

ansible(base): git user in shithub group + passwd -d to clear locked state

Authored by espadonne
SHA
1fa0aaa8df20cbb99ece04dbdfb49fdedd17895b
Parents
7d2210f
Tree
f3d74e3

1 changed file

StatusFile+-
M deploy/ansible/roles/base/tasks/main.yml 20 6
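--- a/deploy/ansible/roles/base/tasks/main.yml
+++ b/deploy/ansible/roles/base/tasks/main.yml
@@ -66,12 +66,19 @@
     create_home: yes
 
 # The `git` user is the SSH login target sshd matches against in the
-# sshd_config Match-User-git block. Its shell can't be nologin (sshd
-# rejects), but the AuthorizedKeysCommand returns a key with a forced
-# `command=` prefix that overrides whatever a login shell would do.
-# /usr/bin/git-shell adds a second layer of constraint: even if the
-# AKC's command= is somehow bypassed, git-shell only allows git
-# commands.
+# sshd_config Match-User-git block. Three subtleties learned during
+# first-time enable:
+#
+#   1. Shell can't be nologin (sshd rejects) — git-shell is the right
+#      choice for defense-in-depth.
+#   2. `useradd --system` defaults to a LOCKED password (`!` in
+#      shadow); sshd refuses any auth (including pubkey) for locked
+#      accounts. `passwd -d` clears the password to NP (no password)
+#      which sshd accepts. With `PasswordAuthentication no` globally,
+#      no-password is fine — pubkey is the only path.
+#   3. ssh-shell (the AKC's forced command) needs to read
+#      /etc/shithub/web.env for SHITHUB_DATABASE_URL. Adding `git` to
+#      the `shithub` group + chmod g+r on web.env grants exactly that.
 - name: Ensure git-shell is installed (provided by `git` package, already a dep)
   command: which git-shell
   register: git_shell
@@ -84,6 +91,13 @@
     home: /var/lib/git
     shell: "{{ git_shell.stdout }}"
     create_home: yes
+    groups: ["{{ shithub_group }}"]
+    append: yes
+
+- name: System users — unlock git (sshd refuses locked accounts even for pubkey)
+  command: passwd -d git
+  register: passwd_d
+  changed_when: passwd_d.stdout is search('password changed')
 
 - name: Data root — create + own
   file: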
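Review bot: The `command: passwd -d git` task leaves the shadow password field empty rather than unusable, and the comment in the first hunk justifies that only for sshd (`PasswordAuthentication no`); local paths such as `su - git` or a console login go through PAM, where `pam_unix` configured with `nullok` accepts an empty password, so any local account could become `git` without a credential. A hash that no password can match but that sshd does not treat as locked avoids this: on Linux sshd's locked-account check looks for a leading `!`, and `*` is not matched, so the `user` task could carry `password: '*'` (the module documents `'!'`/`'*'` for disabled accounts) in place of the separate command task. That would also drop `changed_when: passwd_d.stdout is search('password changed')`, which I suspect reports changed on every run because shadow's `passwd -d` prints the same success message whether or not the field was already empty — worth confirming on the target distro. The `user` task this hunk extends begins outside the hunk.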