From db2a1bf348b316265deef49daab9bcd16f552b1b Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Fri, 9 Jul 2021 00:08:48 +0200
Subject: [PATCH] Restrict the users on mail.a.o to the passwd command

The users are only meant as a way to change the mail password and setting up forwarding (~/.forward), the latter will be handled by the DevOps team now.
---
 playbooks/mail.archlinux.org.yml | 2 +-
 roles/archusers/templates/authorized_keys.j2 | 11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/playbooks/mail.archlinux.org.yml b/playbooks/mail.archlinux.org.yml
index 3055d8099..ee4dbc35f 100644
--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -15,7 +15,7 @@
 - { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] }
 - { role: unbound, unbound_port: 5353, tags: ["mail"] }
 - { role: postfwd, tags: ['mail'] }
- - { role: archusers }
+ - { role: archusers, archusers_ssh_options: 'command="/usr/bin/passwd",restrict,pty' }
 - { role: fail2ban }
 - { role: prometheus_exporters }
 - { role: promtail }
diff --git a/roles/archusers/templates/authorized_keys.j2 b/roles/archusers/templates/authorized_keys.j2
index 899175614..4908baf41 100644
--- a/roles/archusers/templates/authorized_keys.j2
+++ b/roles/archusers/templates/authorized_keys.j2
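Review bot: The `pty` in the new `archusers_ssh_options` value is load-bearing but undocumented: `restrict` disables PTY allocation along with port/agent/X11 forwarding and ~/.ssh/rc, and `passwd` needs a tty for its prompts, so a later "tightening" that drops `pty` would leave users unable to run the one command they are allowed. A YAML comment above the archusers entry would preserve that intent: `# restrict disables pty allocation; passwd needs a tty for its prompts, hence the explicit pty`. The enclosing roles list continues outside the hunk.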
@@ -1,9 +1,16 @@
 #jinja2: lstrip_blocks: True
-{{ lookup('file', '../pubkeys/' + item.value.ssh_key) }}
+{% set keys = [item.value.ssh_key] %}
 {% if item.value.additional_ssh_keys is defined %}
 {% for key in item.value.additional_ssh_keys %}
 {% if inventory_hostname in key.hosts or 'all' in key.hosts %}
-{{ lookup('file', '../pubkeys/' + key.name) }}
+ {{- keys.append(key.name) -}}
 {% endif %}
 {% endfor %}
 {% endif %}
+{% for key in keys %}
+ {% if archusers_ssh_options is defined %}
+{{ lookup('file', '../pubkeys/' + key) | regex_replace('(.*\S.*)', archusers_ssh_options + ' \\1') }}
+ {% else %}
+{{ lookup('file', '../pubkeys/' + key) }}
+ {% endif %}
+{% endfor %}
-- 
GitLab
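Review bot: `{{- keys.append(key.name) -}}` is an output expression, and `append` returns None; depending on how Ansible's Jinja environment finalizes None, this can leave a literal `None` line in authorized_keys for every additional key. sshd skips a line it cannot parse as options/key, so the likely effect is noise in the file rather than an unintended grant, but the usual idiom `{% set _ = keys.append(key.name) %}` emits nothing and removes the doubt. A second, minor point: `archusers_ssh_options` is spliced into the `regex_replace` replacement string, so a future value containing a backslash would be interpreted as an escape or backreference rather than copied literally; a comment next to the variable's definition noting that constraint would help the next person who extends the option list.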