Compare commits

...

11 Commits
v2 ... master

Author SHA1 Message Date
Bandie bb8be95468
Foodoor-Systemd-Service; Paketinstaller fragt nach oben/unten 2022-11-01 18:56:45 +01:00
Bandie 0b34242781
v3.0.3 2022-07-13 19:18:55 +02:00
Bandie a4befbc911
Update-keydb with comments and better Algo check 2022-07-13 19:16:48 +02:00
Bandie 949fc2e4fb
v3.0.2 2022-07-02 15:16:15 +02:00
Bandie 940af82f84
Get rid of Mac-Newlines 2022-07-02 15:06:11 +02:00
Bandie 8c232699c3
Dependencies! 2022-04-16 18:32:47 +02:00
Bandie cb05047fed
Script-Bugfixes, init.d 2022-04-15 18:49:40 +02:00
Bandie f0baee2d91
Have more information about the conf file 2022-04-15 18:24:03 +02:00
Bandie 3eed323364
Debian-Packaging 2022-04-15 18:17:58 +02:00
Bandie ee44662cd3
I deleted too much!11!! 2022-04-11 19:29:50 +02:00
Bandie aacb9c9669
Coding-Style; First floor and basement are now the same with the
authentication user
2022-04-11 18:47:42 +02:00
14 changed files with 160 additions and 263 deletions

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
foodoord*.deb

View File

@ -1,33 +1,30 @@
#foodoord
# foodoord
Das Schließsystem läuft auf einem RaspberryPi mit der Erweiterungsplatine "PiFaceDigitalIO".
##Software##
###Installation###
<code>apt-get install python-pifacedigitalio </code>
## Konfiguration
Um das Paket zu installieren muss die */etc/apt/sources.list* angepasst werden.
Falls `/etc/foodoord.conf` nicht vorhanden ist:
<code>deb http://archive.raspbian.org/raspbian wheezy main contrib non-free rpi</code>
* `mv /etc/foodoord.conf_example /etc/foodoord.conf`
<code>deb-src http://archive.raspbian.org/raspbian wheezy main contrib non-free rpi</code>
Wer apt-get benutzt, kann den Raspbian Pubkey zum keyring hinzufügen.
<code>wget http://archive.raspbian.org/raspbian.public.key -O - | sudo apt-key add -</code>
1. Trage dort die API-Config für den Türstatus ein.
2. Falls nicht schon beim Paketinstall geschehen, mit `systemctl enable --now foodoord@oben` oder `systemctl enable --now foodoord@unten` enablen und starten.
###Dateiliste###
## Software
### Dateiliste
Der Deamon besteht aus folgenden Dateien.
* foodoor
* foodoord
* foodoord.conf
* foodoord_initd
* foodoor-ssh-wrapper
* foodoor-update-keydb
* foodoord@.service
Zusätzlich sollte für das git-repo eine Config angelegt werden:
@ -42,30 +39,37 @@ Host git.chaospott.de
Das IdentityFile ist der Deploy-SSH-Key, der im [Repo](https://git.chaospott.de/Chaospott/foodoor-keys) hinterlegt ist.
##Schüssel
## Schüssel
###Schlüsselupdate
<pre><code>foodoor-update-keydb
</code></pre>
### Schlüsselupdate
`foodoor-update-keydb`
Aktualisiert die die Schlüssel auf der Tür und baut die *Authorized_Keys* für die User *open* und *close*. Keys die nicht dem OpenSSH-Format mit 4096 bit entsprechen, werden ignoriert. Wenn das Script von Hand aufgerufen wird, werden die betroffenen Keys angezeigt. Über einen Cronjob werden die Keys alle **5 Min aktualisiert**.
###Schlüsselformate###
### Schlüsselformate
Der foodoord akzeptiert nur Pub-Keys im *OpenSSH2-Format*. Keys lassen sich unter anderem mit OpenSSH oder PuTTygen erzeugen.
###OpenSSH####
### OpenSSH
#### Keys generieren
* Mit `ssh-keygen -b 4096` lassen sich Keys generieren.
* `ssh-add $Pfad_zum_Key` fügt den Key dem ssh-Agent hinzu. Die Option `ssh-add -l` zeigt geladene Keys an.
* `ssh-kegen -l -f $Pfad_zum_Key ` gibt den Fingerprint und andere Informationen zurück.
####Keys generieren####
* Mit <code>ssh-keygen -b 4096 </code> lassen sich Keys generieren.
* <code>ssh-add $Pfad_zum_Key</code> fügt den Key dem ssh-Agent hinzu. Die Option <code>ssh-add -l</code> zeigt geladene Keys an.
* <code>ssh-kegen -l -f $Pfad_zum_Key </code> gibt den Fingerprint und andere Informationen zurück.
####Keys konvertieren(PuTTy>OpenSSH):####
* <code>ssh-keygen -i $Pfad_zum_Key > $Pfad_neuer_Pfad.pub</code> liest ssh2-kompatible Keys(RFC 4716) ein und speichert diese im OpenSSH-Format.
* `ssh-keygen -i $Pfad_zum_Key > $Pfad_neuer_Pfad.pub<` liest ssh2-kompatible Keys(RFC 4716) ein und speichert diese im OpenSSH-Format.
###PuTTy###
Da die Tür nur Keys im OpenSSH-Format verträgt, dürfen auch mit Putty nur OpenSSH-Keys genutzt werden.
###Keys generieren (OpenSSH-Format mit PuttyGen):###
1. PuTTYgen öffnen
2. Unten "Number of Bits in a generated Key:" 4096 eintippen
3. "Generate" klicken um Key zu generieren
@ -74,21 +78,28 @@ Da die Tür nur Keys im OpenSSH-Format verträgt, dürfen auch mit Putty nur Ope
Es ist zu beachten, dass Putty den PrivateKey im Putty-Format benötigt! Das heißt, falls der generierte Key vor dem Export nicht gespeichert wurde, muss der private Key noch konvertiert werden, siehe nächster Punkt!
###Keys konvertieren(OpenSSH>PuTTy):###
1. PuTTYgen öffnen
2. "Load" drücken
3. OpenSSH-Key auswählen
4. "Save Private-Key" drücken
5. Speichern
##Hardware
### Input:
* ssh-login
* Klingel
* Statustaster
### Output:
* Status LEDs
* Summer
* Keymatic

3
build-package Executable file
View File

@ -0,0 +1,3 @@
#!/bin/bash
VERSION=3.0.4
dpkg-deb --root-owner-group -b debian foodoord_${VERSION}_all.deb

6
debian/DEBIAN/control vendored Executable file
View File

@ -0,0 +1,6 @@
Package: foodoord
Version: 3.0.4
Maintainer: Bandie <bandie@chaospott.de>
Architecture: all
Description: Control the doors of the club, ja!
Depends: dash, git, python3, pip, tmux

35
debian/DEBIAN/postinst vendored Executable file
View File

@ -0,0 +1,35 @@
#!/bin/bash
echo "Creating group and users.."
groupadd foodoor
useradd -M -d /var/lib/foodoor/close -G foodoor -s /bin/sh close
useradd -M -d /var/lib/foodoor/open -G foodoor -s /bin/sh open
useradd -M -d /var/lib/foodoor/door -G foodoor -s /bin/sh door
echo "Chown homes"
for u in close open door; do
groupadd ${u}
chown ${u}:${u} /var/lib/foodoor/${u}
done
echo "Chmod foodoor"
chmod 755 /var/lib/foodoor
echo "Create /state"
touch /state
chown root:foodoor /state
chmod 664 /state
echo "##################"
while [ "$prompt" != "oben" -a "$prompt" != "unten" ]; do
read -p "Sind wir oben oder unten? (oben, unten): " prompt
done
echo "##################"
echo "Installing dependencies via pip: pifacecommon pifacedigitalio"
pip install pifacecommon pifacedigitalio
echo "Enabling and starting systemd-Services"
systemctl daemon-reload
systemctl enable foodoord@$prompt
systemctl restart foodoord@$prompt
systemctl status foodoord@$prompt

1
debian/etc/cron.d/foodoord vendored Executable file
View File

@ -0,0 +1 @@
*/5 * * * * root [ -x /usr/sbin/foodoor-update-keydb ] && /usr/sbin/foodoor-update-keydb >/dev/null 2>&1

0
foodoord.conf → debian/etc/foodoord.conf_example vendored Normal file → Executable file
View File

15
debian/etc/systemd/system/foodoord@.service vendored Executable file
View File

@ -0,0 +1,15 @@
[Unit]
Description=foodoord %i
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Type=simple
ExecStart=/usr/sbin/foodoord_%i
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target

View File

63
debian/usr/sbin/foodoor-update-keydb vendored Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
set -e
export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
dest=/var/run/foodoor-keys
temp_outfile="$dest.tmp"
if [ ! -e "${dest}/.git/config" ]
then
#echo "Repo does not exist, trying to clone..."
( cd /var/run && git clone --quiet --single-branch --depth=1 ssh://git.chaospott.de/Keyverwaltung/foodoor-keys.git "${dest}" )
else
#echo "Repo exists, updating..."
( cd "${dest}" && git fetch --quiet && git merge --quiet origin/master master )
fi
rm -f ${temp_outfile}
find "${dest}/keys" -name '*.pub' | sort | \
while read keyfile
do
ssh-keygen -l -f ${keyfile} &> /dev/null
if [ $? -eq 0 ]; then
valid=false
keyinfo=$(ssh-keygen -l -f ${keyfile}) # The whole key information
crypto=$(echo "${keyinfo}" | sed 's/.*(\(.*\))/\1/') # Looks like "RSA" or "ED25519"
key_length=$(echo "${keyinfo}" | cut -d" " -f1)
if [ "${crypto}" == "RSA" ]; then
if [ ${key_length} -lt 4096 ]; then
echo "Key size of key ${keyfile} not equal to 4096. Not adding it to key database." >&2
continue
else
valid=true
fi
elif [ "${crypto}" == "ED25519" ]; then
valid=true
fi
if [ "$valid" = true ]; then
echo "command=\"/usr/sbin/foodoor \$action \",no-port-forwarding,no-X11-forwarding,no-agent-forwarding $(cat ${keyfile} | sed 's/\r//g') ${keyfile}" >> ${temp_outfile}
fi
fi
done
for appendix in open close door
do
action="$appendix"
if [ "$appendix" = "door" ]; then
action=""
fi
export action
outfile="${dest}/authorized_keys.${appendix}"
cat ${temp_outfile} |envsubst > ${outfile}
# Oben und unten
install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
done

View File

@ -1,83 +0,0 @@
#!/bin/bash
set -e
export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
dest=/var/run/foodoor-keys
temp_outfile="$dest.tmp"
if [ ! -e "${dest}/.git/config" ]
then
#echo "Repo does not exist, trying to clone..."
( cd /var/run && git clone --quiet --single-branch --depth=1 ssh://git.chaospott.de/Keyverwaltung/foodoor-keys.git "${dest}" )
else
#echo "Repo exists, updating..."
( cd "${dest}" && git fetch --quiet && git merge --quiet origin/master master )
fi
rm -f ${temp_outfile}
find "${dest}/keys" -name '*.pub' | sort | \
while read keyfile
do
ssh-keygen -l -f ${keyfile} &> /dev/null
if [ $? -eq 0 ]; then
valid=false
keyinfo=$(ssh-keygen -l -f ${keyfile}) # The whole key information
crypto=$(echo "${keyinfo}" | cut -d" " -f4) # Looks like "(RSA)" or "(ED25519)"
key_length=$(echo "${keyinfo}" | cut -d" " -f1)
if [ "${crypto}" == "(RSA)" ]; then
if [ ${key_length} -lt 4096 ]; then
echo "Key size of key ${keyfile} not equal to 4096. Not adding it to key database." >&2
continue
else
valid=true
fi
elif [ "${crypto}" == "(ED25519)" ]; then
valid=true
fi
if [ "$valid" = true ]; then
echo "command=\"/usr/sbin/foodoor \$action \",no-port-forwarding,no-X11-forwarding,no-agent-forwarding $(cat ${keyfile})" >> ${temp_outfile}
fi
fi
done
for appendix in open close door
do
action="$appendix"
if [ "$action" = "door" ]
then
action=""
fi
export action
outfile="${dest}/authorized_keys.${appendix}"
cat ${temp_outfile} |envsubst > ${outfile}
# Oben
if [ "$(hostname)" = "foodoor" ]; then
install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
fi
# Unten
if [ "$(hostname)" = "kellertuer" ]; then
if [ "${action}" = "open" ]; then
owner="unlock"
elif [ "${action}" = "close" ]; then
owner="lock"
fi
install -d -o ${owner} -g nogroup -m 0700 /var/lib/foodoor/${action}/.ssh
install -b -S .last -o ${owner} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${action}/.ssh/authorized_keys
if [ "${appendix}" = "door" ]; then
install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
fi
fi
done

View File

@ -1,155 +0,0 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: foodoor
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: foodoor initscript
# Description: Daemon to lock and unlock the foodoor
### END INIT INFO
# Author: gammlaa <gammlaa@die-foobar.de>
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="foodoor daemon"
NAME=foodoord
DAEMON=/usr/sbin/$NAME
#DAEMON_ARGS="--options args"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --background --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name python2
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --pidfile $PIDFILE --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
: