- from subprocess import Popen,PIPE
 import shutil
 from os import rmdir
 from tempfile import mkdtemp
@@ -99,15 +116,38 @@ def generate_tinc_keys(base):
 process.communicate()
 for i in ["ed25519_key.priv", "ed25519_key.pub",
 "rsa_key.priv","rsa_key.pub"]:
- shutil.move(path_join(tmpdir,i),base+"."+i)
+ fname = base+"."+i
+ shutil.move(path_join(tmpdir,i),fname)
+ mark(fname)
 # should be empty now
 shutil.rmtree(tmpdir)
 with open(base+".rsa_key.pub") as pubfile:
 return pubfile.read()
+def generate_ssh_keys(secrets_dir,hostname,typ="ed25519"):
+ """creates a ssh public-private keypair in `base`"""
+ # default sshd format
+ key_file = "{}/ssh_host_{}_key".format(secrets_dir,typ)
+ pub_file = key_file+".pub"
+
+ if exists(key_file):
+ log.error("{} already exists".format(key_file))
+ log.error("Use another hostname or remove the folder to continue")
+ sys.exit(1)
+ Popen(["ssh-keygen","-C",hostname,
+ "-t",typ,
+ "-f",key_file,
+ "-N",""]).communicate()
+ with open(pub_file) as f:
+ pubkey = f.read()
+ os.unlink(pub_file)
+ mark(key_file)
+ return { "pubkey": pubkey, "key_file": key_file }
+
 def prepare_secrets(sec):
 if not exists(sec):
 os.makedirs(sec,mode=488)
+ mark(sec)
 log.info("Creating {}".format(sec))
 else:
 log.error(" {} already exists".format(sec))
@@ -127,7 +167,8 @@ location via cli options (--help)")
 def create_passwords(sec,usernames):
 import crypt
 from getpass import getpass
- with open(path_join(sec,"hashedPasswords.nix"),"w+") as f:
+ shadow = path_join(sec,"hashedPasswords.nix")
+ with open(shadow, "w+")as f:
 f.write("{\n")
 for usr in usernames:
 # TODO: do not block, set password via another channel
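Review bot: generate_ssh_keys never checks that ssh-keygen succeeded: the Popen object is thrown away right after `.communicate()`, so a non-zero exit (an unsupported `-t` value coming from --ssh-key-type, an unwritable secrets directory) is only noticed when `open(pub_file)` raises FileNotFoundError a line later, with no hint about the real cause. Keep the process object and stop on failure: `proc = Popen([...])`, `proc.communicate()`, then `if proc.returncode != 0: log.error("ssh-keygen failed ({})".format(proc.returncode)); sys.exit(1)`. The docstring still says the keypair is created in `base`, but the parameter is `secrets_dir`; suggest `"""creates the sshd host keypair ssh_host_<typ>_key under secrets_dir, returns its public key and removes the .pub file"""`. The key path is also assembled with `"{}/ssh_host_{}_key".format(secrets_dir,typ)` while the rest of the file uses path_join, e.g. `key_file = path_join(secrets_dir, "ssh_host_{}_key".format(typ))`.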
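Review bot: `with open(shadow, "w+")as f:` is missing the space before `as`, and the file holding the SHA-512 password hashes is created with whatever the process umask allows (0644 under the usual 022), relying solely on the enclosing directory created with `os.makedirs(sec,mode=488)` for protection. Since the line is being rewritten anyway, give the file a restrictive mode of its own: `with os.fdopen(os.open(shadow, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:`. The `"w+"` read/write mode is not needed either; the function only writes. create_passwords continues in the next hunk.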
@@ -135,7 +176,8 @@ def create_passwords(sec,usernames):
 crypted = crypt.crypt(pw, crypt.mksalt(crypt.METHOD_SHA512))
 f.write(' {} = "{}";\n'.format(usr,crypted))
 f.write("}\n")
-
+ mark(shadow)
+ return shadow
 def main():
 from os.path import expanduser,expandvars
@@ -157,13 +199,21 @@ def main():
 # generate tinc keys, return pubkey
 retiolum = path_join(secrets_dir,hostname,"retiolum")
 ret['pubkey'] = generate_tinc_keys(retiolum)
- create_zhosts_file(ret,path_join(stockholm_dir,"krebs/Zhosts",hostname))
+ if args["--create-passwords"]:
+ ret['shadow'] = create_passwords(host_secrets,["root",username])
+
+ if args["--create-ssh-keys"]:
+ ret['ssh'] = generate_ssh_keys(path_join(secrets_dir,hostname),
+ hostname,
+ typ=args['--ssh-key-type'])
+
 write_stockholm_1systems(ret,stockholm_dir)
 print_stockholm_krebs_entry(ret)
- if args["--create-passwords"]:
- create_passwords(host_secrets,["root",username])
+
+ log.info("The following files have been created on your behalf:")
+ for f in created: log.info(" "+f)
 if __name__ == '__main__':
 main()
-- 
cgit v1.2.3
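Review bot: the only call to create_zhosts_file is removed from main and nothing replaces it, so after this commit the krebs/Zhosts/<hostname> file is no longer written at all — yet the same commit adds `mark(path)` inside create_zhosts_file, which suggests the call was meant to stay. If dropping it is intended the commit message should say so; otherwise restore `create_zhosts_file(ret,path_join(stockholm_dir,"krebs/Zhosts",hostname))` before write_stockholm_1systems. The new closing summary (`for f in created: log.info(" "+f)`) runs only on the success path: the sys.exit(1) calls in prepare_secrets and generate_ssh_keys bypass it, so the files written before an abort are exactly the ones that are never listed; registering the summary with atexit, or wrapping main's body in try/finally, would cover that. The ssh-key branch also recomputes `path_join(secrets_dir,hostname)` although `host_secrets` is passed for what looks like the same directory two lines above (host_secrets is defined outside the hunk, so this is inferred); main starts outside the hunk.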