Nobreakspace
Ausstattung
Dienste
Chaotikum
Nobreakspace
Ausstattung
Dienste
Chaotikum
General:
Template:
Disks:
CPU:
Memory:
Network:
Also see: https://wiki.debian.org/LDAP/NSS#NSS_Setup_with_libnss-ldapd
$ apt-get update && apt-get dist-upgrade $ apt-get install libnss-ldapd borgbackup quota vim
nslcd config prompt (to /etc/nslcd.conf):
ldaps://ldap.chaotikum.net
libnss-ldapd config prompt (to /etc/nsswitch.conf):
Further configuration:
$ sed -i "s/#binddn.*$/binddn uid=proxmox,ou=services,dc=chaotikum,dc=org/" /etc/nslcd.conf $ sed -i "s/#bindpw.*$/bindpw <LDAP-BINDPW-HERE>/" /etc/nslcd.conf $ sed -i "s=#tls_cacertfile.*$=tls_cacertfile /etc/ssl/certs/ca-certificates.crt=" /etc/nslcd.conf [ ToDo: verify properly: ] $ echo "pam_authz_search memberOf=cn=freigeschaltet,ou=groups,dc=chaotikum,dc=org" >> /etc/nslcd.conf $ systemctl restart nslcd.service $ sed -i "s/#HOME_MODE.*/HOME_MODE\t0700/" /etc/login.defs $ pam-auth-update --enable mkhomedir $ groupadd --gid 2000 member [ Note/ToDo: this should instead, ideally come from LDAP? currently "getent group" with ldap for group /etc/nsswitch.conf would not show it though ]
$ cat /etc/ssh/sshd_config.d/borg-restrictions.conf Match Group member DisableForwarding yes PermitTTY no PermitUserRC no ForceCommand only borg ssh-add-authorized-keys
„only“ command adapted from:
https://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/
$ cat /usr/local/bin/only #!/bin/sh cmds="$@" set -- $SSH_ORIGINAL_COMMAND for allowed in $cmds; do if [ "$allowed" = "$1" ]; then cmd="$(echo $@ | sed -nf ~/.onlyrules)" if [ -z "$cmd" ]; then break fi eval exec "$cmd" fi done echo you may only $cmds, denied: $@ >&2 exit 1 $ chmod +x /usr/local/bin/only
Also contains storage quota, 250G can be adjusted here in /etc/skel or in ~/.onlyrules later:
$ cat /etc/skel/.onlyrules \:^ssh-add-authorized-keys$:p /^borg serve.*\-\-storage-quota/ s/.*//; /^borg serve.*/ s/$/ --storage-quota 250G/p
$ cat /usr/local/bin/ssh-add-authorized-keys #!/bin/sh [ ! -d "$HOME/.ssh" ] && mkdir -m700 "$HOME/.ssh" umask 0077 cat > "$HOME/.ssh/authorized_keys" $ chmod +x /usr/local/bin/ssh-add-authorized-keys
https://wiki.debian.org/UnattendedUpgrades
$ apt-get install unattended-upgrades apt-listchanges
/etc/apt/apt.conf.d/50unattended-upgrades
-> Unattended-Upgrade::Automatic-Reboot "true"; -> Unattended-Upgrade::Automatic-Reboot-Time "03:42";