Foodoor-Systemd-Service; Paketinstaller fragt nach oben/unten

authentication user

.gitignore

@@ -0,0 +1 @@
+foodoord*.deb

README.md

@@ -1,33 +1,30 @@
-#foodoord
+# foodoord
 
 Das Schließsystem läuft auf einem RaspberryPi mit der Erweiterungsplatine "PiFaceDigitalIO". 
 
-##Software##
 
-###Installation###
+## Konfiguration
-<code>apt-get install python-pifacedigitalio </code>
 
-Um das Paket zu installieren muss die */etc/apt/sources.list* angepasst werden.
+Falls `/etc/foodoord.conf` nicht vorhanden ist:
 
-<code>deb http://archive.raspbian.org/raspbian wheezy main contrib non-free rpi</code>
+* `mv /etc/foodoord.conf_example /etc/foodoord.conf`
 
-<code>deb-src http://archive.raspbian.org/raspbian wheezy main contrib non-free rpi</code>
+1. Trage dort die API-Config für den Türstatus ein.
-
+2. Falls nicht schon beim Paketinstall geschehen, mit `systemctl enable --now foodoord@oben` oder `systemctl enable --now foodoord@unten` enablen und starten.
-Wer apt-get benutzt, kann den Raspbian Pubkey zum keyring hinzufügen.
-
-<code>wget http://archive.raspbian.org/raspbian.public.key -O - | sudo apt-key add -</code>
 
 
 
-###Dateiliste###
+## Software
+
+### Dateiliste
+
 Der Deamon besteht aus folgenden Dateien.
 
 * foodoor
 * foodoord
 * foodoord.conf
-* foodoord_initd
-* foodoor-ssh-wrapper
 * foodoor-update-keydb
+* foodoord@.service
 
 Zusätzlich sollte für das git-repo eine Config angelegt werden: 
 
@@ -42,30 +39,37 @@ Host git.chaospott.de
 Das IdentityFile ist der Deploy-SSH-Key, der im [Repo](https://git.chaospott.de/Chaospott/foodoor-keys) hinterlegt ist.
 
 
-##Schüssel
+## Schüssel
 
-###Schlüsselupdate
+### Schlüsselupdate
-<pre><code>foodoor-update-keydb
+
-</code></pre>
+`foodoor-update-keydb`
 Aktualisiert die die Schlüssel auf der Tür und baut die *Authorized_Keys* für die User *open* und *close*. Keys die nicht dem OpenSSH-Format mit 4096 bit entsprechen, werden ignoriert. Wenn das Script von Hand aufgerufen wird, werden die betroffenen Keys angezeigt. Über einen Cronjob werden die Keys alle **5 Min aktualisiert**.
 
-###Schlüsselformate###
+### Schlüsselformate
+
 Der foodoord akzeptiert nur Pub-Keys im *OpenSSH2-Format*. Keys lassen sich unter anderem mit OpenSSH oder PuTTygen erzeugen.
 
-###OpenSSH####
+### OpenSSH
+
+#### Keys generieren
+
+* Mit `ssh-keygen -b 4096` lassen sich Keys generieren.
+* `ssh-add $Pfad_zum_Key` fügt den Key dem ssh-Agent hinzu. Die Option `ssh-add -l` zeigt geladene Keys an.
+* `ssh-kegen -l -f $Pfad_zum_Key ` gibt den Fingerprint und andere Informationen zurück.
 
-####Keys generieren####
-* Mit <code>ssh-keygen -b 4096 </code> lassen sich Keys generieren.
-* <code>ssh-add $Pfad_zum_Key</code> fügt den Key dem ssh-Agent hinzu. Die Option <code>ssh-add -l</code> zeigt geladene Keys an.
-* <code>ssh-kegen -l -f $Pfad_zum_Key </code> gibt den Fingerprint und andere Informationen zurück.
 
 ####Keys konvertieren(PuTTy>OpenSSH):####
-* <code>ssh-keygen -i $Pfad_zum_Key > $Pfad_neuer_Pfad.pub</code> liest ssh2-kompatible Keys(RFC 4716) ein und speichert diese im OpenSSH-Format.
+
+* `ssh-keygen -i $Pfad_zum_Key > $Pfad_neuer_Pfad.pub<` liest ssh2-kompatible Keys(RFC 4716) ein und speichert diese im OpenSSH-Format.
+
 
 ###PuTTy###
+
 Da die Tür nur Keys im OpenSSH-Format verträgt, dürfen auch mit Putty nur OpenSSH-Keys genutzt werden.
 
 ###Keys generieren (OpenSSH-Format mit PuttyGen):###
+
 1. PuTTYgen öffnen
 2. Unten "Number of Bits in a generated Key:" 4096 eintippen
 3. "Generate" klicken um Key zu generieren
@@ -74,21 +78,28 @@ Da die Tür nur Keys im OpenSSH-Format verträgt, dürfen auch mit Putty nur Ope
 
 Es ist zu beachten, dass Putty den PrivateKey im Putty-Format benötigt! Das heißt, falls der generierte Key vor dem Export nicht gespeichert wurde, muss der private Key noch konvertiert werden, siehe nächster Punkt!
 
+
 ###Keys konvertieren(OpenSSH>PuTTy):###
+
 1. PuTTYgen öffnen
 2. "Load" drücken
 3. OpenSSH-Key auswählen
 4. "Save Private-Key" drücken
 5. Speichern
 
+
+
 ##Hardware
 
 ### Input:
+
 * ssh-login
 * Klingel
 * Statustaster
 
+
 ### Output:
+
 * Status LEDs
 * Summer
 * Keymatic

build-package

@@ -0,0 +1,3 @@
+#!/bin/bash
+VERSION=3.0.4
+dpkg-deb --root-owner-group -b debian foodoord_${VERSION}_all.deb 

debian/DEBIAN/control

@@ -0,0 +1,6 @@
+Package: foodoord
+Version: 3.0.4
+Maintainer: Bandie <bandie@chaospott.de>
+Architecture: all
+Description: Control the doors of the club, ja!
+Depends: dash, git, python3, pip, tmux

debian/DEBIAN/postinst

@@ -0,0 +1,35 @@
+#!/bin/bash
+echo "Creating group and users.."
+groupadd foodoor
+useradd -M -d /var/lib/foodoor/close -G foodoor -s /bin/sh close
+useradd -M -d /var/lib/foodoor/open -G foodoor -s /bin/sh open
+useradd -M -d /var/lib/foodoor/door -G foodoor -s /bin/sh door
+
+echo "Chown homes"
+for u in close open door; do
+  groupadd ${u}
+  chown ${u}:${u} /var/lib/foodoor/${u}
+done
+
+echo "Chmod foodoor"
+chmod 755 /var/lib/foodoor
+
+echo "Create /state"
+touch /state
+chown root:foodoor /state
+chmod 664 /state
+
+echo "##################"
+while [ "$prompt" != "oben" -a "$prompt" != "unten" ]; do
+ read -p "Sind wir oben oder unten? (oben, unten): " prompt
+done
+echo "##################"
+
+echo "Installing dependencies via pip: pifacecommon pifacedigitalio"
+pip install pifacecommon pifacedigitalio
+
+echo "Enabling and starting systemd-Services"
+systemctl daemon-reload
+systemctl enable foodoord@$prompt
+systemctl restart foodoord@$prompt
+systemctl status foodoord@$prompt

debian/etc/cron.d/foodoord

@@ -0,0 +1 @@
+*/5 * * * * root [ -x /usr/sbin/foodoor-update-keydb ] && /usr/sbin/foodoor-update-keydb >/dev/null 2>&1

debian/etc/systemd/system/foodoord@.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=foodoord %i
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/foodoord_%i
+Restart=on-failure
+RestartSec=5s
+
+
+[Install]
+WantedBy=multi-user.target
+

debian/usr/sbin/foodoor-update-keydb

@@ -0,0 +1,63 @@
+#!/bin/bash
+set -e
+
+export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+
+dest=/var/run/foodoor-keys
+temp_outfile="$dest.tmp"
+
+
+if [ ! -e "${dest}/.git/config" ]
+then
+  #echo "Repo does not exist, trying to clone..."
+  ( cd /var/run && git clone --quiet --single-branch --depth=1 ssh://git.chaospott.de/Keyverwaltung/foodoor-keys.git "${dest}" )
+else
+  #echo "Repo exists, updating..."
+  ( cd "${dest}" && git fetch --quiet && git merge --quiet origin/master master )
+fi
+
+rm -f ${temp_outfile}
+  find "${dest}/keys" -name '*.pub' | sort | \
+    while read keyfile
+    do
+      ssh-keygen -l -f ${keyfile} &> /dev/null
+      if [ $? -eq 0 ]; then
+        valid=false
+        keyinfo=$(ssh-keygen -l -f ${keyfile}) # The whole key information
+        crypto=$(echo "${keyinfo}" | sed 's/.*(\(.*\))/\1/') # Looks like "RSA" or "ED25519"
+        key_length=$(echo "${keyinfo}" | cut -d" " -f1) 
+
+        if [ "${crypto}" == "RSA" ]; then
+
+          if [ ${key_length} -lt 4096 ]; then
+            echo "Key size of key ${keyfile} not equal to 4096. Not adding it to key database." >&2
+            continue
+          else
+            valid=true
+          fi
+
+        elif [ "${crypto}" == "ED25519" ]; then
+          valid=true
+        fi
+
+        if [ "$valid" = true ]; then
+          echo "command=\"/usr/sbin/foodoor \$action \",no-port-forwarding,no-X11-forwarding,no-agent-forwarding $(cat ${keyfile} | sed 's/\r//g') ${keyfile}" >> ${temp_outfile}
+        fi
+      fi
+    done
+
+for appendix in open close door
+do
+    action="$appendix"
+    if [ "$appendix" = "door" ]; then
+      action=""
+    fi
+    export action
+
+    outfile="${dest}/authorized_keys.${appendix}"
+    cat ${temp_outfile} |envsubst > ${outfile}
+  
+    # Oben und unten
+    install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
+    install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
+done

foodoor-update-keydb

@@ -1,83 +0,0 @@
-#!/bin/bash
-set -e
-
-export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
-
-dest=/var/run/foodoor-keys
-temp_outfile="$dest.tmp"
-
-
-if [ ! -e "${dest}/.git/config" ]
-then
-	#echo "Repo does not exist, trying to clone..."
-	( cd /var/run && git clone --quiet --single-branch --depth=1 ssh://git.chaospott.de/Keyverwaltung/foodoor-keys.git "${dest}" )
-else
-	#echo "Repo exists, updating..."
-	( cd "${dest}" && git fetch --quiet && git merge --quiet origin/master master )
-fi
-
-rm -f ${temp_outfile}
-	find "${dest}/keys" -name '*.pub' | sort | \
-		while read keyfile
-		do
-			ssh-keygen -l -f ${keyfile} &> /dev/null
-			if [ $? -eq 0 ]; then
-				valid=false
-				keyinfo=$(ssh-keygen -l -f ${keyfile}) # The whole key information
-				crypto=$(echo "${keyinfo}" | cut -d" " -f4) # Looks like "(RSA)" or "(ED25519)"
-				key_length=$(echo "${keyinfo}" | cut -d" " -f1) 
-
-				if [ "${crypto}" == "(RSA)" ]; then
-
-					if [ ${key_length} -lt 4096 ]; then
-						echo "Key size of key ${keyfile} not equal to 4096. Not adding it to key database." >&2
-						continue
-					else
-						valid=true
-					fi
-
-				elif [ "${crypto}" == "(ED25519)" ]; then
-					valid=true
-				fi
-
-				if [ "$valid" = true ]; then
-					echo "command=\"/usr/sbin/foodoor \$action \",no-port-forwarding,no-X11-forwarding,no-agent-forwarding $(cat ${keyfile})" >> ${temp_outfile}
-				fi
-			fi
-		done
-
-for appendix in open close door
-do
-    action="$appendix"
-    if [ "$action" = "door" ]
-    then
-        action=""
-    fi
-    
-    export action
-    outfile="${dest}/authorized_keys.${appendix}"
-    cat ${temp_outfile} |envsubst > ${outfile}
-	
-    # Oben
-    if [ "$(hostname)" = "foodoor" ]; then
-      install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
-      install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
-    fi
-
-    # Unten
-    if [ "$(hostname)" = "kellertuer" ]; then
-      if [ "${action}" = "open" ]; then
-        owner="unlock"
-      elif [ "${action}" = "close" ]; then
-        owner="lock"
-      fi
-      install -d -o ${owner} -g nogroup -m 0700 /var/lib/foodoor/${action}/.ssh
-      install -b -S .last -o ${owner} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${action}/.ssh/authorized_keys
-      if [ "${appendix}" = "door" ]; then
-        install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
-        install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
-      fi
-
-    fi
-
-done

foodoord_initd

@@ -1,155 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:          foodoor
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: foodoor initscript
-# Description:       Daemon to lock and unlock the foodoor
-### END INIT INFO
-
-# Author: gammlaa <gammlaa@die-foobar.de>
-
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/bin:/usr/bin
-DESC="foodoor daemon"
-NAME=foodoord
-DAEMON=/usr/sbin/$NAME
-#DAEMON_ARGS="--options args"
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/$NAME
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-	# Return
-	#   0 if daemon has been started
-	#   1 if daemon was already running
-	#   2 if daemon could not be started
-	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
-		|| return 1
-	start-stop-daemon --start --quiet --background --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \
-		$DAEMON_ARGS \
-		|| return 2
-	# Add code here, if necessary, that waits for the process to be ready
-	# to handle requests from services started subsequently which depend
-	# on this one.  As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-	# Return
-	#   0 if daemon has been stopped
-	#   1 if daemon was already stopped
-	#   2 if daemon could not be stopped
-	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name python2
-	RETVAL="$?"
-	[ "$RETVAL" = 2 ] && return 2
-	# Wait for children to finish too if this is a daemon that forks
-	# and if the daemon is only ever run from this initscript.
-	# If the above conditions are not satisfied then add some other code
-	# that waits for the process to drop all resources that could be
-	# needed by services started subsequently.  A last resort is to
-	# sleep for some time.
-	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --pidfile $PIDFILE --exec $DAEMON
-	[ "$?" = 2 ] && return 2
-	# Many daemons don't delete their pidfiles when they exit.
-	rm -f $PIDFILE
-	return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-	#
-	# If the daemon can reload its configuration without
-	# restarting (for example, when it is sent a SIGHUP),
-	# then implement that here.
-	#
-	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
-	return 0
-}
-
-case "$1" in
-  start)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-	do_start
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  stop)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-	do_stop
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  status)
-	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
-	;;
-  #reload|force-reload)
-	#
-	# If do_reload() is not implemented then leave this commented out
-	# and leave 'force-reload' as an alias for 'restart'.
-	#
-	#log_daemon_msg "Reloading $DESC" "$NAME"
-	#do_reload
-	#log_end_msg $?
-	#;;
-  restart|force-reload)
-	#
-	# If the "reload" option is implemented then remove the
-	# 'force-reload' alias
-	#
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	do_stop
-	case "$?" in
-	  0|1)
-		do_start
-		case "$?" in
-			0) log_end_msg 0 ;;
-			1) log_end_msg 1 ;; # Old process is still running
-			*) log_end_msg 1 ;; # Failed to start
-		esac
-		;;
-	  *)
-		# Failed to stop
-		log_end_msg 1
-		;;
-	esac
-	;;
-  *)
-	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
-	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
-	exit 3
-	;;
-esac
-
-: