summaryrefslogtreecommitdiff
path: root/src/init
blob: d02c19a1b6fb7ccd3e3063325b2e84591c539536 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
#!/usr/bin/env fish

# load environment
source (dirname (status --current-filename))/env

#
#
# function definitions
#
#

function checkUser
	set -l user $argv[1]
	cat /etc/passwd | grep -q -E "^$user:"
	return $status
end

function createUser
	set -l userConfig (string split ':' $argv[1])
	set -l user $userConfig[1]
	set -l key $userConfig[2]
	checkUser "$user"; and return 0

	echo "Setting up user: $user"
	if [ "$user" = git ]
		echo "Error: User git is reserved"
		return 1
	end

	set -l HOME "/home/$user"
	# user is not restricted, this is done in ssh config with forceCommand
	# we need to be able to run a fish script to check for permissions
	adduser --home $HOME -D "$user"
	# add user to sudo group
	addgroup "$user" $_GIT_SUDO_GROUP
	# unlock account to allow ssh logins
	passwd -u "$user"
	mkdir "$HOME/.ssh"
	echo "$key" > "$HOME/.ssh/authorized_keys"
	chown -R $user "$HOME"
	chmod -R 700 "$HOME"
end

function setupGitUser
	checkUser "git"; and return 0
	echo "Setting up git user"
	# git user has read/write access to all repos, set git-shell
	# and no password login allowed -> no ssh login possible
	adduser git -u $GIT_UID -D --shell "/usr/bin/git-shell"
	# group that is allowed to sudo
	addgroup $_GIT_SUDO_GROUP
end

function setupRepo
	set -l repoConfig $argv[1]
	set -l parsedConfig (string split ':' $repoConfig)
	set -l repo $parsedConfig[1]

	# check repo name
	set -l matcher (string match -r -g "^$_REPO_VALIDATION_REGEX\$" $repo)
	if test -z $matcher[1]
		echo "Failed to setup repo, invalid path/name: $repo"
		return 1
	end

	# we assume all repos to be in /srv/repos
	set -l repoDir srv repos
	set repoDir /(string join -n '/' $repoDir (string split '/' $repo))
	echo "Setting up repo: $repo"

	# write user as allowed into permission file
	for user in $parsedConfig[2..]
		echo "$repoDir:$user" >> $_REPO_PERMISSIONS_FILE
	end

	# setup repo dir
	if not test -d $repoDir
		mkdir -p $repoDir
		git init --bare $repoDir -b trunk
	end
	chown -R git:git "$repoDir"
	chmod -R 700 "$repoDir"
end

function runSSHDaemon
	echo "Setting up server"
	
	# generate host keys in case
	mkdir -p /var/ssh/etc/ssh/ && ssh-keygen -A -f /var/ssh
	
	# run ssh daemon
	/usr/sbin/sshd -D -e
end

#
#
# main
#
#

argparse 'g/git-uid=?' 'u/user=+' 'r/repo=+' 'h/help' -- $argv
or exit 1;

if set -q _flag_h
	echo "Usage: $(status filename) [ OPTIONS ]..."
	echo -e ""
	echo -e "OPTIONS"
	echo -e "\t -h, --help \t\t Display this page"
	echo -e "\t -g, --git-uid \t\t UID of the git user that is used also as ownership for all repos"
	echo -e "\t -u, --user \t\t User setting in form of <user-name>:<public-key>"
	echo -e "\t -r, --repo \t\t Repo setting in form of <repo-path>:<allowed-user1>. You can add as many users as you want. Currently if a user is allowed he has all permissions read/write"
	echo -e ""
	return
end

# read variables
set -l users $_flag_u
for user in (set -n | string match -r "^USER_\S+")
	set users $users (eval echo \$$user)
end

set -l repos $_flag_r
for repo in (set -n | string match -r "^REPO_\S+")
	set repos $repos (eval echo \$$repo)
end

if set -q $_flag_g
	set GIT_UID $_flag_g
end

# Setup users
setupGitUser
for userConfig in $users
	createUser "$userConfig"
end

# Setup repos
echo > $_REPO_PERMISSIONS_FILE
for repoConfig in $repos
	setupRepo "$repoConfig"
end

# create writable log file for run script
touch $_LOG && chmod 777 $_LOG

runSSHDaemon