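# LinuxKit image definition for the "adlin" tutorial VM (build 2).
# The custom "init" file below replaces the normal early boot: it mounts the
# persistent disk as an overlay over the read-only image, enrolls the VM on
# the adlin WireGuard network and then hands over to systemd.
kernel:
  image: linuxkit/kernel:5.15.110
  # root= appears twice. The init script below reads the FIRST occurrence
  # (/dev/sda1); /dev/sr0 is special-cased there to mean "stay on the
  # initramfs". adlin.format= names the disk to partition+format when
  # /dev/sda1 does not exist yet (or on every boot with adlin.alwaysformat).
  cmdline: "console=tty0 console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.format=/dev/sda quiet"
init:
  - nemunaire/adlin-tuto2:5a42a080ac2644e92aef80647f37580c5dda1d01
files:
  - path: etc/hostname
    contents: |
      adlin2
    uid: 0
    gid: 0
    mode: "0644"
  - path: etc/resolv.conf
    contents: |
      nameserver 9.9.9.10
      nameserver 1.1.1.1
    uid: 0
    gid: 0
    mode: "0644"
  - path: etc/systemd/network/49-main.link
    contents: |
      [Match]
      OriginalName=eth0

      [Link]
      Name=eth0
    uid: 0
    gid: 0
    mode: "0644"
  - path: etc/systemd/network/50-dhcp.network
    contents: |
      [Match]
      Name=eth0

      [Network]
      DHCP=yes
      IPv6AcceptRA=no
      LinkLocalAddressing=no
    uid: 0
    gid: 0
    mode: "0644"
  - path: init
    contents: |
      #!/bin/sh
      # Early-boot init for the adlin VM. Runs as PID 1 (root) before any other
      # process exists. Steps: mount devtmpfs/proc, optionally format the data
      # disk, build an overlay (disk upper, image lower), switch into it,
      # enroll on the WireGuard network, fetch the user's SSH keys, exec init.
      #
      # NOTE(review): after "mount --move . /" below, the script keeps resolving
      # absolute paths (/bin/ip, /overlay, ...) through the initramfs; anything
      # on the new root is addressed relatively (etc/..., root/...) or via
      # "chroot .". Keep that convention when editing.

      # Print the value of "$1=" from /proc/cmdline (from Gentoo Wiki).
      # Only the FIRST occurrence is returned; nothing is printed when absent.
      cmdline() {
          local value
          value=" $(cat /proc/cmdline) "
          value="${value#* $1=}"
          value="${value%% *}"
          [ "$value" != "" ] && echo "$value"
      }

      mount -n -t devtmpfs devtmpfs /dev
      mount -n -t proc proc /proc
      #mount -n -t tmpfs run /run
      #mount -m -t sysfs sys /sys

      # Debug hook: adlin.debuginit=/bin/sh gives a root shell on the console
      # before anything else runs. Whoever controls the kernel cmdline already
      # controls the machine, so this adds no new exposure.
      INITDEBUG=$(cmdline adlin.debuginit)
      [ -n "${INITDEBUG}" ] && /bin/busybox cttyhack ${INITDEBUG}

      INITP=$(cmdline init)
      [ -z "$INITP" ] && INITP=/lib/systemd/systemd

      # Enrollment token. /proc/cmdline is world-readable once the system is
      # up, so a token passed this way is visible to every local user. It is
      # persisted to etc/adlin.token (mode 0600) for later boots.
      WGTOKEN=$(cmdline adlin.token)

      ROOTFS=$(cmdline root)
      [ -z "$ROOTFS" ] && { echo "No root= provided, continuing on initramfs only."; exec "${INITP}"; }
      [ "$ROOTFS" = "/dev/sr0" ] && { echo "No root= provided, continuing on initramfs only."; exec "${INITP}"; }

      # Partition and format the disk named by adlin.format= when root= is not
      # (yet) a block device, or on every boot when adlin.alwaysformat is set.
      # This wipes the whole disk: one primary partition, ext4 on top.
      if [ ! -b "$ROOTFS" ] || [ -n "$(cmdline adlin.alwaysformat)" ]; then
          FORMATDD=$(cmdline adlin.format)
          if [ -b "$FORMATDD" ]; then
              # printf, not echo: backslash-escape handling in echo differs
              # between dash and busybox ash, and fdisk needs real newlines.
              printf 'o\nn\np\n1\n\n\np\nw\nq\n' | fdisk "${FORMATDD}" && mkfs.ext4 -q "${FORMATDD}1"
          fi
          [ -b "$ROOTFS" ] || { echo "Invalid provided rootfs: not a valid block device."; exit 1; }
      fi

      mkdir -p /overlay
      /bin/mount -n -t tmpfs none /overlay
      /bin/mkdir -p /overlay/rwdata
      /bin/mkdir -p /overlay/robase
      /bin/mkdir -p /overlay/combined
      /bin/mount --bind / /overlay/robase

      ovr_rwdata=/overlay/rwdata
      ovr_robase=/overlay/robase
      ovr_combined=/overlay/combined

      # Prepare filesystem for local data storage: the disk is the writable
      # upper layer, the (bind-mounted) initramfs image is the lower layer.
      /bin/mkdir -p ${ovr_rwdata}
      /bin/mount -n "${ROOTFS}" ${ovr_rwdata} || { echo "Unable to mount rootfs."; exit 2; }
      mkdir -p ${ovr_rwdata}/data
      mkdir -p ${ovr_rwdata}/work
      /bin/mount -n -t overlay -o upperdir=${ovr_rwdata}/data,workdir=${ovr_rwdata}/work,lowerdir=${ovr_robase} overlay ${ovr_combined} || { echo "Unable to create overlayfs."; exit 3; }
      # Move the two layers under the combined tree so they stay reachable
      # from the new root, then make the combined tree the root.
      /bin/mkdir -p ${ovr_combined}/overlay/rwdata
      /bin/mount -n --move ${ovr_rwdata} ${ovr_combined}/overlay/rwdata
      /bin/mkdir -p ${ovr_combined}/overlay/robase
      /bin/mount -n --move ${ovr_robase} ${ovr_combined}/overlay/robase
      /bin/mkdir -p ${ovr_combined}/overlay/pivot
      cd ${ovr_combined}
      mount --move /dev dev
      mount --move /proc proc
      mount --move . /
      /bin/umount -n /overlay

      # Optional local hook from the persistent disk; it runs as root before
      # the network is up. "." rather than "source": dash has no "source".
      [ -f "etc/adlin.init" ] && . etc/adlin.init

      # Setting up wireguard tunnel
      [ -z "${WGTOKEN}" ] && [ -f "etc/adlin.token" ] && WGTOKEN=$(cat etc/adlin.token)
      [ -z "${WGTOKEN}" ] && {
          echo
          echo -n "You didn't define your token to connect the network. Please copy it here now: "
          read -r WGTOKEN
      }

      /bin/ip link set up dev eth0 || { /sbin/modprobe e1000; /bin/ip link set up dev eth0; }
      /sbin/sysctl -w net.ipv6.conf.eth0.autoconf=0
      /bin/busybox udhcpc -n -q

      # Reuse the private key from a previous boot when a config exists,
      # otherwise generate a fresh one. The key is stored in
      # etc/wireguard/adlin.conf together with the peer data the server returns.
      mkdir -p etc/wireguard
      [ -f "etc/wireguard/adlin.conf" ] && WGPRVKEY=$(sed 's/^.*PrivateKey *= *//p;d' etc/wireguard/adlin.conf)
      [ -z "${WGPRVKEY}" ] && WGPRVKEY=$(/usr/bin/wg genkey)
      WGPUBKEY=$(echo "$WGPRVKEY" | /usr/bin/wg pubkey)

      # The token itself never leaves the machine: the server identifies us by
      # the SHA-512 hex digest of the token in the URL. On failure drop to a
      # rescue shell and retry when it exits; the config file is rewritten
      # from scratch on every attempt.
      TOKENHASH=$(echo -n "$WGTOKEN" | /usr/bin/sha512sum | /usr/bin/cut -d ' ' -f 1)
      while ! {
          # printf, not echo: under busybox ash "echo" would emit a literal
          # "\n" and wg setconf would reject the one-line result.
          printf '[Interface]\nPrivateKey = %s\n' "${WGPRVKEY}"
          /usr/sbin/chroot . /usr/bin/curl -f -d '{"pubkey": "'"${WGPUBKEY}"'"}' "https://adlin.nemunai.re/api/wg/${TOKENHASH}"
      } > etc/wireguard/adlin.conf
      do
          echo ""
          echo "****************************************"
          echo "******* SWITCHING TO RESCUE MODE *******"
          echo "****************************************"
          echo ""
          echo "Sorry, I was unable to establish a connection to adlin.nemunai.re."
          echo "Please verify that your primary network interface can obtain an IPv4 through DHCP."
          echo ""
          echo "If curl report a 400 error, then you probably mistyped the token, you should reboot now."
          echo ""
          echo "Dropping to a shell, please fix your network, then press Ctrl+D or exit to retry."
          echo ""
          echo "****************************************"
          echo ""
          /bin/busybox cttyhack /usr/sbin/chroot . /bin/sh
          echo "Retrying connection..."
      done
      # Both files hold secrets (tunnel private key, enrollment token). PID 1
      # starts with umask 022, so without an explicit chmod they would be
      # world-readable once the system is multi-user.
      chmod 600 etc/wireguard/adlin.conf
      echo -n "${WGTOKEN}" > etc/adlin.token
      chmod 600 etc/adlin.token

      # MyIPv6= / GWIPv6= / MyLogin= are extra fields in the server-supplied
      # config (presumably comment lines, since wg setconf also reads it).
      /sbin/modprobe wireguard
      /bin/ip link add dev wg0 type wireguard
      /usr/bin/wg setconf wg0 etc/wireguard/adlin.conf
      /bin/ip address add dev wg0 $(sed 's/^.*MyIPv6=//p;d' etc/wireguard/adlin.conf)
      /bin/ip link set up dev wg0
      /bin/ip -6 route del default
      /bin/ip -6 route add default via $(sed 's/^.*GWIPv6=//p;d' etc/wireguard/adlin.conf) pref high

      # Download intermediate fixes.
      # NOTE(review): this executes whatever the server returns, as root, on
      # every boot; integrity rests entirely on TLS to adlin.nemunai.re.
      # Fetch to a file first so a truncated transfer is never half-executed
      # (a pipe into sh would run the lines received before the cut).
      # X-ADLIN-time carries the mtime of /boot, presumably so the server can
      # select fixes newer than this build -- verify against the server.
      FIXSCRIPT=tmp/adlin-fix-vm2.sh
      mkdir -p tmp
      if curl -s -f -o "${FIXSCRIPT}" -H "X-ADLIN-time: $(stat -c %Y /boot)" https://adlin.nemunai.re/fix-vm2; then
          sh "${FIXSCRIPT}"
      fi
      rm -f "${FIXSCRIPT}"

      # Retrieve ssh keys for root from the CRI, using the login the server
      # put in the WireGuard config. Download to a temporary file and move it
      # into place only on success, so a failed fetch never truncates an
      # existing authorized_keys.
      mkdir -p root/.ssh/
      chmod 700 root/.ssh
      if [ ! -s root/.ssh/authorized_keys ]; then
          MYLOGIN=$(sed 's/^.*MyLogin=//p;d' etc/wireguard/adlin.conf)
          if [ -n "${MYLOGIN}" ]; then
              /usr/sbin/chroot . /usr/bin/curl -s -f -o /root/.ssh/authorized_keys.tmp "https://cri.epita.fr/${MYLOGIN}.keys" \
                  && mv root/.ssh/authorized_keys.tmp root/.ssh/authorized_keys
              rm -f root/.ssh/authorized_keys.tmp
          fi
      fi
      [ -f etc/ssh/ssh_host_rsa_key ] || /usr/sbin/chroot . ssh-keygen -A

      # To the user
      exec /usr/sbin/chroot . "${INITP}"
    uid: 0
    gid: 0
    mode: "0755"
  # - path: etc/systemd/system/systemd-networkd.service.d/10-debug.conf
  #   contents: |
  #     [Service]
  #     Environment=SYSTEMD_LOG_LEVEL=debug
  #   uid: 0
  #   gid: 0
  #   mode: "0644"
  # NOTE(review): the root hash below is a shared credential baked into every
  # image built from this file, and anyone holding the file can attack it
  # offline. If console password login is not needed for the tutorial, lock
  # the account (root:*:...) and rely on the SSH keys fetched by init.
  - path: etc/shadow
    contents: |
      root:$y$j9T$.GjDIyRkcMni489J0rTPS0$.TecjwXa3nlysU16kk7KFIZ2QLIA66Jt5ZG39aE7hf1:18336:0:99999:7:::
      daemon:*:18316:0:99999:7:::
      bin:*:18316:0:99999:7:::
      sys:*:18316:0:99999:7:::
      sync:*:18316:0:99999:7:::
      games:*:18316:0:99999:7:::
      man:*:18316:0:99999:7:::
      lp:*:18316:0:99999:7:::
      mail:*:18316:0:99999:7:::
      news:*:18316:0:99999:7:::
      uucp:*:18316:0:99999:7:::
      proxy:*:18316:0:99999:7:::
      www-data:*:18316:0:99999:7:::
      backup:*:18316:0:99999:7:::
      list:*:18316:0:99999:7:::
      irc:*:18316:0:99999:7:::
      gnats:*:18316:0:99999:7:::
      nobody:*:18316:0:99999:7:::
      _apt:*:18316:0:99999:7:::
      systemd-timesync:*:18333:0:99999:7:::
      systemd-network:*:18333:0:99999:7:::
      systemd-resolve:*:18333:0:99999:7:::
      sshd:*:18333:0:99999:7:::
    uid: 0
    gid: 0
    mode: "0640"
trust:
  org:
    - linuxkit
    - library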