212 lines
7.1 KiB
YAML
212 lines
7.1 KiB
YAML
kernel:
|
|
image: linuxkit/kernel:4.19.121
|
|
cmdline: "console=tty0 console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.format=/dev/sda quiet"
|
|
|
|
init:
|
|
- nemunaire/adlin-tuto2:a68d5f224331628dc525edf383ec7429dfe001b0
|
|
|
|
files:
|
|
- path: etc/hostname
|
|
contents: |
|
|
adlin2
|
|
uid: 0
|
|
gid: 0
|
|
mode: "0644"
|
|
|
|
- path: etc/resolv.conf
|
|
contents: |
|
|
nameserver 9.9.9.10
|
|
nameserver 1.1.1.1
|
|
uid: 0
|
|
gid: 0
|
|
mode: "0644"
|
|
|
|
- path: etc/systemd/network/49-main.link
|
|
contents: |
|
|
[Match]
|
|
OriginalName=eth0
|
|
[Link]
|
|
Name=eth0
|
|
uid: 0
|
|
gid: 0
|
|
mode: "0644"
|
|
|
|
- path: etc/systemd/network/50-dhcp.network
|
|
contents: |
|
|
[Match]
|
|
Name=eth0
|
|
[Network]
|
|
DHCP=yes
|
|
IPv6AcceptRA=no
|
|
LinkLocalAddressing=no
|
|
uid: 0
|
|
gid: 0
|
|
mode: "0644"
|
|
|
|
- path: init
|
|
contents: |
|
|
#!/bin/sh
|
|
|
|
# /proc/cmdline parser (from Gentoo Wiki)
|
|
cmdline() {
|
|
local value
|
|
value=" $(cat /proc/cmdline) "
|
|
value="${value#* $1=}"
|
|
value="${value%% *}"
|
|
[ "$value" != "" ] && echo "$value"
|
|
}
|
|
|
|
mount -n -t devtmpfs devtmpfs /dev
|
|
mount -n -t proc proc /proc
|
|
#mount -n -t tmpfs run /run
|
|
#mount -m -t sysfs sys /sys
|
|
|
|
INITDEBUG=$(cmdline adlin.debuginit)
|
|
[ -n "${INITDEBUG}" ] && /bin/busybox cttyhack ${INITDEBUG}
|
|
|
|
INITP=$(cmdline init)
|
|
[ -z "$INITP" ] && INITP=/lib/systemd/systemd
|
|
WGTOKEN=$(cmdline adlin.token)
|
|
|
|
|
|
ROOTFS=$(cmdline root)
|
|
[ -z "$ROOTFS" ] && { echo "No root= provided, continuing on initramfs only."; exec "${INITP}"; }
|
|
[ "$ROOTFS" = "/dev/sr0" ] && { echo "No root= provided, continuing on initramfs only."; exec "${INITP}"; }
|
|
[ -b "$ROOTFS" -a -z "$(cmdline adlin.alwaysformat)" ] || {
|
|
FORMATDD=$(cmdline adlin.format)
|
|
[ -b "$FORMATDD" ] && { echo "o\nn\np\n1\n\n\np\nw\nq\n" | fdisk "${FORMATDD}" && mkfs.ext4 -q "$FORMATDD"1; }
|
|
[ -b "$ROOTFS" ] || { echo "Invalid provided rootfs: not a valid block device."; exit 1; }
|
|
}
|
|
|
|
|
|
mkdir -p /overlay
|
|
/bin/mount -n -t tmpfs none /overlay
|
|
/bin/mkdir -p /overlay/rwdata
|
|
/bin/mkdir -p /overlay/robase
|
|
/bin/mkdir -p /overlay/combined
|
|
/bin/mount --bind / /overlay/robase
|
|
|
|
ovr_rwdata=/overlay/rwdata
|
|
ovr_robase=/overlay/robase
|
|
ovr_combined=/overlay/combined
|
|
|
|
# Prepare filesystem for local data storage...
|
|
/bin/mkdir -p ${ovr_rwdata}
|
|
/bin/mount -n "${ROOTFS}" ${ovr_rwdata} || { echo "Unable to mount rootfs."; exit 2; }
|
|
|
|
mkdir -p ${ovr_rwdata}/data
|
|
mkdir -p ${ovr_rwdata}/work
|
|
/bin/mount -n -t overlay -o upperdir=${ovr_rwdata}/data,workdir=${ovr_rwdata}/work,lowerdir=${ovr_robase} overlay ${ovr_combined} || { echo "Unable to create overlayfs."; exit 3; }
|
|
|
|
/bin/mkdir -p ${ovr_combined}/overlay/rwdata
|
|
/bin/mount -n --move ${ovr_rwdata} ${ovr_combined}/overlay/rwdata
|
|
/bin/mkdir -p ${ovr_combined}/overlay/robase
|
|
/bin/mount -n --move ${ovr_robase} ${ovr_combined}/overlay/robase
|
|
/bin/mkdir -p ${ovr_combined}/overlay/pivot
|
|
|
|
cd ${ovr_combined}
|
|
|
|
mount --move /dev dev
|
|
mount --move /proc proc
|
|
mount --move . /
|
|
/bin/umount -n /overlay
|
|
|
|
[ -f "etc/adlin.init" ] && source etc/adlin.init
|
|
|
|
# Setting up wireguard tunnel
|
|
[ -z "${WGTOKEN}" ] && [ -f "etc/adlin.token" ] && WGTOKEN=$(cat etc/adlin.token)
|
|
[ -z "${WGTOKEN}" ] && {
|
|
echo
|
|
echo -n "You didn't define your token to connect the network. Please copy it here now: "
|
|
read WGTOKEN
|
|
}
|
|
/bin/ip link set up dev eth0 || { /sbin/modprobe e1000; /bin/ip link set up dev eth0; }
|
|
/sbin/sysctl -w net.ipv6.conf.eth0.autoconf=0
|
|
/bin/busybox udhcpc -n -q
|
|
[ -f "etc/wireguard/adlin.conf" ] && WGPRVKEY=$(sed 's/^.*PrivateKey *= *//p;d' etc/wireguard/adlin.conf)
|
|
[ -z "${WGPRVKEY}" ] && WGPRVKEY=$(/usr/bin/wg genkey)
|
|
WGPUBKEY=$(echo $WGPRVKEY | /usr/bin/wg pubkey)
|
|
while ! { echo "[Interface]\nPrivateKey = ${WGPRVKEY}"; /usr/sbin/chroot . /usr/bin/curl -f -d '{"pubkey": "'$WGPUBKEY'"}' https://adlin.nemunai.re/api/wg/$(echo -n "$WGTOKEN" | /usr/bin/sha512sum | /usr/bin/cut -d ' ' -f 1); } > etc/wireguard/adlin.conf
|
|
do
|
|
echo ""
|
|
echo "****************************************"
|
|
echo "******* SWITCHING TO RESCUE MODE *******"
|
|
echo "****************************************"
|
|
echo ""
|
|
echo "Sorry, I was unable to establish a connection to adlin.nemunai.re."
|
|
echo "Please verify that your primary network interface can obtain an IPv4 through DHCP."
|
|
echo ""
|
|
echo "If curl report a 400 error, then you probably mistyped the token, you should reboot now."
|
|
echo ""
|
|
echo "Dropping to a shell, please fix your network, then press Ctrl+D or exit to retry."
|
|
echo ""
|
|
echo "****************************************"
|
|
echo ""
|
|
/bin/busybox cttyhack /usr/sbin/chroot . /bin/sh
|
|
echo "Retrying connection..."
|
|
done
|
|
echo -n "${WGTOKEN}" > etc/adlin.token
|
|
/sbin/modprobe wireguard
|
|
/bin/ip link add dev wg0 type wireguard
|
|
/usr/bin/wg setconf wg0 etc/wireguard/adlin.conf
|
|
/bin/ip address add dev wg0 $(sed 's/^.*MyIPv6=//p;d' etc/wireguard/adlin.conf)
|
|
/bin/ip link set up dev wg0
|
|
/bin/ip -6 route del default
|
|
/bin/ip -6 route add default via $(sed 's/^.*GWIPv6=//p;d' etc/wireguard/adlin.conf) pref high
|
|
|
|
# Download intermediate fixes
|
|
curl -s -f -H "X-ADLIN-time: $(stat -c %Y /boot)" https://adlin.nemunai.re/fix-vm2 | sh
|
|
|
|
# Retrieve ssh keys
|
|
mkdir -p root/.ssh/
|
|
[ -f root/.ssh/authorized_keys ] || /usr/sbin/chroot . /usr/bin/curl -s -f https://cri.epita.fr/$(sed 's/^.*MyLogin=//p;d' etc/wireguard/adlin.conf).keys > root/.ssh/authorized_keys
|
|
[ -f etc/ssh/ssh_host_rsa_key ] || /usr/sbin/chroot . ssh-keygen -A
|
|
|
|
# To the user
|
|
exec /usr/sbin/chroot . "${INITP}"
|
|
uid: 0
|
|
gid: 0
|
|
mode: "0755"
|
|
|
|
# - path: etc/systemd/system/systemd-networkd.service.d/10-debug.conf
|
|
# contents: |
|
|
# [Service]
|
|
# Environment=SYSTEMD_LOG_LEVEL=debug
|
|
# uid: 0
|
|
# gid: 0
|
|
# mode: "0644"
|
|
|
|
- path: etc/shadow
|
|
contents: |
|
|
root:$6$dQXVLB.662ob0XJL$wRhh73Q.Z3mBRHhM0rSw96dE0bOFykfIXa2Z2ncu6WVSOpFLdv5J6Br9AHhalO4wwG3xgPqqhvCdEMdroR2r50:18336:0:99999:7:::
|
|
daemon:*:18316:0:99999:7:::
|
|
bin:*:18316:0:99999:7:::
|
|
sys:*:18316:0:99999:7:::
|
|
sync:*:18316:0:99999:7:::
|
|
games:*:18316:0:99999:7:::
|
|
man:*:18316:0:99999:7:::
|
|
lp:*:18316:0:99999:7:::
|
|
mail:*:18316:0:99999:7:::
|
|
news:*:18316:0:99999:7:::
|
|
uucp:*:18316:0:99999:7:::
|
|
proxy:*:18316:0:99999:7:::
|
|
www-data:*:18316:0:99999:7:::
|
|
backup:*:18316:0:99999:7:::
|
|
list:*:18316:0:99999:7:::
|
|
irc:*:18316:0:99999:7:::
|
|
gnats:*:18316:0:99999:7:::
|
|
nobody:*:18316:0:99999:7:::
|
|
_apt:*:18316:0:99999:7:::
|
|
systemd-timesync:*:18333:0:99999:7:::
|
|
systemd-network:*:18333:0:99999:7:::
|
|
systemd-resolve:*:18333:0:99999:7:::
|
|
sshd:*:18333:0:99999:7:::
|
|
uid: 0
|
|
gid: 0
|
|
mode: "0640"
|
|
|
|
trust:
|
|
org:
|
|
- linuxkit
|
|
- library
|