summaryrefslogtreecommitdiff
path: root/src/init
blob: 61ab8a1b4e5053e60f5ed3e8f1751a8bfa2d3126 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
#!/usr/bin/env fish

#
#
# function definitions
#
#

set REPO_PERMISSIONS_FILE /etc/repo-permissions
set REPO_VALIDATION_REGEX "^((?:\/[a-zA-Z-]+)+.git)\$"

function createUser
	set -l userConfig (string split ':' $argv[1])
	set -l user $userConfig[1]
	set -l key $userConfig[2]
	echo "Setting up user: $user"
	if [ "$user" = git ]
		echo "Error: User git is reserved"
		return 1
	end

	set -l HOME "/home/$user"
	# user is not restricted, this is done in ssh config with forceCommand
	# we need to be able to run a fish script to check for permissions
	adduser --home $HOME -D "$user"
	# unlock account to allow ssh logins
	passwd -u "$user"
	mkdir "$HOME/.ssh"
	echo "$key" > "$HOME/.ssh/authorized_keys"
	chown -R $user "$HOME"
	chmod -R 700 "$HOME"
end

function setupRepo
	set -l repoConfig $argv[1]
	set -l parsedConfig (string split ':' $repoConfig)
	set -l repo $parsedConfig[1]

	# check repo name
	set -l matcher (string match -r -g $REPO_VALIDATION_REGEX $repo)
	if test -z $matcher[1]
		echo "Invalid repo name $repo"
		return 1
	end

	# we assume all repos to be in /srv/repos
	set -l repoDir srv repos
	set repoDir /(string join -n '/' $repoDir (string split '/' $repo))
	echo "Setting up repo: $repo"

	# write user as allowed into permission file
	for user in $parsedConfig[2..]
		echo "$repoDir:$user" >> $REPO_PERMISSIONS_FILE
	end

	# setup repo dir
	if not test -d $repoDir
		mkdir -p $repoDir
		git init --bare $repoDir -b trunk
	end
	chown -R git:git "$repoDir"
	chmod -R 700 "$repoDir"
end

#
#
# main
#
#

argparse 'g/git-uid=?' 'u/user=+' 'r/repo=+' 'h/help' -- $argv
or exit 1;

if set -q _flag_h
	echo "Usage: $(status filename) [ OPTIONS ]..."
	echo -e ""
	echo -e "OPTIONS"
	echo -e "\t -h, --help \t\t Display this page"
	echo -e "\t -g, --git-uid \t\t UID of the git user that is used also as ownership for all repos"
	echo -e "\t -u, --user \t\t User setting in form of <user-name>:<public-key>"
	echo -e "\t -r, --repo \t\t Repo setting in form of <repo-path>:<allowed-user1>. You can add as many users as you want. Currently if a user is allowed he has all permissions read/write"
	echo -e ""
	return
end

# read environment variables
set -l users $_flag_u
for user in (set -n | string match -r "^USER_\S+")
	set users $users (eval echo \$$user)
end

set -l repos $_flag_r
for repo in (set -n | string match -r "^REPO_\S+")
	set repos $repos (eval echo \$$repo)
end

if set -q $_flag_g
	set GIT_UID $_flag_g
end

# Setup users
# git user has read/write access to all repos, set git-shell
# and no password login allowed -> no ssh login possible
adduser git -u $GIT_UID -D --shell "/usr/bin/git-shell"
for userConfig in $users
	createUser "$userConfig"
end

# Setup repos
echo > $REPO_PERMISSIONS_FILE
for repoConfig in $repos
	setupRepo "$repoConfig"
end

echo "Setting up server"
# generate host keys in case
mkdir -p /var/ssh/etc/ssh/ && ssh-keygen -A -f /var/ssh
# run ssh daemon
/usr/sbin/sshd -D -e