Compare commits
11 Commits
Author | SHA1 | Date | |
---|---|---|---|
bb8be95468 | |||
0b34242781 | |||
a4befbc911 | |||
949fc2e4fb | |||
940af82f84 | |||
8c232699c3 | |||
cb05047fed | |||
f0baee2d91 | |||
3eed323364 | |||
ee44662cd3 | |||
aacb9c9669 |
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
foodoord*.deb
|
55
README.md
55
README.md
|
@ -2,32 +2,29 @@
|
|||
|
||||
Das Schließsystem läuft auf einem RaspberryPi mit der Erweiterungsplatine "PiFaceDigitalIO".
|
||||
|
||||
##Software##
|
||||
|
||||
###Installation###
|
||||
<code>apt-get install python-pifacedigitalio </code>
|
||||
## Konfiguration
|
||||
|
||||
Um das Paket zu installieren muss die */etc/apt/sources.list* angepasst werden.
|
||||
Falls `/etc/foodoord.conf` nicht vorhanden ist:
|
||||
|
||||
<code>deb http://archive.raspbian.org/raspbian wheezy main contrib non-free rpi</code>
|
||||
* `mv /etc/foodoord.conf_example /etc/foodoord.conf`
|
||||
|
||||
<code>deb-src http://archive.raspbian.org/raspbian wheezy main contrib non-free rpi</code>
|
||||
|
||||
Wer apt-get benutzt, kann den Raspbian Pubkey zum keyring hinzufügen.
|
||||
|
||||
<code>wget http://archive.raspbian.org/raspbian.public.key -O - | sudo apt-key add -</code>
|
||||
1. Trage dort die API-Config für den Türstatus ein.
|
||||
2. Falls nicht schon beim Paketinstall geschehen, mit `systemctl enable --now foodoord@oben` oder `systemctl enable --now foodoord@unten` enablen und starten.
|
||||
|
||||
|
||||
|
||||
###Dateiliste###
|
||||
## Software
|
||||
|
||||
### Dateiliste
|
||||
|
||||
Der Deamon besteht aus folgenden Dateien.
|
||||
|
||||
* foodoor
|
||||
* foodoord
|
||||
* foodoord.conf
|
||||
* foodoord_initd
|
||||
* foodoor-ssh-wrapper
|
||||
* foodoor-update-keydb
|
||||
* foodoord@.service
|
||||
|
||||
Zusätzlich sollte für das git-repo eine Config angelegt werden:
|
||||
|
||||
|
@ -45,27 +42,34 @@ Das IdentityFile ist der Deploy-SSH-Key, der im [Repo](https://git.chaospott.de/
|
|||
## Schüssel
|
||||
|
||||
### Schlüsselupdate
|
||||
<pre><code>foodoor-update-keydb
|
||||
</code></pre>
|
||||
|
||||
`foodoor-update-keydb`
|
||||
Aktualisiert die die Schlüssel auf der Tür und baut die *Authorized_Keys* für die User *open* und *close*. Keys die nicht dem OpenSSH-Format mit 4096 bit entsprechen, werden ignoriert. Wenn das Script von Hand aufgerufen wird, werden die betroffenen Keys angezeigt. Über einen Cronjob werden die Keys alle **5 Min aktualisiert**.
|
||||
|
||||
###Schlüsselformate###
|
||||
### Schlüsselformate
|
||||
|
||||
Der foodoord akzeptiert nur Pub-Keys im *OpenSSH2-Format*. Keys lassen sich unter anderem mit OpenSSH oder PuTTygen erzeugen.
|
||||
|
||||
###OpenSSH####
|
||||
### OpenSSH
|
||||
|
||||
#### Keys generieren
|
||||
|
||||
* Mit `ssh-keygen -b 4096` lassen sich Keys generieren.
|
||||
* `ssh-add $Pfad_zum_Key` fügt den Key dem ssh-Agent hinzu. Die Option `ssh-add -l` zeigt geladene Keys an.
|
||||
* `ssh-kegen -l -f $Pfad_zum_Key ` gibt den Fingerprint und andere Informationen zurück.
|
||||
|
||||
####Keys generieren####
|
||||
* Mit <code>ssh-keygen -b 4096 </code> lassen sich Keys generieren.
|
||||
* <code>ssh-add $Pfad_zum_Key</code> fügt den Key dem ssh-Agent hinzu. Die Option <code>ssh-add -l</code> zeigt geladene Keys an.
|
||||
* <code>ssh-kegen -l -f $Pfad_zum_Key </code> gibt den Fingerprint und andere Informationen zurück.
|
||||
|
||||
####Keys konvertieren(PuTTy>OpenSSH):####
|
||||
* <code>ssh-keygen -i $Pfad_zum_Key > $Pfad_neuer_Pfad.pub</code> liest ssh2-kompatible Keys(RFC 4716) ein und speichert diese im OpenSSH-Format.
|
||||
|
||||
* `ssh-keygen -i $Pfad_zum_Key > $Pfad_neuer_Pfad.pub<` liest ssh2-kompatible Keys(RFC 4716) ein und speichert diese im OpenSSH-Format.
|
||||
|
||||
|
||||
###PuTTy###
|
||||
|
||||
Da die Tür nur Keys im OpenSSH-Format verträgt, dürfen auch mit Putty nur OpenSSH-Keys genutzt werden.
|
||||
|
||||
###Keys generieren (OpenSSH-Format mit PuttyGen):###
|
||||
|
||||
1. PuTTYgen öffnen
|
||||
2. Unten "Number of Bits in a generated Key:" 4096 eintippen
|
||||
3. "Generate" klicken um Key zu generieren
|
||||
|
@ -74,21 +78,28 @@ Da die Tür nur Keys im OpenSSH-Format verträgt, dürfen auch mit Putty nur Ope
|
|||
|
||||
Es ist zu beachten, dass Putty den PrivateKey im Putty-Format benötigt! Das heißt, falls der generierte Key vor dem Export nicht gespeichert wurde, muss der private Key noch konvertiert werden, siehe nächster Punkt!
|
||||
|
||||
|
||||
###Keys konvertieren(OpenSSH>PuTTy):###
|
||||
|
||||
1. PuTTYgen öffnen
|
||||
2. "Load" drücken
|
||||
3. OpenSSH-Key auswählen
|
||||
4. "Save Private-Key" drücken
|
||||
5. Speichern
|
||||
|
||||
|
||||
|
||||
##Hardware
|
||||
|
||||
### Input:
|
||||
|
||||
* ssh-login
|
||||
* Klingel
|
||||
* Statustaster
|
||||
|
||||
|
||||
### Output:
|
||||
|
||||
* Status LEDs
|
||||
* Summer
|
||||
* Keymatic
|
||||
|
|
3
build-package
Executable file
3
build-package
Executable file
|
@ -0,0 +1,3 @@
|
|||
#!/bin/bash
|
||||
VERSION=3.0.4
|
||||
dpkg-deb --root-owner-group -b debian foodoord_${VERSION}_all.deb
|
6
debian/DEBIAN/control
vendored
Executable file
6
debian/DEBIAN/control
vendored
Executable file
|
@ -0,0 +1,6 @@
|
|||
Package: foodoord
|
||||
Version: 3.0.4
|
||||
Maintainer: Bandie <bandie@chaospott.de>
|
||||
Architecture: all
|
||||
Description: Control the doors of the club, ja!
|
||||
Depends: dash, git, python3, pip, tmux
|
35
debian/DEBIAN/postinst
vendored
Executable file
35
debian/DEBIAN/postinst
vendored
Executable file
|
@ -0,0 +1,35 @@
|
|||
#!/bin/bash
|
||||
echo "Creating group and users.."
|
||||
groupadd foodoor
|
||||
useradd -M -d /var/lib/foodoor/close -G foodoor -s /bin/sh close
|
||||
useradd -M -d /var/lib/foodoor/open -G foodoor -s /bin/sh open
|
||||
useradd -M -d /var/lib/foodoor/door -G foodoor -s /bin/sh door
|
||||
|
||||
echo "Chown homes"
|
||||
for u in close open door; do
|
||||
groupadd ${u}
|
||||
chown ${u}:${u} /var/lib/foodoor/${u}
|
||||
done
|
||||
|
||||
echo "Chmod foodoor"
|
||||
chmod 755 /var/lib/foodoor
|
||||
|
||||
echo "Create /state"
|
||||
touch /state
|
||||
chown root:foodoor /state
|
||||
chmod 664 /state
|
||||
|
||||
echo "##################"
|
||||
while [ "$prompt" != "oben" -a "$prompt" != "unten" ]; do
|
||||
read -p "Sind wir oben oder unten? (oben, unten): " prompt
|
||||
done
|
||||
echo "##################"
|
||||
|
||||
echo "Installing dependencies via pip: pifacecommon pifacedigitalio"
|
||||
pip install pifacecommon pifacedigitalio
|
||||
|
||||
echo "Enabling and starting systemd-Services"
|
||||
systemctl daemon-reload
|
||||
systemctl enable foodoord@$prompt
|
||||
systemctl restart foodoord@$prompt
|
||||
systemctl status foodoord@$prompt
|
1
debian/etc/cron.d/foodoord
vendored
Executable file
1
debian/etc/cron.d/foodoord
vendored
Executable file
|
@ -0,0 +1 @@
|
|||
*/5 * * * * root [ -x /usr/sbin/foodoor-update-keydb ] && /usr/sbin/foodoor-update-keydb >/dev/null 2>&1
|
0
foodoord.conf → debian/etc/foodoord.conf_example
vendored
Normal file → Executable file
0
foodoord.conf → debian/etc/foodoord.conf_example
vendored
Normal file → Executable file
15
debian/etc/systemd/system/foodoord@.service
vendored
Executable file
15
debian/etc/systemd/system/foodoord@.service
vendored
Executable file
|
@ -0,0 +1,15 @@
|
|||
[Unit]
|
||||
Description=foodoord %i
|
||||
After=network-online.target
|
||||
Wants=network-online.target systemd-networkd-wait-online.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/sbin/foodoord_%i
|
||||
Restart=on-failure
|
||||
RestartSec=5s
|
||||
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
0
foodoor → debian/usr/sbin/foodoor
vendored
0
foodoor → debian/usr/sbin/foodoor
vendored
63
debian/usr/sbin/foodoor-update-keydb
vendored
Executable file
63
debian/usr/sbin/foodoor-update-keydb
vendored
Executable file
|
@ -0,0 +1,63 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
|
||||
|
||||
dest=/var/run/foodoor-keys
|
||||
temp_outfile="$dest.tmp"
|
||||
|
||||
|
||||
if [ ! -e "${dest}/.git/config" ]
|
||||
then
|
||||
#echo "Repo does not exist, trying to clone..."
|
||||
( cd /var/run && git clone --quiet --single-branch --depth=1 ssh://git.chaospott.de/Keyverwaltung/foodoor-keys.git "${dest}" )
|
||||
else
|
||||
#echo "Repo exists, updating..."
|
||||
( cd "${dest}" && git fetch --quiet && git merge --quiet origin/master master )
|
||||
fi
|
||||
|
||||
rm -f ${temp_outfile}
|
||||
find "${dest}/keys" -name '*.pub' | sort | \
|
||||
while read keyfile
|
||||
do
|
||||
ssh-keygen -l -f ${keyfile} &> /dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
valid=false
|
||||
keyinfo=$(ssh-keygen -l -f ${keyfile}) # The whole key information
|
||||
crypto=$(echo "${keyinfo}" | sed 's/.*(\(.*\))/\1/') # Looks like "RSA" or "ED25519"
|
||||
key_length=$(echo "${keyinfo}" | cut -d" " -f1)
|
||||
|
||||
if [ "${crypto}" == "RSA" ]; then
|
||||
|
||||
if [ ${key_length} -lt 4096 ]; then
|
||||
echo "Key size of key ${keyfile} not equal to 4096. Not adding it to key database." >&2
|
||||
continue
|
||||
else
|
||||
valid=true
|
||||
fi
|
||||
|
||||
elif [ "${crypto}" == "ED25519" ]; then
|
||||
valid=true
|
||||
fi
|
||||
|
||||
if [ "$valid" = true ]; then
|
||||
echo "command=\"/usr/sbin/foodoor \$action \",no-port-forwarding,no-X11-forwarding,no-agent-forwarding $(cat ${keyfile} | sed 's/\r//g') ${keyfile}" >> ${temp_outfile}
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
for appendix in open close door
|
||||
do
|
||||
action="$appendix"
|
||||
if [ "$appendix" = "door" ]; then
|
||||
action=""
|
||||
fi
|
||||
export action
|
||||
|
||||
outfile="${dest}/authorized_keys.${appendix}"
|
||||
cat ${temp_outfile} |envsubst > ${outfile}
|
||||
|
||||
# Oben und unten
|
||||
install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
|
||||
install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
|
||||
done
|
|
@ -1,83 +0,0 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
|
||||
|
||||
dest=/var/run/foodoor-keys
|
||||
temp_outfile="$dest.tmp"
|
||||
|
||||
|
||||
if [ ! -e "${dest}/.git/config" ]
|
||||
then
|
||||
#echo "Repo does not exist, trying to clone..."
|
||||
( cd /var/run && git clone --quiet --single-branch --depth=1 ssh://git.chaospott.de/Keyverwaltung/foodoor-keys.git "${dest}" )
|
||||
else
|
||||
#echo "Repo exists, updating..."
|
||||
( cd "${dest}" && git fetch --quiet && git merge --quiet origin/master master )
|
||||
fi
|
||||
|
||||
rm -f ${temp_outfile}
|
||||
find "${dest}/keys" -name '*.pub' | sort | \
|
||||
while read keyfile
|
||||
do
|
||||
ssh-keygen -l -f ${keyfile} &> /dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
valid=false
|
||||
keyinfo=$(ssh-keygen -l -f ${keyfile}) # The whole key information
|
||||
crypto=$(echo "${keyinfo}" | cut -d" " -f4) # Looks like "(RSA)" or "(ED25519)"
|
||||
key_length=$(echo "${keyinfo}" | cut -d" " -f1)
|
||||
|
||||
if [ "${crypto}" == "(RSA)" ]; then
|
||||
|
||||
if [ ${key_length} -lt 4096 ]; then
|
||||
echo "Key size of key ${keyfile} not equal to 4096. Not adding it to key database." >&2
|
||||
continue
|
||||
else
|
||||
valid=true
|
||||
fi
|
||||
|
||||
elif [ "${crypto}" == "(ED25519)" ]; then
|
||||
valid=true
|
||||
fi
|
||||
|
||||
if [ "$valid" = true ]; then
|
||||
echo "command=\"/usr/sbin/foodoor \$action \",no-port-forwarding,no-X11-forwarding,no-agent-forwarding $(cat ${keyfile})" >> ${temp_outfile}
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
for appendix in open close door
|
||||
do
|
||||
action="$appendix"
|
||||
if [ "$action" = "door" ]
|
||||
then
|
||||
action=""
|
||||
fi
|
||||
|
||||
export action
|
||||
outfile="${dest}/authorized_keys.${appendix}"
|
||||
cat ${temp_outfile} |envsubst > ${outfile}
|
||||
|
||||
# Oben
|
||||
if [ "$(hostname)" = "foodoor" ]; then
|
||||
install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
|
||||
install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
|
||||
fi
|
||||
|
||||
# Unten
|
||||
if [ "$(hostname)" = "kellertuer" ]; then
|
||||
if [ "${action}" = "open" ]; then
|
||||
owner="unlock"
|
||||
elif [ "${action}" = "close" ]; then
|
||||
owner="lock"
|
||||
fi
|
||||
install -d -o ${owner} -g nogroup -m 0700 /var/lib/foodoor/${action}/.ssh
|
||||
install -b -S .last -o ${owner} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${action}/.ssh/authorized_keys
|
||||
if [ "${appendix}" = "door" ]; then
|
||||
install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
|
||||
install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
done
|
155
foodoord_initd
155
foodoord_initd
|
@ -1,155 +0,0 @@
|
|||
#! /bin/sh
|
||||
### BEGIN INIT INFO
|
||||
# Provides: foodoor
|
||||
# Required-Start: $remote_fs $syslog
|
||||
# Required-Stop: $remote_fs $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: foodoor initscript
|
||||
# Description: Daemon to lock and unlock the foodoor
|
||||
### END INIT INFO
|
||||
|
||||
# Author: gammlaa <gammlaa@die-foobar.de>
|
||||
|
||||
# Do NOT "set -e"
|
||||
|
||||
# PATH should only include /usr/* if it runs after the mountnfs.sh script
|
||||
PATH=/sbin:/usr/sbin:/bin:/usr/bin
|
||||
DESC="foodoor daemon"
|
||||
NAME=foodoord
|
||||
DAEMON=/usr/sbin/$NAME
|
||||
#DAEMON_ARGS="--options args"
|
||||
PIDFILE=/var/run/$NAME.pid
|
||||
SCRIPTNAME=/etc/init.d/$NAME
|
||||
|
||||
# Exit if the package is not installed
|
||||
[ -x "$DAEMON" ] || exit 0
|
||||
|
||||
# Read configuration variable file if it is present
|
||||
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
|
||||
|
||||
# Load the VERBOSE setting and other rcS variables
|
||||
. /lib/init/vars.sh
|
||||
|
||||
# Define LSB log_* functions.
|
||||
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
|
||||
# and status_of_proc is working.
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
#
|
||||
# Function that starts the daemon/service
|
||||
#
|
||||
do_start()
|
||||
{
|
||||
# Return
|
||||
# 0 if daemon has been started
|
||||
# 1 if daemon was already running
|
||||
# 2 if daemon could not be started
|
||||
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|
||||
|| return 1
|
||||
start-stop-daemon --start --quiet --background --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \
|
||||
$DAEMON_ARGS \
|
||||
|| return 2
|
||||
# Add code here, if necessary, that waits for the process to be ready
|
||||
# to handle requests from services started subsequently which depend
|
||||
# on this one. As a last resort, sleep for some time.
|
||||
}
|
||||
|
||||
#
|
||||
# Function that stops the daemon/service
|
||||
#
|
||||
do_stop()
|
||||
{
|
||||
# Return
|
||||
# 0 if daemon has been stopped
|
||||
# 1 if daemon was already stopped
|
||||
# 2 if daemon could not be stopped
|
||||
# other if a failure occurred
|
||||
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name python2
|
||||
RETVAL="$?"
|
||||
[ "$RETVAL" = 2 ] && return 2
|
||||
# Wait for children to finish too if this is a daemon that forks
|
||||
# and if the daemon is only ever run from this initscript.
|
||||
# If the above conditions are not satisfied then add some other code
|
||||
# that waits for the process to drop all resources that could be
|
||||
# needed by services started subsequently. A last resort is to
|
||||
# sleep for some time.
|
||||
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --pidfile $PIDFILE --exec $DAEMON
|
||||
[ "$?" = 2 ] && return 2
|
||||
# Many daemons don't delete their pidfiles when they exit.
|
||||
rm -f $PIDFILE
|
||||
return "$RETVAL"
|
||||
}
|
||||
|
||||
#
|
||||
# Function that sends a SIGHUP to the daemon/service
|
||||
#
|
||||
do_reload() {
|
||||
#
|
||||
# If the daemon can reload its configuration without
|
||||
# restarting (for example, when it is sent a SIGHUP),
|
||||
# then implement that here.
|
||||
#
|
||||
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
|
||||
return 0
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
|
||||
do_start
|
||||
case "$?" in
|
||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||
esac
|
||||
;;
|
||||
stop)
|
||||
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
|
||||
do_stop
|
||||
case "$?" in
|
||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||
esac
|
||||
;;
|
||||
status)
|
||||
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
|
||||
;;
|
||||
#reload|force-reload)
|
||||
#
|
||||
# If do_reload() is not implemented then leave this commented out
|
||||
# and leave 'force-reload' as an alias for 'restart'.
|
||||
#
|
||||
#log_daemon_msg "Reloading $DESC" "$NAME"
|
||||
#do_reload
|
||||
#log_end_msg $?
|
||||
#;;
|
||||
restart|force-reload)
|
||||
#
|
||||
# If the "reload" option is implemented then remove the
|
||||
# 'force-reload' alias
|
||||
#
|
||||
log_daemon_msg "Restarting $DESC" "$NAME"
|
||||
do_stop
|
||||
case "$?" in
|
||||
0|1)
|
||||
do_start
|
||||
case "$?" in
|
||||
0) log_end_msg 0 ;;
|
||||
1) log_end_msg 1 ;; # Old process is still running
|
||||
*) log_end_msg 1 ;; # Failed to start
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
# Failed to stop
|
||||
log_end_msg 1
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
|
||||
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
|
||||
exit 3
|
||||
;;
|
||||
esac
|
||||
|
||||
:
|
Loading…
Reference in New Issue
Block a user