# Kernel image and boot command line for the LinuxKit build.
kernel:
  image: linuxkit/kernel:4.19.121
  # Two root= entries are given on purpose: the init script's cmdline() helper
  # keeps the first occurrence (/dev/sda1) and treats /dev/sr0 as "no
  # persistent root"; adlin.format= names the disk to partition on first boot.
  cmdline: 'console=tty0 console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.format=/dev/sda quiet'
# Userland base image. It is pinned to a commit-hash *tag*, not a content
# digest, so immutability of the tag rests on the registry; the trust: section
# below lists which organisations' images must be signed.
init:
- nemunaire/adlin-tuto2:a68d5f224331628dc525edf383ec7429dfe001b0
# Files written into the image's root filesystem; paths are relative to /.
files:
# Static hostname of the VM.
- path: etc/hostname
  contents: |
    adlin2
  uid: 0
  gid: 0
  mode: '0644'
# Fixed upstream resolvers (Quad9 unfiltered and Cloudflare); the DHCP-supplied
# ones are not used.
- path: etc/resolv.conf
  contents: |
    nameserver 9.9.9.10
    nameserver 1.1.1.1
  uid: 0
  gid: 0
  mode: '0644'
# Keep the primary interface named eth0 (the init script and the .network file
# below both address it by that name).
- path: etc/systemd/network/49-main.link
  contents: |
    [Match]
    OriginalName=eth0
    [Link]
    Name=eth0
  uid: 0
  gid: 0
  mode: '0644'
# IPv4 via DHCP on eth0; IPv6 autoconfiguration and link-local addressing are
# switched off because IPv6 connectivity comes through the WireGuard tunnel.
# ("DHCP=yes" is systemd syntax inside the block scalar, not a YAML boolean.)
- path: etc/systemd/network/50-dhcp.network
  contents: |
    [Match]
    Name=eth0
    [Network]
    DHCP=yes
    IPv6AcceptRA=no
    LinkLocalAddressing=no
  uid: 0
  gid: 0
  mode: '0644'
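# Custom PID 1: mounts the persistent disk as the upper layer of an overlay over
# the image, brings up the WireGuard tunnel to the lab network, fetches the
# user's SSH keys, then hands over to the real init (systemd by default).
- path: init
  contents: |
    #!/bin/sh
    # /proc/cmdline parser (from Gentoo Wiki): prints the value of "$1=..."
    # (first occurrence wins); prints nothing and returns non-zero when absent.
    cmdline() {
        local value
        value=" $(cat /proc/cmdline) "
        value="${value#* $1=}"
        value="${value%% *}"
        [ "$value" != "" ] && echo "$value"
    }

    mount -n -t devtmpfs devtmpfs /dev
    mount -n -t proc proc /proc
    #mount -n -t tmpfs run /run
    #mount -m -t sysfs sys /sys

    # adlin.debuginit=<command> runs that command on the console before anything
    # else is set up; left unquoted so a command with arguments can be passed.
    INITDEBUG=$(cmdline adlin.debuginit)
    [ -n "${INITDEBUG}" ] && /bin/busybox cttyhack ${INITDEBUG}

    # Program to hand over to at the end (init= on the kernel command line).
    INITP=$(cmdline init)
    [ -z "$INITP" ] && INITP=/lib/systemd/systemd

    # Enrolment token; may also come from the disk or the console (see below).
    WGTOKEN=$(cmdline adlin.token)

    # Without a persistent root (none given, or root=/dev/sr0, i.e. the CD),
    # skip the overlay entirely and run the real init from the initramfs.
    ROOTFS=$(cmdline root)
    [ -z "$ROOTFS" ] && { echo "No root= provided, continuing on initramfs only."; exec "${INITP}"; }
    [ "$ROOTFS" = "/dev/sr0" ] && { echo "No root= provided, continuing on initramfs only."; exec "${INITP}"; }

    # First boot (root device does not exist yet) or adlin.alwaysformat= set:
    # partition the disk named by adlin.format= and create an ext4 filesystem
    # on its first partition. This wipes that disk.
    # NOTE: the partition name is built as "<disk>1", which only matches
    # sdX-style devices (nvme/mmc use "<disk>p1").
    [ -b "$ROOTFS" -a -z "$(cmdline adlin.alwaysformat)" ] || {
        FORMATDD=$(cmdline adlin.format)
        [ -b "$FORMATDD" ] && { echo "o\nn\np\n1\n\n\np\nw\nq\n" | fdisk "${FORMATDD}" && mkfs.ext4 -q "$FORMATDD"1; }
        [ -b "$ROOTFS" ] || { echo "Invalid provided rootfs: not a valid block device."; exit 1; }
    }

    # Overlay layout (all under a tmpfs so nothing is written to the initramfs):
    #   robase   - read-only bind mount of the image root (lower layer)
    #   rwdata   - the persistent disk (holds the upper and work dirs)
    #   combined - the merged view that becomes the new /
    mkdir -p /overlay
    /bin/mount -n -t tmpfs none /overlay
    /bin/mkdir -p /overlay/rwdata
    /bin/mkdir -p /overlay/robase
    /bin/mkdir -p /overlay/combined
    /bin/mount --bind / /overlay/robase

    ovr_rwdata=/overlay/rwdata
    ovr_robase=/overlay/robase
    ovr_combined=/overlay/combined

    # Prepare filesystem for local data storage...
    /bin/mkdir -p ${ovr_rwdata}
    /bin/mount -n "${ROOTFS}" ${ovr_rwdata} || { echo "Unable to mount rootfs."; exit 2; }
    mkdir -p ${ovr_rwdata}/data
    mkdir -p ${ovr_rwdata}/work
    /bin/mount -n -t overlay -o upperdir=${ovr_rwdata}/data,workdir=${ovr_rwdata}/work,lowerdir=${ovr_robase} overlay ${ovr_combined} || { echo "Unable to create overlayfs."; exit 3; }

    # Move the two layers inside the merged tree so they stay reachable after
    # the switch, then make the merged tree the root. Every relative path from
    # here on (etc/..., root/...) refers to the new root.
    /bin/mkdir -p ${ovr_combined}/overlay/rwdata
    /bin/mount -n --move ${ovr_rwdata} ${ovr_combined}/overlay/rwdata
    /bin/mkdir -p ${ovr_combined}/overlay/robase
    /bin/mount -n --move ${ovr_robase} ${ovr_combined}/overlay/robase
    /bin/mkdir -p ${ovr_combined}/overlay/pivot
    cd ${ovr_combined}
    mount --move /dev dev
    mount --move /proc proc
    mount --move . /
    /bin/umount -n /overlay

    # Local hook: a script stored on the persistent disk is sourced as root.
    [ -f "etc/adlin.init" ] && source etc/adlin.init

    # Setting up wireguard tunnel
    # Token lookup order: kernel command line, then the copy saved on disk by a
    # previous boot, then the console.
    [ -z "${WGTOKEN}" ] && [ -f "etc/adlin.token" ] && WGTOKEN=$(cat etc/adlin.token)
    [ -z "${WGTOKEN}" ] && {
        echo
        echo -n "You didn't define your token to connect the network. Please copy it here now: "
        read WGTOKEN
    }

    # Bring up eth0 (loading the e1000 driver if it is not there yet), disable
    # IPv6 autoconf on it, and get an IPv4 lease.
    /bin/ip link set up dev eth0 || { /sbin/modprobe e1000; /bin/ip link set up dev eth0; }
    /sbin/sysctl -w net.ipv6.conf.eth0.autoconf=0
    /bin/busybox udhcpc -n -q

    # Reuse the private key from a previous boot if one was saved, otherwise
    # generate a new key pair.
    [ -f "etc/wireguard/adlin.conf" ] && WGPRVKEY=$(sed 's/^.*PrivateKey *= *//p;d' etc/wireguard/adlin.conf)
    [ -z "${WGPRVKEY}" ] && WGPRVKEY=$(/usr/bin/wg genkey)
    WGPUBKEY=$(echo "$WGPRVKEY" | /usr/bin/wg pubkey)

    # The config file holds the private key: make it readable by root only,
    # whether it is created now or was left with a looser mode by an earlier
    # boot (a plain redirection would create it with the default umask).
    touch etc/wireguard/adlin.conf && chmod 600 etc/wireguard/adlin.conf

    # Register the public key with the lab API and append the returned peer
    # section to the config. Only the SHA-512 hex digest of the token is sent,
    # as the URL path. On failure, drop to a rescue shell and retry on exit.
    while ! { echo "[Interface]\nPrivateKey = ${WGPRVKEY}"; /usr/sbin/chroot . /usr/bin/curl -f -d '{"pubkey": "'$WGPUBKEY'"}' https://adlin.nemunai.re/api/wg/$(echo -n "$WGTOKEN" | /usr/bin/sha512sum | /usr/bin/cut -d ' ' -f 1); } > etc/wireguard/adlin.conf
    do
        echo ""
        echo "****************************************"
        echo "******* SWITCHING TO RESCUE MODE *******"
        echo "****************************************"
        echo ""
        echo "Sorry, I was unable to establish a connection to adlin.nemunai.re."
        echo "Please verify that your primary network interface can obtain an IPv4 through DHCP."
        echo ""
        echo "If curl report a 400 error, then you probably mistyped the token, you should reboot now."
        echo ""
        echo "Dropping to a shell, please fix your network, then press Ctrl+D or exit to retry."
        echo ""
        echo "****************************************"
        echo ""
        /bin/busybox cttyhack /usr/sbin/chroot . /bin/sh
        echo "Retrying connection..."
    done

    # Persist the token for the next boot; it identifies this VM to the API,
    # so keep it root-only like the key.
    echo -n "${WGTOKEN}" > etc/adlin.token
    chmod 600 etc/adlin.token

    # MyIPv6=/GWIPv6=/MyLogin= are extra values the server puts in the returned
    # config; presumably they are on comment lines, since the same file is fed
    # to wg setconf — verify against the API.
    /sbin/modprobe wireguard
    /bin/ip link add dev wg0 type wireguard
    /usr/bin/wg setconf wg0 etc/wireguard/adlin.conf
    /bin/ip address add dev wg0 $(sed 's/^.*MyIPv6=//p;d' etc/wireguard/adlin.conf)
    /bin/ip link set up dev wg0
    /bin/ip -6 route del default
    /bin/ip -6 route add default via $(sed 's/^.*GWIPv6=//p;d' etc/wireguard/adlin.conf) pref high

    # Download intermediate fixes
    # Whatever the server returns is executed as root: the only trust anchor is
    # the TLS connection to adlin.nemunai.re (-f keeps an HTTP error page from
    # reaching sh). The header carries the image build time so the server can
    # pick fixes newer than this image.
    curl -s -f -H "X-ADLIN-time: $(stat -c %Y /boot)" https://adlin.nemunai.re/fix-vm2 | sh

    # Retrieve ssh keys
    mkdir -p root/.ssh/
    # Download to a temporary file first: with a direct redirection the shell
    # creates authorized_keys before curl runs, so a failed fetch left an empty
    # file behind and the -f test then skipped the download on every later boot.
    [ -f root/.ssh/authorized_keys ] || {
        if /usr/sbin/chroot . /usr/bin/curl -s -f https://cri.epita.fr/$(sed 's/^.*MyLogin=//p;d' etc/wireguard/adlin.conf).keys > root/.ssh/authorized_keys.tmp; then
            mv root/.ssh/authorized_keys.tmp root/.ssh/authorized_keys
        else
            rm -f root/.ssh/authorized_keys.tmp
        fi
    }
    # Generate host keys once, on the persistent layer.
    [ -f etc/ssh/ssh_host_rsa_key ] || /usr/sbin/chroot . ssh-keygen -A

    # To the user
    exec /usr/sbin/chroot . "${INITP}"
  uid: 0
  gid: 0
  mode: '0755'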
# Debug drop-in for systemd-networkd, kept for troubleshooting.
# - path: etc/systemd/system/systemd-networkd.service.d/10-debug.conf
#   contents: |
#     [Service]
#     Environment=SYSTEMD_LOG_LEVEL=debug
#   uid: 0
#   gid: 0
#   mode: "0644"

# Password database: only root has a password, every other account is locked
# ("*"). The root hash ships inside this file, so anyone with read access to
# the repository or the image can attempt offline guessing against it; change
# the root password at first boot if the VM is reachable beyond the lab.
- path: etc/shadow
  contents: |
    root:$6$dQXVLB.662ob0XJL$wRhh73Q.Z3mBRHhM0rSw96dE0bOFykfIXa2Z2ncu6WVSOpFLdv5J6Br9AHhalO4wwG3xgPqqhvCdEMdroR2r50:18336:0:99999:7:::
    daemon:*:18316:0:99999:7:::
    bin:*:18316:0:99999:7:::
    sys:*:18316:0:99999:7:::
    sync:*:18316:0:99999:7:::
    games:*:18316:0:99999:7:::
    man:*:18316:0:99999:7:::
    lp:*:18316:0:99999:7:::
    mail:*:18316:0:99999:7:::
    news:*:18316:0:99999:7:::
    uucp:*:18316:0:99999:7:::
    proxy:*:18316:0:99999:7:::
    www-data:*:18316:0:99999:7:::
    backup:*:18316:0:99999:7:::
    list:*:18316:0:99999:7:::
    irc:*:18316:0:99999:7:::
    gnats:*:18316:0:99999:7:::
    nobody:*:18316:0:99999:7:::
    _apt:*:18316:0:99999:7:::
    systemd-timesync:*:18333:0:99999:7:::
    systemd-network:*:18333:0:99999:7:::
    systemd-resolve:*:18333:0:99999:7:::
    sshd:*:18333:0:99999:7:::
  uid: 0
  gid: 0
  mode: '0640'
# Organisations whose images LinuxKit requires to be signed (content trust).
trust:
  org:
  - linuxkit
  - library