[dev] nixos; riot multiple targets; install without ssh keys (#42)

* auth: add .eid/authorized_certificates for pam pkcs11 auth

* .zshrc: alias sl for sudo zsh -l

* to-install: nix

* zshrc: use gnu ls on mac

* zshrc: try to use gnu-ls

* try to fix ci for macos

* riot: add domain box[0-9]

* riot: shortcuts i,x,j

* .zshrc: warn if not in main channel

* sagt: reset agent so paths

* sagt: import ssh-agent -P paths

* common.sh: is_port_free and get_free_port

* riot use get_free_port to fix issue on windows

* riot: ssh support instant command

* riot: proxy delimiter from comma (,) to slash (/)

* riot: support multiple remotes, delimiter=comma (,)

* riot: fix ci; install.sh: --no-ssh

* riot: improve ci

---------

Co-authored-by: xiongdian.me <xiongdian.me@bytedance.com>

.eid/authorized_certificates

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFIDCCAwigAwIBAgIUK1zXH5UosBim7i+kIZyPGpowU9cwDQYJKoZIhvcNAQEL
+BQAwgZUxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCRUlKSU5HMRAwDgYDVQQHDAdC
+RUlKSU5HMRIwEAYDVQQKDAlEaWN0IFRlY2gxEDAOBgNVBAsMB1Jvb3QgQ0ExHjAc
+BgNVBAMMFURpY3QgVGVjaCBSb290IENBIC0gMDEcMBoGCSqGSIb3DQEJARYNbWVA
+YmVhcmRpYy5jbjAeFw0yMjA3MjIxNzU5MjNaFw0yNTA3MjExNzU5MjNaMEkxEjAQ
+BgNVBAoMCURpY3QgVGVjaDEQMA4GA1UECAwHQkVJSklORzELMAkGA1UEBhMCQ04x
+FDASBgNVBAMMC3NrMC5pYmQuaW5rMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAlDeyFxeJ5RXFX4B3rIIpNyyAIl5VTGCT5t8g9dxFWq0MeY6nQYJPA8IJ
+IH+KzzujBabyKYpzshDvMzkuhx0Kwi2VL+ckxWg5FLge3kNBJqYnBm5pPWx6o9R5
+DmcWqG5KRH0FJhSmL5KeBHsVcOurDtKn174x2eB+sggCSyuWlJyn4KxPLTg8z/Nr
+FP5qSY1vj6t7mpzau+eIGh8IcQiFxteN/86fKswQHint/MVaqg6vX05BuIb8xb5E
+XUvPIupdc/vtD959BxnTo7UoOz+3zu/u2cj2K9IDubwe9tDpv88aj6xnfXInFouD
+/mlSmvtLo1h/6arn1hurgoylh5wbOwIDAQABo4GyMIGvMAkGA1UdEwQCMAAwCwYD
+VR0PBAQDAgTwMB0GA1UdDgQWBBR9DxLqtR0+zUWoPyFoDRrnyJyDBTAfBgNVHSME
+GDAWgBRsprmVI/Tjey+sw4qoZpLd7PT0gTBVBgNVHSUETjBMBggrBgEFBQcDAgYI
+KwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYKKwYBBAGCN0MBAQYKKwYBBAGC
+N0MBAgYKKwYBBAGCNxQCAjANBgkqhkiG9w0BAQsFAAOCAgEA7BJXiRg32shmZWyY
+gPjq52ffN9RDNe58KadajJ1PnVP1yNJySgsOG3eSxONQX3ITr36Ihsfb3fZneBfX
+/IcXgjyvy1CDcvBBAyee91hdR8orMCePqMpeOSNP9CUp9Ctd4V+an0DE8Z1yrezA
+ieaYgBZCDxuZdloYSmj9Z/Rqn2dy4dcUAxKrEwW/6VPqQNrJETTtadS1SF0EsDxV
+XZpDqNYaS/N7/ciSm7TaQJud62A4m+FWWHNnttTp9IjLESr3U80+qtRY8yDNpulb
+/eNL8KK9aORiFUz9789l6M62HPi6vCsMflI0iHUeoi69GKX8mKf0WFR1KxoDsJiN
+DG9/1gCfj6whFCrT6fJTKAGl8Hp5toWMOeDprbsE5gf4Ik3p+sKMV9t43zNm3gvA
+1zNPtgQUffPU0kONlavIxUNfCmD8qVwK5ECT7wh0hrB8fRYfxTZHgN6Yvu7M9HNz
+SNt5JZCLBT4nLt0uQp9O/xctdHElZw+/W8OfnP5vxnPdccIeVOxpGIyzErwjD0+E
+9mNiqOa5JV9OMAJ+0I9cbOnuMaXm4mvHZadnetUzq2ZUw1Jba7z62zIJTciNRq9i
+ZJc6v5e+iqbE1ECZLco5LjWqqfvFfYCrkqeOhCRsRkVPsXnGPo2QDDYdTm4EGCmg
+dVZ6R452SZsrE4V+3LR011BxzEg=
+-----END CERTIFICATE-----

.zshrc2

@@ -101,16 +101,15 @@ fi
 # alias
 alias "pls"='sudo $(fc -ln -1)'
 alias "se"='sudo -sE'
+alias "sl"='sudo zsh -l'
 alias "pbd"='ping baidu.com'
 alias "p114"='ping 114.114.114.114'
 alias "p666"='ping6 2001:da8::666'
 alias "cbd"='curl http://www.baidu.com'
 alias "cbds"='curl https://www.baidu.com'
 alias "gdebug"='git add -A; git commit --allow-empty -m "bug fix ($(date))"'
-case $(bash "$DOTFILES/tools/common.sh" get_os_type) in
-    macos  ) alias l='ls -lAGh -D "%y-%m-%d %H:%M"' ;;
-    *      ) alias l='ls -lAGh --time-style="+%y-%m-%d %H:%M"' ;;
-esac
+alias "ls"='ls --color=tty'
+alias "l"='ls -lAGh --time-style="+%y-%m-%d %H:%M"'
 if [[ -x $(command -v trash) ]]; then
     alias "rm"="echo use the full path i.e. '/bin/rm'\; consider using trash"
 fi
@@ -177,6 +176,11 @@ dfs()
     esac
 }
 
+# motd
+if [[ "$DFS_INITED" != "1" && -n "$DFS_UPDATE_CHANNEL" && "$DFS_UPDATE_CHANNEL" != "main" ]]; then
+    echo dotfiles not in the main channel. use with caution.
+fi
+
 # clean
 unset i
 export DFS_INITED=1

install.sh

@@ -26,6 +26,8 @@ declare -a HOME_SYMLINKS_SRC
 declare -a HOME_SYMLINKS_DST
 HOME_SYMLINKS_SRC[0]=".ssh/authorized_keys2"
 HOME_SYMLINKS_DST[0]=".ssh/authorized_keys2"
+HOME_SYMLINKS_SRC[1]=".eid/authorized_certificates"
+HOME_SYMLINKS_DST[1]=".eid/authorized_certificates"
 
 install_dependencies()
 {
@@ -147,6 +149,9 @@ install_symlink()
 {
     fmt_note "installing symlinks ..."
     for ((i=0; i<${#HOME_SYMLINKS_SRC[@]}; i++)); do
+        if [[ -z "${HOME_SYMLINKS_SRC[$i]}" ]]; then
+            continue
+        fi
         local src="$DOTFILES/${HOME_SYMLINKS_SRC[$i]}"
         local dst="$HOME/${HOME_SYMLINKS_DST[$i]}"
         fmt_info "creating symlink \"$dst\" --> \"$src\" ..."
@@ -325,6 +330,7 @@ for i in ${GOT_OPTS[@]}; do
         -a|--auto ) INSTALL_DEP=1 ;;
         -H|--hist|--history ) store_hist=1 ;;
         -x ) store_config=1 ;;
+        --no-ssh ) unset HOME_SYMLINKS_SRC[0]; unset HOME_SYMLINKS_DST[0] ;;
         * ) fmt_fatal "unknown option \"$i\"" ;;
     esac
 done

scripts/riot

@@ -29,6 +29,14 @@ get_server_meta() {
     RET_JUMP_SERVER=""  # optional
     # body
     local remote="$1"
+    # shortcuts
+    if [[ "$remote" == "i" ]]; then
+        remote="sir0.ibd"
+    elif [[ "$remote" == "x" ]]; then
+        remote="bj1.ibd"
+    elif [[ "$remote" == "j" ]]; then
+        remote="sir0.ibd:36122"
+    fi
     # if in the form user@...
     if [[ "$remote" == *@* ]]; then
         RET_USERNAME=${remote%%@*}
@@ -70,30 +78,38 @@ get_server_meta() {
             RET_USERNAME=root
             RET_TRUST_SERVER=1
             ;;
+        box[0-9] )
+            RET_HOSTNAME=$host
+            RET_PORT=${RET_PORT:-12022}
+            RET_USERNAME=${RET_USERNAME:-root}
+            RET_JUMP_SERVER="root@$domain.ibd.ink:12022"
+            RET_TRUST_SERVER=1
+            ;;
         * )
             test -z "$domain" || fmt_warning "unknown domain: \"$domain\". will try as host name"
             RET_HOSTNAME="$remote"
     esac
 }
 
-# remote setting, including jump servers
-# will be called only once
-# provides:
-SERVER=""
-TRUST_SERVER=1
-PORT=""  # optional
-USERNAME=""  # optional
-SSH_OPTIONS=""  # optional
-if [[ "$RIOT_TRUST_CLIENT" == "1" ]]; then
-    SSH_OPTIONS='-o ControlMaster=auto -o ControlPath=/tmp/sshcm-%C -o PermitLocalCommand=yes'
-fi
 parse_remote() {
+    # remote setting, including jump servers
+    # called for every remote
+    # provides:
+    SERVER=""
+    TRUST_SERVER=1
+    PORT=""  # optional
+    USERNAME=""  # optional
+    SSH_OPTIONS=""  # optional
+    if [[ "$RIOT_TRUST_CLIENT" == "1" ]]; then
+        SSH_OPTIONS='-o ControlMaster=auto -o ControlPath=/tmp/sshcm-%C -o PermitLocalCommand=yes'
+    fi
+    # handle input
     local remote="$1"
     local jump_servers=""
     # loop for jump servers
     while [[ -n $remote ]]; do
-        local server=${remote%%,*}
-        remote=${remote#*,}
+        local server=${remote%%/*}
+        remote=${remote#*/}
         get_server_meta "$server"
         if [[ -n "$RET_JUMP_SERVER" ]]; then
             jump_servers="$jump_servers${jump_servers:+,}$RET_JUMP_SERVER"
@@ -134,13 +150,13 @@ prepare_ssh_cmd() {
     else
         local port_param='-p'
     fi
-    echo "$ssh_bin ${PORT:+$port_param} $PORT $SSH_OPTIONS $SCP_SRC $USERNAME${USERNAME:+@}$SERVER $SCP_DST"
+    echo "$ssh_bin ${PORT:+$port_param} $PORT $SSH_OPTIONS $SCP_SRC $USERNAME${USERNAME:+@}$SERVER $SCP_DST ${@:2}"
 }
 
 # ssh
 run_ssh()
 {
-    local cmd="$(prepare_ssh_cmd $1)"
+    local cmd="$(prepare_ssh_cmd $@)"
     fmt_note "-->" $cmd
     eval_or_echo $cmd
 }
@@ -153,12 +169,7 @@ run_sshl()
         # treat as a port number
         arg=localhost:$arg
     fi
-    while
-        local port=$(shuf -n 1 -i 49152-65535)
-        netstat -atun | grep -q "$port"
-    do
-        continue
-    done
+    local port=$(get_free_port)
 
     SSH_OPTIONS="$SSH_OPTIONS -NC -L $port:$arg"
     local cmd="$(prepare_ssh_cmd ssh)"
@@ -202,35 +213,38 @@ router() {
         print_help
         exit
     fi
-    parse_remote "$1"
-    case $2 in
-        -h|--help)
-            print_help
-            exit
-            ;;
-        ssh|"" )
-            run_ssh
-            ;;
-        zssh )
-            run_ssh zssh
-            ;;
-        sftp )
-            run_ssh sftp
-            ;;
-        sshl )
-            test -n "$3" || fmt_fatal "no target address provided"
-            run_sshl "$3"
-            ;;
-        scp )
-            test -n "$3" || fmt_fatal "no source path specified"
-            test -n "$4" || fmt_fatal "no destination path specified"
-            run_scp "$3" "$4"
-            ;;
-        * )
-            print_help
-            fmt_fatal "unknown command: $2"
-            ;;
-    esac
+
+    IFS=',' read -ra remotes <<< "$1"
+    for remote in "${remotes[@]}"; do
+        if [[ -z "$remote" ]]; then
+            continue
+        fi
+        parse_remote "$remote"
+        case $2 in
+            ssh|"" )
+                run_ssh ssh "${@:3}"
+                ;;
+            zssh )
+                run_ssh zssh
+                ;;
+            sftp )
+                run_ssh sftp
+                ;;
+            sshl )
+                test -n "$3" || fmt_fatal "no target address provided"
+                run_sshl "$3"
+                ;;
+            scp )
+                test -n "$3" || fmt_fatal "no source path specified"
+                test -n "$4" || fmt_fatal "no destination path specified"
+                run_scp "$3" "$4"
+                ;;
+            * )
+                print_help
+                fmt_fatal "unknown command: $2"
+                ;;
+        esac
+    done
 }
 
 router "${GOT_OPTS[@]}"

tools/common.sh

@@ -233,6 +233,31 @@ get_os_name()
     echo $ans
 }
 
+is_port_free() {
+    ( echo $1 | grep -qxE "[1-9][0-9]{0,4}" ) || false
+    local cmd
+    case $(get_os_type) in
+        macos ) cmd="netstat -van | grep -q \".$1\"" ;;
+        cygwin|msys ) cmd="netstat -ano | grep -q \":$1\"" ;;
+        *) cmd="netstat -tuanp | grep -q \":$1\"" ;;
+    esac
+    if eval $cmd; then
+        return 2
+    else
+        return 0
+    fi
+}
+
+get_free_port() {
+    while
+        local port=$(shuf -n 1 -i 49152-65535)
+        ! is_port_free $port
+    do
+        continue
+    done
+    echo $port
+}
+
 # if bash-ed, else source-d
 if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
     $1 "${@:2}"

tools/macos.sh

@@ -6,7 +6,7 @@ source "$THIS_DIR/common.sh"
 brew_install()
 {
     # brew update
-    brew install git zsh curl tmux vim util-linux
+    brew install git zsh curl tmux vim util-linux coreutils
 }
 
 router()

tools/sagent.sh

@@ -5,9 +5,14 @@ export DFS_COLOR=1
 source "$THIS_DIR/common.sh"
 
 
+SO_PATHS=(
+    "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"  # ubuntu 22.04
+    "/run/current-system/sw/lib/opensc-pkcs11.so"  # nixos 23.05
+    "/Library/OpenSC/lib/opensc-pkcs11.so"  # macos 13.4
+)
+
 find_so_file()
 {
-    local SO_PATHS=( "/usr/lib64/opensc-pkcs11.so" "/usr/local/lib/opensc-pkcs11.so" "/run/current-system/sw/lib/opensc-pkcs11.so" )
     local SO_FILE
     for SO_FILE in ${SO_PATHS[*]}; do
         if [[ -f "$SO_FILE" ]]; then
@@ -19,7 +24,8 @@ find_so_file()
 
 create_agent()
 {
-    ssh-agent -P "/usr/lib64/*,/usr/local/lib/*,/nix/store/*"
+    local IFS=","
+    ssh-agent -P "${SO_PATHS[*]}"
 }
 
 kill_agent()

tools/test.zsh

@@ -3,6 +3,12 @@
 set -ex
 trap "dfs beacon gh.ci.fail" ERR
 
+# fix for macos
+dfs cd
+if [[ $(./tools/common.sh get_os_type) == "macos" ]]; then
+    export PATH="/usr/local/opt/coreutils/libexec/gnubin:/opt/homebrew/opt/coreutils/libexec/gnubin:${PATH}"
+fi
+
 # check files
 cd /
 l
@@ -13,6 +19,7 @@ l
 pwd
 test -f .zshrc2
 diff -q ./.ssh/authorized_keys2 ~/.ssh/authorized_keys2
+diff -q ./.eid/authorized_certificates ~/.eid/authorized_certificates
 grep -q ".zshrc2" ~/.zshrc
 
 # check scripts and functions
@@ -31,7 +38,8 @@ test $(echo n | tools/common.sh ask_for_yN "test") = "0"
 test $(echo | tools/common.sh ask_for_yN "test") = "0"
 test $(echo | tools/common.sh ask_for_Yn "test") = "1"
 test $(DFS_QUIET=1 tools/common.sh ask_for_Yn "test") = "1"
-test "$(DFS_TRUST=1 riot time@is.impt:2222,yes@you-r.right,you@are.really.recht.,ibd.,try@it scp /tmp/ ./tmp -D 2>/dev/null)" = 'scp -P 12022 -o ControlMaster=auto -o ControlPath=/tmp/sshcm-%C -o PermitLocalCommand=yes -o ProxyJump=time@is.impt:2222,yes@you-r.right,you@are.really.recht.,ibd. -r try@it.ibd.ink:"/tmp/" "./tmp"'
+test "$(DFS_TRUST=1 riot time@is.impt:2222/yes@you-r.right/you@are.really.recht./ibd./try@it,another@host scp /tmp/ ./tmp -D 2>/dev/null)" = 'scp -P 12022 -o ControlMaster=auto -o ControlPath=/tmp/sshcm-%C -o PermitLocalCommand=yes -o ProxyJump=time@is.impt:2222,yes@you-r.right,you@are.really.recht.,ibd. -r try@it.ibd.ink:"/tmp/" "./tmp"
+scp -P 12022 -o ControlMaster=auto -o ControlPath=/tmp/sshcm-%C -o PermitLocalCommand=yes -o ForwardX11=yes -o ForwardAgent=yes -r another@host.ibd.ink:"/tmp/" "./tmp"'
 
 # check alias
 alias p114

tools/to-install.sh

@@ -11,6 +11,7 @@ INSTALL_COMMANDS=(\
     [zerotier-one]='curl -s https://install.zerotier.com | sudo bash' \
     [docker-ce]='curl -fsSL https://get.docker.com | sudo bash -s - --mirror Aliyun #--dry-run' \
     [lemonbench]='curl -fsSL https://ilemonra.in/LemonBenchIntl | bash -s fast # or full' \
+    [nix]='sh <(curl -L https://nixos.org/nix/install) #--daemon' \
 )
 
 install()