Signstar configure build

A commandline tool to configure a Signstar system during build.

The scope of this project is to read a dedicated configuration file, derive system users and their integration from it and create them.

The signstar-configure-build executable must be run as root.

Documentation

• https://signstar.archlinux.page/rustdoc/signstar_configure_build/ for development version of the crate
• https://docs.rs/signstar_configure_build/latest/signstar_configure_build/ for released versions of the crate

Configuration file

By default signstar-configure-build relies on the configuration file /usr/share/signstar/config.toml and will fail if it is not found or not valid.

One of the following configuration files in the following order are used instead, if they exist:

• /usr/local/share/signstar/config.toml
• /run/signstar/config.toml
• /etc/signstar/config.toml

Alternatively, signstar-configure-build can be provided with a custom configuration file location using the --config/ -c option.

System users

Based on configured user mappings in the configuration file, signstar-configure-build:

• creates unlocked system users
  • without passphrase
  • with a home directory below /var/lib/signstar/home/ (but without creating it)
• adds tmpfiles.d integration for each user, so that their home directory is created automatically
• adds a dedicated authorized_keys file and sshd_config drop-in configuration, which defines a ForceCommand option to enforce specific commands for each configured user with SSH access

Examples

Assuming a valid configuration file (such as example.toml) in one of the default locations, the executable is called without any options:

signstar-configure-build

Contributing

Please refer to the contributing guidelines to learn how to contribute to this project.

License

This project may be used under the terms of the Apache-2.0 or MIT license.

Changes to this project - unless stated otherwise - automatically fall under the terms of both of the aforementioned licenses.