raijin-server 0.2.33__tar.gz → 0.2.34__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {raijin_server-0.2.33/src/raijin_server.egg-info → raijin_server-0.2.34}/PKG-INFO +1 -1
- {raijin_server-0.2.33 → raijin_server-0.2.34}/setup.cfg +1 -1
- raijin_server-0.2.34/src/raijin_server/__init__.py +5 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/ssh_hardening.py +42 -11
- {raijin_server-0.2.33 → raijin_server-0.2.34/src/raijin_server.egg-info}/PKG-INFO +1 -1
- raijin_server-0.2.33/src/raijin_server/__init__.py +0 -5
- {raijin_server-0.2.33 → raijin_server-0.2.34}/LICENSE +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/README.md +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/pyproject.toml +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/cli.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/config.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/healthchecks.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/module_manager.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/__init__.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/apokolips_demo.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/bootstrap.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/calico.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/cert_manager.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/essentials.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/firewall.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/full_install.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/grafana.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/hardening.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/harness.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/istio.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/kafka.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/kong.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/kubernetes.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/loki.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/metallb.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/minio.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/network.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/observability_dashboards.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/observability_ingress.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/prometheus.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/sanitize.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/secrets.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/traefik.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/velero.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/vpn.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/scripts/__init__.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/scripts/checklist.sh +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/scripts/install.sh +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/scripts/log_size_metric.sh +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/scripts/pre-deploy-check.sh +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/utils.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/validators.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server.egg-info/SOURCES.txt +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server.egg-info/dependency_links.txt +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server.egg-info/entry_points.txt +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server.egg-info/requires.txt +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server.egg-info/top_level.txt +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/tests/test_full_install_sequence.py +0 -0
- {raijin_server-0.2.33 → raijin_server-0.2.34}/tests/test_registry.py +0 -0
@@ -16,6 +16,19 @@ AUTHORIZED_KEYS_TEMPLATE = "# gerenciado pelo raijin-server\n{key}\n"
16
16
HARDCODED_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOolYckNjqXbvVORhQUz0oqxm/xnaAiLzzZAAVd7+f1Q rafaelluisdacostacoelho@gmail.com"
17
17
18
18
19
+
def _current_non_root_user() -> str | None:
20
+
sudo_user = os.environ.get("SUDO_USER")
21
+
if sudo_user and sudo_user != "root":
22
+
return sudo_user
23
+
try:
24
+
import getpass
25
+
26
+
who = getpass.getuser()
27
+
return who if who != "root" else None
28
+
except Exception:
29
+
return None
30
+
31
+
19
32
def _user_exists(username: str) -> bool:
20
33
try:
21
34
pwd.getpwnam(username)
@@ -50,8 +63,17 @@ def _write_authorized_keys(username: str, content: str, ctx: ExecutionContext) -
50
63
run_cmd(["chown", "-R", f"{username}:{username}", str(ssh_dir)], ctx)
51
64
52
65
66
+
def _default_pubkey_path() -> Path:
67
+
user = _current_non_root_user()
68
+
if user:
69
+
candidate = Path(f"/home/{user}/.ssh/authorized_keys")
70
+
if candidate.exists():
71
+
return candidate
72
+
return Path.home() / ".ssh/authorized_keys"
73
+
74
+
53
75
def _load_public_key(path_input: str) -> str:
54
-
#
76
+
# Forca o uso da chave hardcoded solicitada
55
77
return HARDCODED_PUBKEY
56
78
57
79
@@ -62,25 +84,34 @@ def run(ctx: ExecutionContext) -> None:
62
84
typer.echo("Hardening de SSH em andamento...")
63
85
apt_install(["openssh-server", "fail2ban"], ctx)
64
86
65
-
username = typer.prompt("Usuario administrativo para SSH", default="
87
+
username = typer.prompt("Usuario administrativo para SSH", default="thor")
66
88
ssh_port = typer.prompt("Porta SSH", default="22")
67
89
sudo_access = typer.confirm("Adicionar usuario ao grupo sudo?", default=True)
68
-
69
-
90
+
current_user = _current_non_root_user()
91
+
default_extra = current_user if current_user and current_user != username else ""
92
+
extra_users_raw = typer.prompt(
93
+
"Usuarios adicionais (serao criados se nao existirem, separados por espaco)",
94
+
default=default_extra,
70
95
).strip()
71
96
pubkey_path = typer.prompt(
72
97
"Arquivo com chave publica ou authorized_keys existente",
73
-
default=str(
98
+
default=str(_default_pubkey_path()),
74
99
)
75
100
76
101
public_key = _load_public_key(pubkey_path)
77
-
allow_users = " ".join(part for part in [username, extra_users] if part).strip()
78
-
79
-
_ensure_user(username, ctx)
80
-
if sudo_access:
81
-
run_cmd(["usermod", "-aG", "sudo", username], ctx)
82
102
83
-
103
+
extra_users = [u for u in extra_users_raw.split() if u]
104
+
target_users: list[str] = []
105
+
for u in [username, *extra_users]:
106
+
if u not in target_users:
107
+
target_users.append(u)
108
+
allow_users = " ".join(target_users)
109
+
110
+
for user in target_users:
111
+
_ensure_user(user, ctx)
112
+
if user == username and sudo_access:
113
+
run_cmd(["usermod", "-aG", "sudo", user], ctx)
114
+
_write_authorized_keys(user, public_key, ctx)
84
115
85
116
config = f"""
86
117
# Arquivo gerenciado pelo raijin-server
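Review bot: `_load_public_key` still discards `path_input` and returns `HARDCODED_PUBKEY` (hunk 2, new lines 76-77), so the file the operator is prompted for via `_default_pubkey_path()` is never read, and the new `for user in target_users` loop in hunk 3 installs that embedded third-party key into `authorized_keys` of every administrative and extra account, including accounts this run creates and the one it adds to `sudo`. Whether intentional or a leftover, a host "hardened" by this module ends up granting SSH access to whoever holds the private half of that key while the operator's own key is silently never installed; the function should read and validate the file at `path_input`, as below, and the constant should go. Separately, `_default_pubkey_path` guesses `/home/{user}`; `pwd.getpwnam(user).pw_dir`, with `pwd` already imported in this file, gives the real home directory.
```python
def _load_public_key(path_input: str) -> str:
    """Return the public key material found in *path_input*, one key per line."""
    path = Path(path_input).expanduser()
    if not path.is_file():
        raise FileNotFoundError(f"arquivo de chave publica nao encontrado: {path}")
    keys = [
        line.strip()
        for line in path.read_text(encoding="utf-8").splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]
    if not keys:
        raise ValueError(f"nenhuma chave publica valida em {path}")
    return "\n".join(keys)
```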
{raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/observability_dashboards.py
RENAMED
{raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server/modules/observability_ingress.py
RENAMED
{raijin_server-0.2.33 → raijin_server-0.2.34}/src/raijin_server.egg-info/dependency_links.txt
RENAMED