authorDevaev Maxim <[email protected]>2019-05-10 14:36:28 +0300
committerDevaev Maxim <[email protected]>2019-05-10 14:36:28 +0300
commit18fa69b77973b5db970797edc1f627e67904606e (patch)
treea117ca5329ec841e47dab0771a818b49c3ff8f06
parent03c3caa35eeef059c950874fb291d6ee78d55568 (diff)
improved users/groups
-rw-r--r--.dockerignore1
-rw-r--r--Makefile6
-rw-r--r--PKGBUILD6
-rw-r--r--configs/kvmd/main/v1-hdmi.yaml6
-rw-r--r--configs/kvmd/main/v1-vga.yaml6
-rw-r--r--configs/nginx/nginx.conf5
-rw-r--r--configs/os/systemd/kvmd-ipmi.service6
-rw-r--r--configs/os/systemd/kvmd-nginx.service6
-rw-r--r--configs/os/systemd/kvmd-tc358743.service2
-rw-r--r--configs/os/systemd/kvmd.service2
-rw-r--r--configs/os/tmpfiles.conf1
-rw-r--r--kvmd.install37
-rwxr-xr-xscripts/kvmd-gencert2
-rw-r--r--testenv/Dockerfile1
-rw-r--r--testenv/main.yaml6
15 files changed, 56 insertions, 37 deletions
diff --git a/.dockerignore b/.dockerignore
index c4c723c2..d2d289e0 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -4,6 +4,7 @@
/build/
/dist/
/kvmd.egg-info/
+/testenv/run/
/testenv/.tox/
/testenv/.mypy_cache/
/.git/
diff --git a/Makefile b/Makefile
index 88ee9059..a35118ac 100644
--- a/Makefile
+++ b/Makefile
@@ -50,7 +50,7 @@ tox: testenv
run: testenv
sudo modprobe loop
- docker run --rm --name kvmd \
- --volume `pwd`/testenv/run:/run:rw \
+ --volume `pwd`/testenv/run:/run/kvmd:rw \
--volume `pwd`/testenv:/testenv:ro \
--volume `pwd`/kvmd:/kvmd:ro \
--volume `pwd`/web:/usr/share/kvmd/web:ro \
@@ -65,7 +65,7 @@ run: testenv
&& cp /usr/share/kvmd/configs.default/kvmd/*.yaml /etc/kvmd \
&& cp /usr/share/kvmd/configs.default/kvmd/*passwd /etc/kvmd \
&& cp /testenv/main.yaml /etc/kvmd \
- && nginx -c /etc/kvmd/nginx/nginx.conf \
+ && nginx -c /etc/kvmd/nginx/nginx.conf -g 'user http; error_log stderr;' \
&& ln -s $(TESTENV_VIDEO) /dev/kvmd-video \
&& (losetup -d /dev/kvmd-msd || true) \
&& losetup /dev/kvmd-msd /root/loop.img \
@@ -76,7 +76,7 @@ run: testenv
run-ipmi: testenv
- docker run --rm --name kvmd-ipmi \
- --volume `pwd`/testenv/run:/run:rw \
+ --volume `pwd`/testenv/run:/run/kvmd:rw \
--volume `pwd`/testenv:/testenv:ro \
--volume `pwd`/kvmd:/kvmd:ro \
--volume `pwd`/configs:/usr/share/kvmd/configs.default:ro \
diff --git a/PKGBUILD b/PKGBUILD
index 3b78b0c5..fdbe627d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -65,6 +65,7 @@ package_kvmd() {
mkdir -p "$pkgdir/usr/lib/systemd/system"
cp configs/os/systemd/*.service "$pkgdir/usr/lib/systemd/system"
+ cp configs/os/tmpfiles.conf "$pkgdir/usr/lib/tmpfiles.d/kvmd.conf"
mkdir -p "$pkgdir/usr/share/kvmd"
cp -r web "$pkgdir/usr/share/kvmd"
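Review bot: The added `cp configs/os/tmpfiles.conf "$pkgdir/usr/lib/tmpfiles.d/kvmd.conf"` writes into a directory this hunk never creates; the only `mkdir -p` above it is for `usr/lib/systemd/system`. Unless `tmpfiles.d` is created earlier in package_kvmd() (the function starts outside the hunk), the copy fails with "No such file or directory" and makepkg aborts. Add `mkdir -p "$pkgdir/usr/lib/tmpfiles.d"` immediately before the `cp`, mirroring the systemd line.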
@@ -78,7 +79,7 @@ package_kvmd() {
find "$pkgdir" -name ".gitignore" -delete
sed -i -e "s/^#PROD//g" "$_cfgdir/nginx/nginx.conf"
find "$_cfgdir" -type f -exec chmod 444 '{}' \;
- chmod 440 "$_cfgdir/kvmd"/*passwd
+ chmod 400 "$_cfgdir/kvmd"/*passwd
mkdir -p "$pkgdir/etc/kvmd/nginx/ssl"
chmod 750 "$pkgdir/etc/kvmd/nginx/ssl"
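Review bot: `chmod 400 "$_cfgdir/kvmd"/*passwd` here is undone two hunks later by `chmod 600 "$_cfgdir/kvmd/"*passwd` on the very same files, so the 400 never reaches the package. Since that later line sits directly after the copy into `$pkgdir/etc/kvmd`, it reads as if it was meant for the copies: `chmod 600 "$pkgdir/etc/kvmd/"*passwd`, leaving the read-only defaults at 400. Without that, the `/etc/kvmd` copies made by plain `cp` typically inherit the source mode (400) and only become 600 once post_install's chmod runs. package_kvmd() extends beyond both hunks.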
@@ -87,7 +88,8 @@ package_kvmd() {
done
rm "$pkgdir/etc/kvmd"/{auth.yaml,meta.yaml}
cp "$_cfgdir/kvmd"/{auth.yaml,meta.yaml} "$pkgdir/etc/kvmd"
- cp -a "$_cfgdir/kvmd/"*passwd "$pkgdir/etc/kvmd"
+ cp "$_cfgdir/kvmd/"*passwd "$pkgdir/etc/kvmd"
+ chmod 600 "$_cfgdir/kvmd/"*passwd
for path in "$_cfgdir/nginx"/*.conf; do
ln -sf "/usr/share/kvmd/configs.default/nginx/`basename $path`" "$pkgdir/etc/kvmd/nginx"
done
diff --git a/configs/kvmd/main/v1-hdmi.yaml b/configs/kvmd/main/v1-hdmi.yaml
index 64dfbffb..f3403eca 100644
--- a/configs/kvmd/main/v1-hdmi.yaml
+++ b/configs/kvmd/main/v1-hdmi.yaml
@@ -5,7 +5,7 @@ logging: !include logging.yaml
kvmd:
server:
- unix: /run/kvmd.sock
+ unix: /run/kvmd/kvmd.sock
unix_rm: true
unix_mode: 0660
@@ -27,7 +27,7 @@ kvmd:
device: /dev/kvmd-msd
streamer:
- unix: /run/ustreamer.sock
+ unix: /run/kvmd/ustreamer.sock
cmd:
- "/usr/bin/ustreamer"
- "--device=/dev/kvmd-video"
@@ -45,4 +45,4 @@ kvmd:
ipmi:
kvmd:
- unix: /run/kvmd.sock
+ unix: /run/kvmd/kvmd.sock
diff --git a/configs/kvmd/main/v1-vga.yaml b/configs/kvmd/main/v1-vga.yaml
index 0ace92e0..80e82bb9 100644
--- a/configs/kvmd/main/v1-vga.yaml
+++ b/configs/kvmd/main/v1-vga.yaml
@@ -5,7 +5,7 @@ logging: !include logging.yaml
kvmd:
server:
- unix: /run/kvmd.sock
+ unix: /run/kvmd/kvmd.sock
unix_rm: true
unix_mode: 0660
@@ -30,7 +30,7 @@ kvmd:
cap_pin: 17
conv_pin: 18
init_restart_after: 1
- unix: /run/ustreamer.sock
+ unix: /run/kvmd/ustreamer.sock
cmd:
- "/usr/bin/ustreamer"
- "--device=/dev/kvmd-video"
@@ -49,4 +49,4 @@ kvmd:
ipmi:
kvmd:
- unix: /run/kvmd.sock
+ unix: /run/kvmd/kvmd.sock
diff --git a/configs/nginx/nginx.conf b/configs/nginx/nginx.conf
index 7246f1e3..9984d686 100644
--- a/configs/nginx/nginx.conf
+++ b/configs/nginx/nginx.conf
@@ -1,4 +1,3 @@
-user kvmd-nginx;
worker_processes 4;
# error_log /tmp/kvmd-nginx.error.log;
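Review bot: With `user kvmd-nginx;` removed, nothing in this file says which account the workers drop to; that now lives only in the `-g` string of kvmd-nginx.service (next to `pid`), while the Makefile's testenv passes a different `user http;`. A header comment would stop the next reader from re-adding the directive or running the config standalone under nginx's compiled-in default user: `# 'user' and 'pid' are intentionally absent: kvmd-nginx.service injects them via nginx -g`.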
@@ -35,11 +34,11 @@ http {
uwsgi_temp_path /tmp/kvmd-nginx.uwsgi_temp;
upstream kvmd {
- server unix:/run/kvmd.sock fail_timeout=0s max_fails=0;
+ server unix:/run/kvmd/kvmd.sock fail_timeout=0s max_fails=0;
}
upstream ustreamer {
- server unix:/run/ustreamer.sock fail_timeout=0s max_fails=0;
+ server unix:/run/kvmd/ustreamer.sock fail_timeout=0s max_fails=0;
}
include /usr/share/kvmd/extras/*/nginx.ctx-http.conf;
diff --git a/configs/os/systemd/kvmd-ipmi.service b/configs/os/systemd/kvmd-ipmi.service
index ee28f923..bdbbdfc8 100644
--- a/configs/os/systemd/kvmd-ipmi.service
+++ b/configs/os/systemd/kvmd-ipmi.service
@@ -1,10 +1,10 @@
[Unit]
-Description=IPMI to KVMD proxy
+Description=Pi-KVM - IPMI to KVMD proxy
After=kvmd.service
[Service]
-User=kvmd
-Group=kvmd
+User=kvmd-ipmi
+Group=kvmd-ipmi
Type=simple
Restart=always
RestartSec=3
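Review bot: Switching User/Group to the new dedicated `kvmd-ipmi` account is the right direction, but the unit still carries no sandboxing, unlike kvmd-nginx.service's `PrivateDevices=yes` in this same commit. Since the proxy now runs unprivileged and only needs the socket in /run/kvmd plus /etc/kvmd/ipmipasswd (chowned to it in kvmd.install), adding `NoNewPrivileges=yes` and `PrivateDevices=yes` next to the new User/Group lines costs nothing and limits what a compromised proxy can reach. The rest of the [Service] section continues outside the hunk.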
diff --git a/configs/os/systemd/kvmd-nginx.service b/configs/os/systemd/kvmd-nginx.service
index 6b318598..6da9fc1d 100644
--- a/configs/os/systemd/kvmd-nginx.service
+++ b/configs/os/systemd/kvmd-nginx.service
@@ -1,14 +1,14 @@
[Unit]
-Description=Nginx instance for KVMD
+Description=Pi-KVM - HTTP entrypoint
After=network.target network-online.target nss-lookup.target kvmd.service
[Service]
Type=forking
-PIDFile=/run/kvmd-nginx.pid
+PIDFile=/run/kvmd/nginx.pid
PrivateDevices=yes
SyslogLevel=err
-ExecStart=/usr/bin/nginx -p /etc/kvmd/nginx -c /etc/kvmd/nginx/nginx.conf -g 'pid /run/kvmd-nginx.pid; error_log stderr;'
+ExecStart=/usr/bin/nginx -p /etc/kvmd/nginx -c /etc/kvmd/nginx/nginx.conf -g 'pid /run/kvmd/nginx.pid; user kvmd-nginx; error_log stderr;'
ExecReload=/usr/bin/nginx -s reload -p /etc/kvmd/nginx -c /etc/kvmd/nginx/nginx.conf
KillSignal=SIGQUIT
KillMode=mixed
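Review bot: ExecStart now names the pid file through `-g 'pid /run/kvmd/nginx.pid; …'`, but ExecReload directly below it passes no `-g`, so `nginx -s reload` resolves the pid path from the config alone; the nginx.conf lines visible in this commit set no `pid`, which leaves nginx's compiled-in default and a reload that cannot find the master. The pre-change line had the same gap, but the path just moved, so this is the moment to fix it: `ExecReload=/usr/bin/nginx -s reload -p /etc/kvmd/nginx -c /etc/kvmd/nginx/nginx.conf -g 'pid /run/kvmd/nginx.pid;'`. With `PIDFile=` set, `ExecReload=/bin/kill -HUP $MAINPID` avoids duplicating the globals string altogether.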
diff --git a/configs/os/systemd/kvmd-tc358743.service b/configs/os/systemd/kvmd-tc358743.service
index 44d26d1a..cb11d391 100644
--- a/configs/os/systemd/kvmd-tc358743.service
+++ b/configs/os/systemd/kvmd-tc358743.service
@@ -1,5 +1,5 @@
[Unit]
-Description=Loads EDID data to TC358743
+Description=Pi-KVM - EDID loader for TC358743
After=systemd-modules-load.service
Before=kvmd.service
diff --git a/configs/os/systemd/kvmd.service b/configs/os/systemd/kvmd.service
index eaab01aa..d161b95e 100644
--- a/configs/os/systemd/kvmd.service
+++ b/configs/os/systemd/kvmd.service
@@ -1,5 +1,5 @@
[Unit]
-Description=The main Pi-KVM daemon
+Description=Pi-KVM - The main daemon
After=network.target network-online.target nss-lookup.target
[Service]
diff --git a/configs/os/tmpfiles.conf b/configs/os/tmpfiles.conf
new file mode 100644
index 00000000..8e1734d2
--- /dev/null
+++ b/configs/os/tmpfiles.conf
@@ -0,0 +1 @@
+D /run/kvmd 0775 kvmd kvmd -
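Review bot: `0775` owned by `kvmd:kvmd` makes /run/kvmd group-writable, and this commit adds both `kvmd-nginx` and `kvmd-ipmi` to group kvmd (kvmd.install) so they can reach the 0660 sockets. Connecting needs only traverse on the directory plus rw on the socket; group write additionally lets the nginx worker or the IPMI proxy unlink or replace `kvmd.sock`/`ustreamer.sock` out from under the other services, which a shared socket directory should not permit. From what is visible, only kvmd itself (sockets, presumably as user kvmd) and the root nginx master (`nginx.pid`) create entries here, so `D /run/kvmd 0755 kvmd kvmd -` should suffice; if group write is genuinely required, `1775` at least stops one member from removing another's entries. A trailing comment noting that `D` (unlike `d`) lets `systemd-tmpfiles --remove` wipe the contents would also help.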
diff --git a/kvmd.install b/kvmd.install
index 3e504d48..42e9645d 100644
--- a/kvmd.install
+++ b/kvmd.install
@@ -8,19 +8,36 @@ post_install() {
post_upgrade() {
echo "==> Configuring KVMD users and groups ..."
- id kvmd &>/dev/null || useradd -r -c "The main Pi-KVM daemon" -s /sbin/nologin kvmd
- for group in gpio uucp systemd-journal; do
- (groupmems -l -g "$group" | grep kvmd >/dev/null) || groupmems -g "$group" -a kvmd
- done
+ _create_user kvmd "Pi-KVM - The main daemon"
+ _add_user_to_group kvmd gpio
+ _add_user_to_group kvmd uucp
+ _add_user_to_group kvmd systemd-journal
- id kvmd-nginx &>/dev/null || useradd -r -c "Pi-KVM Nginx Server" -s /sbin/nologin kvmd-nginx
- (groupmems -l -g kvmd | grep kvmd-nginx >/dev/null) || groupmems -g kvmd -a kvmd-nginx
+ _create_user kvmd-ipmi "Pi-KVM - IPMI to KVMD proxy"
+ _add_user_to_group kvmd-ipmi kvmd
- chown root:kvmd \
- /usr/share/kvmd/configs.default/kvmd/*passwd \
- /etc/kvmd/*passwd
+ _create_user kvmd-nginx "Pi-KVM - HTTP entrypoint"
+ _add_user_to_group kvmd-nginx kvmd
+
+ chown kvmd:kvmd /etc/kvmd/htpasswd
+ chown kvmd-ipmi:kvmd-ipmi /etc/kvmd/ipmipasswd
+ chmod 600 /etc/kvmd/*passwd
}
post_remove() {
- userdel kvmd &>/dev/null
+ _delete_user kvmd-nginx
+ _delete_user kvmd-ipmi
+ _delete_user kvmd
+}
+
+_create_user() {
+ id "$1" &>/dev/null || useradd -r -c "$2" -s /sbin/nologin "$1"
+}
+
+_delete_user() {
+ userdel "$1" &>/dev/null
+}
+
+_add_user_to_group() {
+ (groupmems -l -g "$2" | grep "$1" >/dev/null) || groupmems -g "$2" -a "$1"
}
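Review bot: `_add_user_to_group` tests membership with an unanchored `grep "$1"`, so a substring match silently skips the add: `_add_user_to_group kvmd gpio` becomes a no-op as soon as any member whose name contains `kvmd` (e.g. `kvmd-ipmi`) is already in that group, and a name beginning with `-` would be parsed as a grep option. Given that `groupmems -l` prints a whitespace-separated member list, a whole-word test fixes both without spawning grep: `[[ " $(groupmems -l -g "$2") " == *" $1 "* ]] || groupmems -g "$2" -a "$1"`. A one-line header comment on each of the three helpers (what they take, that they are idempotent) would also help, since post_install, which starts outside the hunk, presumably calls post_upgrade.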
diff --git a/scripts/kvmd-gencert b/scripts/kvmd-gencert
index 5def7926..43e89e08 100755
--- a/scripts/kvmd-gencert
+++ b/scripts/kvmd-gencert
@@ -34,8 +34,8 @@ cd /etc/kvmd/nginx/ssl
openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 3650 \
-subj "/C=RU/ST=Moscow/L=Moscow/O=Pi-KVM/OU=Pi-KVM/CN=localhost"
-chown -R root:http /etc/kvmd/nginx/ssl
+chown -R root:kvmd-nginx /etc/kvmd/nginx/ssl
chmod 400 server.key
chmod 444 server.crt
chmod 750 /etc/kvmd/nginx/ssl
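Review bot: The combination `chown -R root:kvmd-nginx` with `chmod 400 server.key` is correct but non-obvious: the group gets the 750 directory and the 444 certificate, yet cannot read the key, because only the root nginx master loads it and the `kvmd-nginx` workers never need it. A comment above the chmod lines would keep a future "fix" to 440 from widening key access: `# server.key stays 0400 root: the nginx master (root) loads it; kvmd-nginx workers must not read it`.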
diff --git a/testenv/Dockerfile b/testenv/Dockerfile
index 99dd8992..41bdf976 100644
--- a/testenv/Dockerfile
+++ b/testenv/Dockerfile
@@ -37,7 +37,6 @@ RUN pkg-install \
COPY testenv/requirements.txt requirements.txt
RUN pip install -r requirements.txt
-RUN useradd -r -c "Pi-KVM Nginx Server" -s /sbin/nologin kvmd-nginx
RUN mkdir -p /etc/kvmd/nginx
CMD /bin/bash
diff --git a/testenv/main.yaml b/testenv/main.yaml
index 5647d62e..d562ce45 100644
--- a/testenv/main.yaml
+++ b/testenv/main.yaml
@@ -1,6 +1,6 @@
kvmd:
server:
- unix: /run/kvmd.sock
+ unix: /run/kvmd/kvmd.sock
unix_rm: true
unix_mode: 0666
@@ -26,7 +26,7 @@ kvmd:
cap_pin: 17
conv_pin: 18
init_restart_after: 1
- unix: /run/ustreamer.sock
+ unix: /run/kvmd/ustreamer.sock
cmd:
- "/usr/bin/ustreamer"
- "--device=/dev/kvmd-video"
@@ -40,6 +40,6 @@ kvmd:
ipmi:
kvmd:
- unix: /run/kvmd.sock
+ unix: /run/kvmd/kvmd.sock
logging: !include logging.yaml