ansible: Add restricted rsync endpoint

ansible/hosts

@@ -9,3 +9,4 @@ motis:
       ansible_host: vm-motis.spline.de
       transitous_nginx_site_include_extra: /etc/ssl/routing.spline.inf.fu-berlin.de/include.nginx
       transitous_domain: routing.spline.de
+      transitous_rsync_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4Pxul2Bci8Vjowx4Q75wQaAXvvWvw1HsCzxBRgi/tI jbb@hyperion"

ansible/motis.yml

@@ -5,13 +5,7 @@
 - name: Set up MOTIS servers
   hosts: motis
   roles:
+    - rsync
     - motis
     - motis-proxy
     - nginx
-  tasks:
-    - name: Install rsync
-      apt:
-        name:
-          - rsync
-          - htop
-          - zstd

ansible/roles/rsync/files/rsync-ssh.service

@@ -0,0 +1,32 @@
+[Unit]
+Description=SSH Server for RSync push
+After=network.target
+
+[Service]
+ExecStartPre=/usr/sbin/sshd -t
+ExecStart=/usr/sbin/sshd -f /var/lib/rsync-ssh/sshd_config
+ExecReload=/usr/sbin/sshd -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+RuntimeDirectory=rsync-sshd
+RuntimeDirectoryMode=0755
+
+# Sandboxing
+RestrictSUIDSGID=true
+RestrictRealtime=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHostname=true
+NoNewPrivileges=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/rsync/files/sshd_config

@@ -0,0 +1,118 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Port 222
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Disable .ssh/authorized_keys2
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+X11UseLocalhost no
+PermitTTY no
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+PermitUserEnvironment yes
+PermitUserRC no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+Match Address 127.0.0.1
+    AuthorizedKeysCommand /etc/ssh/local-login/key-command
+    AuthorizedKeysCommandUser nobody

ansible/roles/rsync/tasks/main.yml

@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2024 Jonah Brüchert <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+- name: Install rsync
+  apt:
+    name:
+      - rsync
+      - bubblewrap
+      - dash
+      - openssh-server
+
+- name: Create user for rsync upload
+  user:
+    name: rsync
+    shell: /usr/bin/dash
+    create_home: true
+    home: /var/lib/rsync-ssh
+
+- name: Copy custom sshd_config
+  copy:
+    src: sshd_config
+    dest: /var/lib/rsync-ssh/sshd_config
+
+- name: Install rsync-ssh.service
+  copy:
+    src: rsync-ssh.service
+    dest: /etc/systemd/system/
+
+- name: Create rsync target directory
+  file:
+    path: /srv/rsync/transitous/
+    state: directory
+    owner: rsync
+
+- name: Add restricted authorized key for rsync
+  authorized_key:
+    user: rsync
+    state: present
+    key: 'command="bwrap --new-session --die-with-parent --cap-drop ALL --unshare-all --ro-bind /usr/lib/ /usr/lib/ --ro-bind /usr/bin/env /usr/bin/env --ro-bind /usr/bin/python3 /usr/bin/python3 --ro-bind /usr/bin/rrsync /usr/bin/rrsync --ro-bind /usr/bin/rsync /usr/bin/rsync --ro-bind /lib/ /lib/ --ro-bind /lib64/ /lib64 --bind /srv/rsync/transitous/ /srv/rsync/transitous/ -- /usr/bin/rrsync -wo /srv/rsync/transitous/",restrict {{ transitous_rsync_public_key }}'
+
+- name: Enable rsync-ssh.service
+  systemd:
+    name: rsync-ssh
+    enabled: true
+    masked: false
+    state: running