From a7b16357c0999e0a863ee80abde6af5f34f3a16d Mon Sep 17 00:00:00 2001
From: nicoo <nicoo@realraum.at>
Date: Wed, 16 May 2018 23:02:17 +0200
Subject: [PATCH] tuer: Add AuthorizedKeys script for tuerctl

---
 ansible/.gitignore                    |    2 +-
 ansible/files/tuer/authorized_keys.sh |   42 +++++++++++++++++++++++++++++++++
 ansible/tuer.yml                      |   10 ++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100755 ansible/files/tuer/authorized_keys.sh

diff --git a/ansible/.gitignore b/ansible/.gitignore
index d5e5f4b..f525999 100644
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -4,4 +4,4 @@
 *.retry
 .*.sw?
 /.cache/
-/files/
+/files/openwrt/
diff --git a/ansible/files/tuer/authorized_keys.sh b/ansible/files/tuer/authorized_keys.sh
new file mode 100755
index 0000000..359f9d6
--- /dev/null
+++ b/ansible/files/tuer/authorized_keys.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+# Copyright © 2018 nicoo <nicoo@realraum.at>
+# Distributed under the WTFPL v2
+#
+#         DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+#                     Version 2, December 2004
+#
+#  Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
+#
+#  Everyone is permitted to copy and distribute verbatim or modified
+#  copies of this license document, and changing it is allowed as long
+#  as the name is changed.
+#
+#             DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+#    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+#
+#   0. You just DO WHAT THE FUCK YOU WANT TO.
+
+# This script processes the tuergit repository located at KEYS_DIR
+# and outputs authorized_keys data for sshd.
+# It is meant to be used as an AuthorizedKeysCommand
+
+set -e
+
+KEYS_DIR=${KEYS_DIR:-'/var/tuer/keys.git'}
+KEYS_OPTIONS='no-port-forwarding'
+
+cd "${KEYS_DIR}"
+if git config hooks.keys_branch 2>/dev/null; then
+    KEYS_BRANCH="$(git config hooks.keys_branch)"
+else
+    KEYS_BRANCH="master"
+fi
+
+git show "${KEYS_BRANCH}:ssh/" |
+    while read user; do
+        [ -n "$user" ] || continue
+        git show "${KEYS_BRANCH}:ssh/${user}" |
+            while read key; do
+                echo "command=\"${user}\",${KEYS_OPTIONS}" "${key}"
+            done
+    done
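Review bot: The outer loop reads `git show "${KEYS_BRANCH}:ssh/"` as a bare file list, but `git show` on a tree prints a `tree master:ssh/` header line first, so the first iteration runs `git show "master:ssh/tree master:ssh/"` and writes a fatal error to sshd's log on every login; the branch lookup has the same shape of bug, since `git config hooks.keys_branch` used as the `if` test prints the value to stdout, which is then emitted as a bogus authorized_keys line. The entry name is also spliced unescaped into `command="${user}"`, which sshd runs through the tuerctl account's shell, so a file name containing `"`, `,` or shell metacharacters in the keys repository becomes extra key options or an arbitrary command as tuerctl — push access to the repository should mean "can open the door", not "can run anything as tuerctl" — and names should be whitelisted to `[A-Za-z0-9._-]`. `read` without `-r` additionally mangles backslashes in key comments, and an empty line in a key file yields a malformed `command=...` line. Finally `no-port-forwarding` alone still permits a pty, agent forwarding and `~/.ssh/rc`; if the forced command does not need a tty, the portable set is `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,no-user-rc` (or `restrict` on OpenSSH 7.2+).
```shell
cd "${KEYS_DIR}"
# `git config` prints the value on stdout, so it must not be the `if` test:
# the branch name would otherwise be emitted as a bogus authorized_keys line.
KEYS_BRANCH="$(git config hooks.keys_branch 2>/dev/null || echo master)"

# ls-tree yields "<mode> <type> <hash>\t<name>" with no header line, unlike
# `git show` on a tree; only blobs are key files.
git ls-tree "${KEYS_BRANCH}:ssh" |
    while read -r _mode type _hash user; do
        [ "$type" = blob ] || continue
        # The name is spliced into command="..." and run by tuerctl's shell:
        # reject anything that could close the quotes or be interpreted there.
        case "$user" in
            ''|*[!A-Za-z0-9._-]*) continue ;;
        esac
        git show "${KEYS_BRANCH}:ssh/${user}" |
            while read -r key; do
                [ -n "$key" ] || continue
                echo "command=\"${user}\",${KEYS_OPTIONS} ${key}"
            done
    done
```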
diff --git a/ansible/tuer.yml b/ansible/tuer.yml
index e061759..0d90890 100644
--- a/ansible/tuer.yml
+++ b/ansible/tuer.yml
@@ -78,6 +78,10 @@
             mode: 0755
             file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/update-keys/update-keys"
 
+          /usr/local/bin/authorized_keys.sh:
+            mode: 0755
+            file: "{{ playbook_dir }}/files/tuer/authorized_keys.sh"
+
           /etc/ssh/sshd_config:
             content: |-
               Port 22000
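Review bot: sshd refuses to run an AuthorizedKeysCommand unless the script and every directory on its path are owned by root and not group- or world-writable, and the new entry for `/usr/local/bin/authorized_keys.sh` pins only `mode: 0755`; if this file-deployment structure accepts an owner, add `owner: root` next to the mode, otherwise confirm that the playbook's default ownership is root. A wrong owner fails closed — tuerctl simply cannot log in — but the cause is only visible in the sshd log, so it is worth a comment such as `# sshd requires root ownership and no group/world write on AuthorizedKeysCommand` above the entry.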
@@ -91,6 +95,12 @@
               X11Forwarding no
               UsePrivilegeSeparation sandbox
 
+              Match User tuerctl
+                AuthorizedKeysFile /dev/null
+                AuthorizedKeysCommand /usr/local/bin/authorized_keys.sh
+                AuthorizedKeysCommandUser tuergit
+
+
           /etc/ssh/authorized_keys.d/root:
             content: |-
               {% for key in noc_ssh_keys %}
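Review bot: The `Match User tuerctl` block delegates all confinement of the tuerctl account to the forced command and the per-key options emitted by the script, which adds only `no-port-forwarding`; a belt-and-braces setting in sshd_config itself would be `AllowAgentForwarding no` and `PasswordAuthentication no` inside the Match block (plus `PermitTTY no` if the forced command needs no tty, and `PermitUserRC no` where the OpenSSH version supports it), so that a key entry with weaker options cannot widen what tuerctl can do and the global password-auth setting, which is outside this hunk, does not matter for this account. The `AuthorizedKeysCommandUser tuergit` account also needs read access to `/var/tuer/keys.git`, which nothing in this hunk grants — presumably handled elsewhere, but a line such as `# tuergit must be able to read /var/tuer/keys.git` above the Match block would document the dependency.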
-- 
1.7.10.4