# authorized_keys template: one "ssh-rsa <key> <comment>" line per principal.
# Host keys (Gateway, Satellite) are listed next to three user keys, presumably so
# the hosts themselves can log in as this account as well — confirm that is intended.
# NOTE(review): as written every key gets an unrestricted shell. Prefix the host
# keys with options such as from="<addr>",no-agent-forwarding,no-X11-forwarding
# (or command="...") so a key lifted from a host cannot do more than it needs to.
ssh-rsa <the Gateway's generated key> Gateway
ssh-rsa <the Satellite generated key> Satellite
ssh-rsa <the generated key> User 1
ssh-rsa <the generated key> User 2
ssh-rsa <the generated key> User 3
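#!/bin/bash
# ~/.bashrc for the Airlock (jump) host. It is sourced by interactive shells, so
# the shebang above is informational only.
alias ls='ls --color=auto'

# Load id_airlock into a keychain-managed ssh-agent. keychain's banner goes to
# stderr and is discarded on purpose: otherwise it is printed on every login.
# That also silences failures (missing key), so the guard below at least avoids
# masking "keychain is not installed at all".
if command -v keychain >/dev/null 2>&1; then
  keychain id_airlock 2>/dev/null
fi

# Pick up the agent socket/pid that keychain wrote for this host.
[ -z "$HOSTNAME" ] && HOSTNAME=$(uname -n)
if [ -f "$HOME/.keychain/$HOSTNAME-sh" ]; then
  . "$HOME/.keychain/$HOSTNAME-sh"
fi

# Colour the prompt so a shell on the Airlock is visually distinct from a shell
# on the hosts behind it (reduces "ran it on the wrong box" mistakes).
# Escape 0;31 is red; the original comment said green, but the code has always
# produced red, so the comment is what was wrong.
RED="\[\033[0;31m\]"
WHITE="\[\033[00m\]"
export PS1="$RED\h $WHITE\w$WHITE\$ "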
[gitosis]
# Three repositories (gateway, satellite, users-auth), each writable by the same
# two members. user1/user2 are presumably matched against key files in the
# gitosis-admin keydir — confirm against that repository.
[group gateway]
members = user1 user2
writable = gateway
[group satellite]
members = user1 user2
writable = satellite
# NOTE(review): because the member lists are identical, either user's key can
# change the configuration pushed to every host; there is no separation between
# who may edit the firewall/wrapper rules and who may edit the key list.
# gitosis is unmaintained; gitolite is the usual replacement and offers
# per-branch and per-path rules if finer control is wanted.
[group users-auth]
members = user1 user2
writable = users-auth
# /etc/hosts.allow — tcp_wrappers (libwrap) allow list, consulted before hosts.deny.
# list of all the hosts with access to the system
# Gateway: 127.0.0.1, xxx.xxx.xxx.xxx
# Satellite 1: xxx.xxx.xxx.xxx
# Satellite 2: xxx.xxx.xxx.xxx
# NOTE(review): this only takes effect if sshd is linked against libwrap
# (OpenSSH dropped tcp_wrappers support in 6.7). The accompanying iptables rules
# accept port 12345 from any source, so if libwrap is absent nothing limits which
# hosts may reach sshd — verify (e.g. ldd on the sshd binary) or add -s
# restrictions to the iptables rule as well.
sshd: 127.0.0.1, xxx.xxx.xxx.xxx
# /etc/hosts.deny — tcp_wrappers deny list. hosts.allow is evaluated first, so
# the sshd addresses listed there still get through.
# The PARANOID wildcard matches any host whose name does not match its
# address.
ALL: PARANOID
# Block all ssh connections - specific ips are allowed in hosts.allow
# NOTE(review): like hosts.allow, this is a no-op unless sshd is built with
# libwrap; the iptables rules are the only enforcement layer otherwise.
sshd: ALL
# /etc/iptables.up.rules — reapplied with: sudo iptables-restore < /etc/iptables.up.rules
*filter
# NOTE(review): the INPUT policy is ACCEPT; the chain is only closed by the final
# REJECT rule. A DROP policy would keep the host closed if the rules are flushed
# or a restore fails part-way.
:INPUT ACCEPT [1:52]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: allow, and reject anything addressed to 127/8 that did not arrive on
# lo (spoofed loopback traffic).
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# sshd listens on 12345 (Port in sshd_config). This accepts NEW connections from
# ANY source; the per-host restriction is delegated to hosts.allow/hosts.deny.
# NOTE(review): add -s <gateway/satellite addresses> here so the firewall
# enforces the allow list too, rather than relying on tcp_wrappers alone.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12345 -j ACCEPT
# Silently drop echo-request; any other unsolicited ICMP falls through to the
# logged REJECT below.
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
# Rate-limited (5/min) debug-level log of everything about to be rejected.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
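#!/bin/bash
# post-receive hook: when master is pushed, update the deployed checkout of the
# gateway config. git feeds "<oldrev> <newrev> <refname>" on stdin, one line
# per updated ref. The hook runs as the account the push arrived under, so that
# account needs write access to WORKDIR.
#
# Fix over the previous version: the "Deployed" banner was printed even when
# `git pull` failed, so a pusher could believe a bad config had gone live.

WORKDIR=/home/office/source/airlock

# Deploy one pushed ref; only refs/heads/master is acted on.
# Arguments: $1 old rev, $2 new rev (both unused), $3 ref name.
# Outputs:   deploy banner on stdout, error on stderr.
# Returns:   0 if nothing to do or the checkout was updated, 1 on failure.
deploy_ref() {
  local refname=$3
  [[ "$refname" == "refs/heads/master" ]] || return 0

  # git sets GIT_DIR to the bare repository for hooks; point it at the
  # checkout's .git and run from the work tree so `git pull` updates it.
  if ! ( cd "$WORKDIR" && GIT_DIR="$WORKDIR/.git" git pull --quiet >/dev/null ); then
    echo "ERROR: git pull in $WORKDIR failed; gateway config NOT deployed" >&2
    return 1
  fi

  echo "===================================================="
  echo "Deployed Gateway config changes"
  echo "If changes were made to the iptables, you must run:"
  echo "sudo iptables-restore < /etc/iptables.up.rules"
  echo "to reapply them."
  echo "===================================================="
}

# -r keeps backslashes in ref names literal.
while read -r oldrev newrev refname; do
  deploy_ref "$oldrev" "$newrev" "$refname"
done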
# ~/.ssh/config on the Airlock. ssh keeps the FIRST value it sees for each
# option, so the host-specific blocks come before the "Host *" defaults.
Host gateway
HostName 127.0.0.1
Host sat1
HostName satellite1.example.com
# Defaults for every destination: IPv4 only, the non-standard port that matches
# Port in sshd_config, and the office account.
Host *
AddressFamily inet
Port 12345
User office
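# sshd_config for the Airlock: non-standard port, no root, public keys only.
Port 12345
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PermitEmptyPasswords no
PasswordAuthentication no
# PasswordAuthentication=no does not stop password prompts delivered through
# keyboard-interactive (PAM). Disable that path too so only keys are accepted,
# regardless of what the rest of the file (not shown here) sets.
ChallengeResponseAuthentication no
# NOTE(review): consider AllowUsers/AllowGroups to limit logins to the accounts
# that are meant to reach the Airlock.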