
Crate signstar_configure_build


§Signstar configure build

A commandline tool to configure a Signstar system during build.

The tool reads a dedicated configuration file, derives system users and their system integration (home directories, tmpfiles.d entries and SSH access) from it, and creates them.

The signstar-configure-build executable must be run as root (this is checked by ensure_root).

§Documentation

§Configuration file

By default, signstar-configure-build reads the configuration file /usr/share/signstar/config.yaml and fails if that file is missing or invalid.

If they exist, the following configuration files are used instead, listed in increasing priority (the last existing one wins):

  • /run/signstar/config.yaml
  • /etc/signstar/config.yaml

Alternatively, signstar-configure-build can be pointed at a custom configuration file location using the --config/-c option.
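The precedence above is easy to get backwards (here /etc shadows /run, and an explicit --config path must not silently fall back to a system-wide file). The following is an added example that reimplements that lookup in plain Rust; it is not the crate's own code. The function and error names, and the injected `exists` callback used to make the logic testable without touching the real filesystem, are assumptions of this example.

```rust
use std::path::{Path, PathBuf};

/// Fallback configuration file; the tool fails if it is missing.
const DEFAULT_CONFIG: &str = "/usr/share/signstar/config.yaml";
/// Override locations in increasing priority: the last one that exists wins.
const OVERRIDE_CONFIGS: [&str; 2] = ["/run/signstar/config.yaml", "/etc/signstar/config.yaml"];

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    /// The selected configuration file does not exist.
    Missing(PathBuf),
}

/// Picks the configuration file following the precedence described on this page.
///
/// `explicit` carries the `--config`/`-c` value, if any. `exists` answers whether a path is
/// present; it is passed in so the precedence logic can be exercised without touching `/`.
pub fn resolve_config_path(
    explicit: Option<&Path>,
    exists: &dyn Fn(&Path) -> bool,
) -> Result<PathBuf, ConfigError> {
    // An explicit path wins outright but is never silently replaced: a typo in `-c` must
    // fail loudly rather than fall back to a system-wide file with different user mappings.
    if let Some(path) = explicit {
        return if exists(path) {
            Ok(path.to_path_buf())
        } else {
            Err(ConfigError::Missing(path.to_path_buf()))
        };
    }
    // Highest priority first, so /etc shadows /run.
    for candidate in OVERRIDE_CONFIGS.iter().rev().map(Path::new) {
        if exists(candidate) {
            return Ok(candidate.to_path_buf());
        }
    }
    let default = Path::new(DEFAULT_CONFIG);
    if exists(default) {
        Ok(default.to_path_buf())
    } else {
        Err(ConfigError::Missing(default.to_path_buf()))
    }
}

/// Lookup backed by the real filesystem, for use at runtime.
pub fn path_exists(path: &Path) -> bool {
    path.is_file()
}

fn main() {
    // Constructed example: pretend only /run/signstar/config.yaml and the default exist.
    let present = ["/run/signstar/config.yaml", "/usr/share/signstar/config.yaml"];
    let fake_fs = |p: &Path| present.iter().any(|s| Path::new(s) == p);
    println!("{:?}", resolve_config_path(None, &fake_fs));
    println!("{:?}", resolve_config_path(Some(Path::new("/tmp/custom.yaml")), &fake_fs));
    // The same lookup against the real filesystem.
    println!("{:?}", resolve_config_path(None, &path_exists));
}
```

The callback indirection is what lets the precedence rules be unit-tested with constructed sets of "present" files; the runtime caller simply passes `path_exists`.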

§System users

Based on configured user mappings in the configuration file, signstar-configure-build:

  • creates unlocked system users
    • without passphrase
    • with a home directory below /var/lib/signstar/home/ (but without creating it)
  • adds tmpfiles.d integration for each user, so that their home directory is created automatically
  • adds a dedicated authorized_keys file and an sshd_config drop-in for each configured user with SSH access; the drop-in sets a ForceCommand so that such a user can only run the command configured for them
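The following added example renders the three integration artifacts described above (tmpfiles.d entry, authorized_keys file, sshd_config drop-in with a ForceCommand) for one user mapping. It is illustration written for this page, not the crate's own implementation: the file locations under /etc/tmpfiles.d and /etc/ssh, the 0700 home directory mode, the `restrict` key option and the function and type names are all assumptions, and only the home directory base /var/lib/signstar/home/ comes from the page. The point it adds is input validation: the user name, force command and public keys end up verbatim in sshd configuration, so a value containing a line break could append further directives (for example a second `Match` block) and undo the restriction.

```rust
use std::fmt::Write as _;

/// Home directories live below this path; the user is created without the directory and
/// tmpfiles.d creates it (from the page).
const HOME_BASE: &str = "/var/lib/signstar/home";
/// Assumed locations for the generated files (the page does not state the crate's actual paths).
const TMPFILES_DIR: &str = "/etc/tmpfiles.d";
const SSHD_DROPIN_DIR: &str = "/etc/ssh/sshd_config.d";
const AUTHORIZED_KEYS_DIR: &str = "/etc/ssh/signstar";
/// Public key types accepted in the generated authorized_keys file.
const KEY_TYPES: [&str; 5] = [
    "ssh-ed25519",
    "ssh-rsa",
    "ecdsa-sha2-nistp256",
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
];

#[derive(Debug, PartialEq)]
pub enum IntegrationError {
    InvalidUserName(String),
    InvalidForceCommand(String),
    InvalidPublicKey(String),
}

/// The files that wire one system user into tmpfiles.d and sshd.
#[derive(Debug)]
pub struct UserIntegration {
    pub tmpfiles_path: String,
    pub tmpfiles_line: String,
    pub authorized_keys_path: String,
    pub authorized_keys: String,
    pub sshd_dropin_path: String,
    pub sshd_dropin: String,
}

/// Conservative user name check, a subset of what useradd accepts: `[a-z_][a-z0-9_-]{0,31}`.
/// Anything else could break the `Match User` line or the tmpfiles.d entry.
fn is_valid_user_name(name: &str) -> bool {
    let mut chars = name.chars();
    match chars.next() {
        Some(c) if c.is_ascii_lowercase() || c == '_' => {}
        _ => return false,
    }
    name.len() <= 32
        && chars.all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '_' || c == '-')
}

/// A non-empty value without control characters (no CR/LF), so it cannot smuggle extra
/// sshd directives into the drop-in.
fn is_single_line(value: &str) -> bool {
    !value.is_empty() && !value.chars().any(|c| c.is_control())
}

/// Requires `<known key type> <base64 blob> [comment]` on a single line.
fn is_valid_public_key(key: &str) -> bool {
    let mut fields = key.split_ascii_whitespace();
    is_single_line(key)
        && matches!((fields.next(), fields.next()), (Some(t), Some(_)) if KEY_TYPES.contains(&t))
}

pub fn render_integration(
    user: &str,
    force_command: &str,
    keys: &[&str],
) -> Result<UserIntegration, IntegrationError> {
    if !is_valid_user_name(user) {
        return Err(IntegrationError::InvalidUserName(user.to_string()));
    }
    if !is_single_line(force_command) {
        return Err(IntegrationError::InvalidForceCommand(force_command.to_string()));
    }
    let authorized_keys_path = format!("{AUTHORIZED_KEYS_DIR}/{user}.authorized_keys");
    let mut authorized_keys = String::new();
    for key in keys {
        if !is_valid_public_key(key) {
            return Err(IntegrationError::InvalidPublicKey(key.to_string()));
        }
        // `restrict` disables forwarding and PTY allocation on top of the ForceCommand below
        // (defence in depth added by this example; the page does not say Signstar does this).
        writeln!(authorized_keys, "restrict {key}").unwrap();
    }
    let mut sshd_dropin = String::new();
    writeln!(sshd_dropin, "# Generated for Signstar user {user}").unwrap();
    writeln!(sshd_dropin, "Match User {user}").unwrap();
    writeln!(sshd_dropin, "    AuthorizedKeysFile {authorized_keys_path}").unwrap();
    writeln!(sshd_dropin, "    ForceCommand {force_command}").unwrap();
    Ok(UserIntegration {
        tmpfiles_path: format!("{TMPFILES_DIR}/signstar-user-{user}.conf"),
        // systemd-tmpfiles "d" line: create the home directory owned by the user, mode 0700.
        tmpfiles_line: format!("d {HOME_BASE}/{user} 0700 {user} {user} -"),
        authorized_keys_path,
        authorized_keys,
        sshd_dropin_path: format!("{SSHD_DROPIN_DIR}/signstar-{user}.conf"),
        sshd_dropin,
    })
}

fn main() {
    // Constructed input: one signing user whose only permitted action is a signing helper.
    let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBytesOnlyForIllustration signer@host";
    match render_integration("signer", "/usr/bin/signstar-sign", &[key]) {
        Ok(i) => {
            println!("{}: {}", i.tmpfiles_path, i.tmpfiles_line);
            print!("{}:\n{}", i.sshd_dropin_path, i.sshd_dropin);
        }
        Err(e) => eprintln!("invalid user mapping: {e:?}"),
    }
}
```

Writing the rendered strings to disk (and running `systemd-tmpfiles --create` and reloading sshd afterwards) is left to the caller; keeping rendering and validation pure makes the rejection cases straightforward to test.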

§Examples

Assuming a valid configuration file in one of the understood configuration file locations, the executable is called without any options:

signstar-configure-build

§Features

  • _yubihsm2-mockhsm: Test environment using a virtual YubiHSM2 (currently this feature merely implies the yubihsm2 feature). NOTE: Unless you are developing this crate, you will very likely not want to use this feature. WARNING: This feature requires building in debug mode (see signstar#288)!
  • yubihsm2: For YubiHSM2 support.

§Contributing

Please refer to the contributing guidelines to learn how to contribute to this project.

§License

This project may be used under the terms of the Apache-2.0 or MIT license.

Changes to this project - unless stated otherwise - automatically fall under the terms of both of the aforementioned licenses.

Modules§

cli
Command line interface handling for the “signstar-configure-build” executable.
impl_any 🔒
Specific implementations for when any of the HSM backends are compiled in.

Structs§

ConfigPath
The configuration file path for the application.

Enums§

Error
The error that may occur when using the “signstar-configure-build” executable.
SshForceCommand
A command enforced for a user connecting over SSH.

Functions§

add_ssh_integration 🔒
Adds the SSH integration for a specific Unix user.
add_tmpfilesd_integration 🔒
Adds tmpfiles.d integration for a user.
add_user_and_home 🔒
Adds a specific Unix user and its home, if it does not exist yet.
create_system_users
Creates system users and their integration.
ensure_root
Checks whether the current process is run by root.