145 lines
6.0 KiB
Bash
145 lines
6.0 KiB
Bash
#!/bin/bash
|
|
# ansipa-smb-setup.sh — configure the Samba scan-results and LUKS-key shares on the IPA container.
|
|
#
|
|
# Runs on every container start via ansipa-smb.service so that smb.conf and
|
|
# Samba users are always in place after container restarts (ephemeral rootfs).
|
|
#
|
|
# Password sources (first match wins per variable):
|
|
# 1. Environment variable (first boot / explicit override)
|
|
# 2. /data/samba/ansipa-smb.env (persisted from first boot)
|
|
#
|
|
# Shares:
|
|
# ansipa-scans — write-only for 'scanupload'; clients push scan results here.
|
|
# ansipa-luks-keys — write-only for 'luks-upload' (Ansible controller);
|
|
# read for members of the 'KeyAdmin' Linux group.
|
|
# Add a Samba user to KeyAdmin to grant key-read access:
|
|
# useradd -r -G KeyAdmin <user>
|
|
# smbpasswd -a <user>
|
|
|
|
set -euo pipefail
|
|
|
|
LOG_TAG="ansipa-smb-setup"
|
|
SCAN_BASE="/data/scan-results"
|
|
LUKS_BASE="/data/luks-keys"
|
|
SMB_CONF="/etc/samba/smb.conf"
|
|
SMB_USER="scanupload"
|
|
LUKS_UPLOAD_USER="luks-upload"
|
|
KEYADMIN_GROUP="KeyAdmin"
|
|
ENV_FILE="/data/samba/ansipa-smb.env"
|
|
|
|
log() { echo "[$LOG_TAG] $*"; }
|
|
die() { echo "[$LOG_TAG][ERROR] $*" >&2; exit 1; }
|
|
|
|
# ── Resolve passwords ─────────────────────────────────────────────────────────
|
|
SMB_PASS="${SMB_SCAN_PASSWORD:-}"
|
|
LUKS_PASS="${LUKS_KEY_UPLOAD_PASSWORD:-}"
|
|
|
|
if [[ -f "$ENV_FILE" ]]; then
|
|
# shellcheck source=/dev/null
|
|
source "$ENV_FILE"
|
|
SMB_PASS="${SMB_SCAN_PASSWORD:-$SMB_PASS}"
|
|
LUKS_PASS="${LUKS_KEY_UPLOAD_PASSWORD:-$LUKS_PASS}"
|
|
fi
|
|
|
|
[[ -z "$SMB_PASS" ]] && die "SMB_SCAN_PASSWORD not set and $ENV_FILE not present. Set it in .env."
|
|
[[ -z "$LUKS_PASS" ]] && die "LUKS_KEY_UPLOAD_PASSWORD not set and $ENV_FILE not present. Set it in .env."
|
|
|
|
# ── Persist for subsequent restarts ──────────────────────────────────────────
|
|
mkdir -p "$(dirname "$ENV_FILE")"
|
|
{
|
|
printf 'SMB_SCAN_PASSWORD=%q\n' "$SMB_PASS"
|
|
printf 'LUKS_KEY_UPLOAD_PASSWORD=%q\n' "$LUKS_PASS"
|
|
} > "$ENV_FILE"
|
|
chmod 600 "$ENV_FILE"
|
|
|
|
# ── Directory structure (idempotent) ──────────────────────────────────────────
|
|
mkdir -p "$SCAN_BASE/archive" "$SCAN_BASE/alerts"
|
|
mkdir -p "$LUKS_BASE"
|
|
|
|
# ── KeyAdmin group ────────────────────────────────────────────────────────────
|
|
if ! getent group "$KEYADMIN_GROUP" &>/dev/null; then
|
|
groupadd -r "$KEYADMIN_GROUP"
|
|
log "Created group: $KEYADMIN_GROUP"
|
|
fi
|
|
|
|
# ── System users ──────────────────────────────────────────────────────────────
|
|
if ! id "$SMB_USER" &>/dev/null; then
|
|
useradd -r -s /sbin/nologin -d "$SCAN_BASE" -M "$SMB_USER"
|
|
log "Created system user: $SMB_USER"
|
|
fi
|
|
|
|
if ! id "$LUKS_UPLOAD_USER" &>/dev/null; then
|
|
useradd -r -s /sbin/nologin -d "$LUKS_BASE" -M -G "$KEYADMIN_GROUP" "$LUKS_UPLOAD_USER"
|
|
log "Created system user: $LUKS_UPLOAD_USER (member of $KEYADMIN_GROUP)"
|
|
else
|
|
# Ensure group membership is correct after container recreations
|
|
usermod -aG "$KEYADMIN_GROUP" "$LUKS_UPLOAD_USER"
|
|
fi
|
|
|
|
chown -R "$SMB_USER:$SMB_USER" "$SCAN_BASE"
|
|
chown -R "root:$KEYADMIN_GROUP" "$LUKS_BASE"
|
|
chmod 2750 "$LUKS_BASE" # setgid so new files inherit KeyAdmin group
|
|
|
|
# ── smb.conf ──────────────────────────────────────────────────────────────────
|
|
log "Writing $SMB_CONF"
|
|
cat > "$SMB_CONF" <<CONF
|
|
[global]
|
|
workgroup = WORKGROUP
|
|
server string = Ansipa Security Server
|
|
security = user
|
|
map to guest = never
|
|
# Store passdb on the persistent volume so passwords survive container restarts.
|
|
passdb backend = tdbsam:/data/samba/passdb.tdb
|
|
log file = /var/log/samba/log.%m
|
|
max log size = 50
|
|
# Disable printing subsystem entirely.
|
|
load printers = no
|
|
printing = bsd
|
|
printcap name = /dev/null
|
|
disable spoolss = yes
|
|
|
|
[ansipa-scans]
|
|
comment = Ansipa scan results — managed by ansipa-enforce-policies
|
|
path = $SCAN_BASE
|
|
valid users = $SMB_USER
|
|
read only = no
|
|
browseable = no
|
|
create mask = 0644
|
|
directory mask = 0755
|
|
force user = $SMB_USER
|
|
|
|
[ansipa-luks-keys]
|
|
comment = Ansipa LUKS backup keys — KeyAdmin read, luks-upload write only
|
|
path = $LUKS_BASE
|
|
valid users = @$KEYADMIN_GROUP
|
|
read only = yes
|
|
write list = $LUKS_UPLOAD_USER
|
|
browseable = no
|
|
create mask = 0640
|
|
directory mask = 0750
|
|
CONF
|
|
|
|
# ── Samba passwords (idempotent — smbpasswd -a adds or updates) ───────────────
|
|
_smb_set_pass() {
|
|
local user="$1" pass="$2"
|
|
log "Setting Samba password for $user"
|
|
printf '%s\n%s\n' "$pass" "$pass" | smbpasswd -a -s "$user" 2>/dev/null || \
|
|
printf '%s\n%s\n' "$pass" "$pass" | smbpasswd -s "$user" 2>/dev/null || \
|
|
log "WARN: smbpasswd returned non-zero for $user (may already be set correctly)"
|
|
}
|
|
|
|
_smb_set_pass "$SMB_USER" "$SMB_PASS"
|
|
_smb_set_pass "$LUKS_UPLOAD_USER" "$LUKS_PASS"
|
|
|
|
# ── Server-side scan checker cron (hourly, analysed on the IPA server itself) ─
|
|
# Always (re-)write: /etc/cron.d is on the ephemeral container layer and is
|
|
# lost on container recreation, so we must restore it on every start.
|
|
cat > /etc/cron.d/ansipa-check-scans <<'CRON'
|
|
# ansipa: analyze client scan logs and write alerts — managed, do not edit.
|
|
0 * * * * root /usr/local/sbin/ansipa-check-scans.sh 2>&1 | logger -t ansipa-check-scans
|
|
CRON
|
|
chmod 644 /etc/cron.d/ansipa-check-scans
|
|
log "Installed hourly scan-checker cron"
|
|
|
|
log "Samba setup complete. Share: //localhost/ansipa-scans user: $SMB_USER"
|