#
# spec file for package ec2-instance-connect
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

# Package identity; the version also selects the upstream tarball below.
Name:           ec2-instance-connect
Version:        1.1.17
Release:        0
Summary:        EC2 instance scripting and configuration for EC2 Instance Connect
License:        Apache-2.0
Group:          System/Daemons
URL:            https://github.com/aws/aws-ec2-instance-connect-config
# NOTE(review): this is a forge-generated archive addressed by tag name only.
# Nothing in this spec pins a digest or signature for it, so confirm that the
# tarball stored next to the spec matches the upstream tag before bumping the
# version.
Source:         https://github.com/aws/aws-ec2-instance-connect-config/archive/%{version}.tar.gz
# Runtime tools. NOTE(review): the openssh floor is presumably what the
# AuthorizedKeysCommand arguments written by the post scriptlet need; confirm
# before lowering it.
Requires:       coreutils
Requires:       curl
Requires:       openssh >= 6.9.0
Requires:       openssl
# Nothing is compiled (the build section is empty), so one package fits all
# architectures.
BuildArch:      noarch

%description
SSH daemon configuration and necessary EC2 instance scripting to enable EC2 Instance Connect.

%prep
# The unpacked directory carries the upstream repository name, not the package name.
%setup -q -n aws-ec2-instance-connect-config-%{version}

%build
# No build required
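%install
# Ship every helper script from src/bin as an executable in the bin directory.
# The subshell keeps the directory change local to the loop; names are quoted
# so a file name with blanks or glob characters cannot split the install call.
(
  cd src/bin/
  for script in * ; do
    install -D -m 755 "$script" "%{buildroot}%{_bindir}/$script"
  done
)

# Upstream names the unit and the preset after the host-key harvester; they are
# installed under the package name instead.
install -D -m 644 src/rpm_systemd/ec2-instance-connect-harvest-hostkeys.service %{buildroot}%{_unitdir}/ec2-instance-connect.service
install -D -m 644 src/ec2-instance-connect-harvest-hostkeys.preset %{buildroot}%{_presetdir}/95-ec2-instance-connect.preset

# Point the unit at /usr instead of upstream's /opt/aws prefix.
# NOTE(review): only the unit file is rewritten; check whether the helper
# scripts installed above also carry /opt/aws paths.
sed -i 's|/opt/aws|/usr|g' %{buildroot}%{_unitdir}/ec2-instance-connect.service

# Drop a list entry naming the unit into hostkey.d.
# NOTE(review): the consumer of this directory is not visible in this spec.
mkdir -p %{buildroot}/usr/lib/systemd/hostkey.d
echo 'ec2-instance-connect.service' > %{buildroot}/usr/lib/systemd/hostkey.d/60-ec2-instance-connect.list

# One rc<unit> symlink per packaged unit, each pointing at "service".
mkdir -p %{buildroot}%{_sbindir}
for srv_name in %{buildroot}%{_unitdir}/*.service ; do
  rc_name=$(basename -s '.service' "$srv_name")
  ln -s service "%{buildroot}%{_sbindir}/rc$rc_name"
done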
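%pre
%service_add_pre ec2-instance-connect.service
# Account handling is skipped when /.buildenv exists (presumably the marker of
# the package build environment - confirm).
if ! [ -e /.buildenv ] ; then
  # Dedicated system account that sshd is told to run the AuthorizedKeysCommand
  # as (see AuthorizedKeysCommandUser in the post scriptlet). It gets no home
  # directory and a nologin shell. The lookup output is discarded so the
  # scriptlet stays silent when the account already exists.
  getent passwd ec2-instance-connect >/dev/null || useradd -r -M -s /sbin/nologin ec2-instance-connect
  # Lock the password as well, so it cannot be used to authenticate as this account.
  usermod -L ec2-instance-connect
fi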
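%post
%service_add_post ec2-instance-connect.service
if ! [ -e /.buildenv ] ; then
  systemctl start ec2-instance-connect.service
fi

# Flags in this scriptlet follow shell exit-status convention: 0 means yes,
# 1 means no. "modified" records whether the sshd drop-in was written.
modified=1

# Configure sshd to use EC2 Instance Connect's AuthorizedKeysCommand.
# The triple percent before each sshd token is deliberate: rpm should collapse
# a doubled percent to a single one, leaving a doubled percent in the drop-in,
# which systemd in turn reduces to the single percent that sshd expects.
EXEC_OVERRIDE='ExecStart=%{_sbindir}/sshd -D -o "AuthorizedKeysCommand %{_bindir}/eic_run_authorized_keys %%%u %%%f" -o "AuthorizedKeysCommandUser ec2-instance-connect"'

# Add our config only if nothing sets AuthorizedKeysCommand, its User or its
# RunAs variant in sshd_config *and* the packaged sshd unit does not mention it.
# The keyword checks are case-insensitive because sshd_config keywords are.
#
# NOTE(review): a missing or unreadable file makes grep fail, which these
# negated tests treat the same as "directive not set". Only the main
# sshd_config and the vendor unit directory are inspected; configuration
# snippets included from elsewhere and unit overrides under /etc are not, and
# options passed with -o on the sshd command line take precedence over the
# configuration file. Confirm this matches the target system's layout.
if ! [ -e /.buildenv ] \
    && ! /bin/grep -qi '^[^#]*AuthorizedKeysCommand[[:blank:]]\+.*$' %{_sysconfdir}/ssh/sshd_config \
    && ! /bin/grep -qi '^[^#]*AuthorizedKeysCommandUser[[:blank:]]\+.*$' %{_sysconfdir}/ssh/sshd_config \
    && ! /bin/grep -qi '^[^#]*AuthorizedKeysCommandRunAs[[:blank:]]\+.*$' %{_sysconfdir}/ssh/sshd_config \
    && ! /bin/grep -qi "AuthorizedKeysCommand" %{_unitdir}/sshd.service ; then
  can_modify=1
  if [ -d %{_unitdir}/sshd.service.d ] ; then
    # If *any* existing override contains an ExecStart, leave sshd alone.
    if ! /bin/grep -Rq "ExecStart" %{_unitdir}/sshd.service.d/ ; then
      can_modify=0
    fi
  else
    # No override directory yet: create it and proceed.
    mkdir %{_unitdir}/sshd.service.d
    can_modify=0
  fi
  if [ "$can_modify" -eq 0 ] ; then
    # Write the drop-in: the empty ExecStart= clears the unit's original
    # command before ours is set. printf replaces "echo -e", whose escape
    # handling depends on the shell; the format specifier is written with a
    # doubled percent so that rpm leaves a single one for the shell.
    # NOTE(review): this file is created at install time and is not in the
    # files list, so rpm does not own or verify it; whatever the distribution
    # ExecStart carried (extra options, environment) is replaced as well.
    printf '[Service]\nExecStart=\n%%s\n' "${EXEC_OVERRIDE}" > %{_unitdir}/sshd.service.d/ec2-instance-connect.conf
    modified=0
  fi
fi

if ! [ -e /.buildenv ] && [ "$modified" -eq 0 ] ; then
  # Make systemd pick up the new drop-in, then restart sshd only if it is
  # currently running.
  # NOTE(review): the new command line is not validated before the restart;
  # consider whether a failed start could cut off remote access.
  systemctl daemon-reload
  if systemctl is-active --quiet sshd ; then
    systemctl restart sshd
  fi
fi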
%preun
%service_del_preun ec2-instance-connect.service

# Act only when the scriptlet argument is 0 and /.buildenv is absent; in every
# other case the sshd drop-in stays in place.
if [ ! -e /.buildenv ] && [ "$1" -eq 0 ] ; then
  dropin_dir=%{_unitdir}/sshd.service.d

  # Remove the EC2 Instance Connect sshd override if present.
  if [ -f "$dropin_dir/ec2-instance-connect.conf" ] ; then
    rm -f "$dropin_dir/ec2-instance-connect.conf"

    # Ours was the only override: clean up the directory as well.
    if [ -z "$(ls -A "$dropin_dir")" ] ; then
      rmdir "$dropin_dir"
    fi

    # sshd's effective command line just changed back, so reload systemd and
    # restart sshd, but only if it is currently running.
    systemctl daemon-reload
    if systemctl is-active --quiet sshd ; then
      systemctl restart sshd
    fi
  fi
fi
%postun
%service_del_postun ec2-instance-connect.service

# When the scriptlet argument is 0 and /.buildenv is absent, delete the
# account that the pre scriptlet created.
# NOTE(review): deleting the account frees its UID for reuse; any file still
# owned by that UID would then belong to whichever account receives it next.
# Confirm that removing the account on erase is intended.
if [ ! -e /.buildenv ] && [ "$1" -eq 0 ] ; then
  userdel ec2-instance-connect
fi
%files
# Helper scripts copied from src/bin by the install section.
%{_bindir}/eic_curl_authorized_keys
%{_bindir}/eic_harvest_hostkeys
%{_bindir}/eic_parse_authorized_keys
%{_bindir}/eic_run_authorized_keys
# rc shortcut symlinks; the glob takes whatever the install section put in sbin.
%{_sbindir}/*
# systemd unit, its preset, and the hostkey.d list entry.
%{_unitdir}/ec2-instance-connect.service
%{_presetdir}/95-ec2-instance-connect.preset
%dir /usr/lib/systemd/hostkey.d
/usr/lib/systemd/hostkey.d/60-ec2-instance-connect.list
# NOTE(review): the sshd drop-in sshd.service.d/ec2-instance-connect.conf that
# the post scriptlet writes is not listed here, so rpm neither owns nor
# verifies the file that changes how sshd looks up authorized keys.
%changelog