Bump ossf/scorecard-action from 2.1.2 to 2.1.3

.dockerignore

@@ -2,3 +2,4 @@
 .tmp/
 output/
 cache/
+userpatches/

.github/workflows/scorecard.yml

@@ -31,7 +31,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v1.1.1
+        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v1.1.1
         with:
           results_file: results.sarif
           results_format: sarif

.gitignore

@@ -2,9 +2,6 @@
 /.vagrant/
 ubuntu-*-cloudimg-console.log
 
-### to ignore changes in a working copy
-.ignore_changes
-
 ### compile configurations added by users
 /config-*.conf
 ### but not default (supplied) files
@@ -15,8 +12,6 @@ ubuntu-*-cloudimg-console.log
 /.tmp/
 /output/
 /cache/
-/*userpatches*/
-/userpatches
 
 ### General annoyances ###
 .DS_Store

btcpay-build.sh

@@ -0,0 +1,171 @@
+#!/bin/bash
+
+set -e
+
+HELP=true
+DEPLOY=false
+BUILD=false
+UPDATE=false
+DEPLOY_ON=""
+BOARD=""
+PROD=false
+while (( "$#" )); do
+  case "$1" in
+    deploy)
+      HELP=false
+      DEPLOY=true
+      shift 1
+      ;;
+    build)
+      BUILD=true
+      HELP=false
+      shift 1
+      ;;
+    update)
+      BUILD=true
+      UPDATE=true
+      HELP=false
+      shift 1
+      ;;
+    --production)
+        PROD=true
+        shift 1
+        ;;
+    --help)
+        HELP=true
+        shift 1
+        ;;
+    --deploy-on)
+        DEPLOY_ON="$2"
+        shift 2
+        ;;
+    --board)
+        BOARD="$2"
+        shift 2
+        ;;
+    --) # end argument parsing
+      shift
+      break
+      ;;
+    -*|--*=) # unsupported flags
+      echo "Error: Unsupported flag $1" >&2
+      exit 1
+      ;;
+    *) # preserve positional arguments
+      PARAMS="$PARAMS $1"
+      shift
+      ;;
+  esac
+done
+
+
+if $HELP; then cat <<-END
+Usage:
+------
+
+Build, update or deploy the armbian image
+
+    build: Build the kernel, u-boot and create the hack0 image
+    update: Create the hack0 image without rebuilding the kernel and u-book
+    deploy: Deploy the last built image on the --deploy-device
+    --deploy-on /dev/sda: Flash the image on the device /dev/sda
+    --board rock64: Create an image for rock64 (Available: rockpro64, rock64)
+    --production: Create a production image (will ignore build-local.conf)
+    --help: Show this help
+END
+fi
+
+if $BUILD; then
+    if ! [[ "$BOARD" ]]; then
+        echo "The board should be specified with --board (See --help)"
+        exit 1
+    fi
+    BUILD_ARGS="docker BOARD=${BOARD} KERNEL_ONLY=no KERNEL_CONFIGURE=no RELEASE=bullseye BRANCH=current BUILD_DESKTOP=no WIREGUARD=no BUILD_MINIMAL=yes FORCE_USE_RAMDISK=no "
+    if $UPDATE; then
+        BUILD_ARGS="${BUILD_ARGS} CLEAN_LEVEL=oldcache PROGRESS_LOG_TO_FILE=yes"
+    fi
+    pushd . 2>/dev/null
+    rm -f "userpatches/config-docker.conf" "userpatches/Dockerfile"
+    cd "userpatches/overlay"
+    OVERLAY_DIRECTORY="$(pwd)"
+    cd "$OVERLAY_DIRECTORY"
+    source build.conf
+
+    if $PROD; then
+        touch .production
+        echo "Building production image..."
+    else
+        echo "Building debug image..."
+        rm -rf .production
+        [ -f "build-local.conf" ] && source build-local.conf && echo "build-local.conf loaded"
+    fi
+    ! [ -d "btcpayserver-docker" ] && git clone "$BTCPAY_REPOSITORY"
+    cd btcpayserver-docker
+    git checkout "$BTCPAY_BRANCH"
+    git fetch origin
+    if ! git diff --quiet remotes/origin/HEAD || ! [ -f ../docker-images.tar ]; then
+        git pull
+        rm -f ../docker-images.tar
+        . ./build.sh -i
+        cd Generated
+        export BTCPAY_DOCKER_PULL_FLAGS="--platform arm64"
+        # https://github.com/docker/docker-ce/blob/master/components/cli/experimental/README.md
+        # Edit /etc/docker/daemon.json with "experimental": true
+        ./pull-images.sh
+        ./save-images.sh ../../docker-images.tar
+        # Do not mess up the build environment
+        export BTCPAY_DOCKER_PULL_FLAGS=""
+        ./pull-images.sh
+    else
+        echo "docker-images.tar is up to date"
+    fi
+    cd "$OVERLAY_DIRECTORY"
+    if ! [ -f "utxo-snapshot-bitcoin-mainnet-769818.tar" ]; then
+        set +e
+        rm utxo-snapshot-*.tar &> /dev/null
+        set -e
+        wget "http://utxosets.blob.core.windows.net/public/utxo-snapshot-bitcoin-mainnet-769818.tar" -c -q --show-progress
+    fi
+    popd
+
+    # Make sure built images are deleted
+    mkdir -p output/images
+    rm -rf output/images
+
+    time ./compile.sh ${BUILD_ARGS}
+fi
+
+
+if $DEPLOY; then
+    IMAGE="$(echo output/images/*.img)"
+    IMAGE_SHA="$(echo output/images/*.img.sha)"
+    if ! [[ "$IMAGE" ]] || ! [ -f "$IMAGE" ]; then
+        echo "No image were found in output/images"
+        exit 1
+    fi
+    if ! [[ "$DEPLOY_ON" ]]; then
+        echo "The deployment device target should be specified with --deploy-on (See --help)"
+        exit 1
+    fi
+
+    if ! lsblk "$DEPLOY_ON" 2>/dev/null; then
+        echo "Device $DEPLOY_ON is not available"
+        exit 1
+    fi
+
+    echo "Writing image" "$DEPLOY_ON" "info"
+    ifsha=$(cat $IMAGE_SHA | awk '{print $1}')
+
+    [[ -x "$(command -v pv)" ]] || apt-get install -y pv
+
+    pv -p -b -r -c -N "[ .... ] dd" $IMAGE | dd of=$DEPLOY_ON bs=1M iflag=fullblock oflag=direct status=none
+    echo "Verifying. Please wait!"
+    ofsha=$(dd if=$DEPLOY_ON count=$(du -b $IMAGE | cut -f1) status=none iflag=count_bytes oflag=direct | sha256sum | awk '{print $1}')
+
+    if [[ $ifsha == $ofsha ]]; then
+        echo "Writing succeeded" "$IMAGE" "info"
+    else
+        echo "Writing failed" "$IMAGE" "err"
+        exit 1
+    fi
+fi

userpatches/.gitignore

@@ -0,0 +1,7 @@
+Dockerfile
+README
+Vagrantfile
+config-default.conf
+config-docker.conf
+config-example.conf
+config-vagrant.conf

userpatches/README.md

@@ -0,0 +1,88 @@
+# Image customization
+
+## Pre requisite
+
+You need to have docker installed with experimental features enabled:
+
+In your `/etc/docker/daemon.json`, make sure you have
+
+```json
+{
+    "experimental": true
+}
+```
+
+Then reload docker with ```systemctl restart docker```.
+
+## Common workflow
+
+The common development workflow is the following:
+
+1. The first time you build an image for a board, run ```./btcpay-build.sh build --board rockpro64```, this will build the kernel, u-boot and the hack0 image for rockpro64.
+2. Then, if you modify any document in this folder (`userpatches`), you can recreate an image without re-building the kernel and u-boot with ```./btcpay-build.sh update --board rockpro64```
+3. You can also customize the environment variables documented in [BTCPay Server](https://github.com/btcpayserver/btcpayserver-docker) locally by adding them to `overlay/build-local.conf`, this will override [overlay/build.conf](overlay/build.conf) settings. Note that the `build-local.conf` file is ignored when building a production image.
+4. Once you are satisfied with the image you can deploy to the device, for example, assuming your SD card is on `/dev/sdd` you would run ```./btcpay-build.sh deploy --deploy-on /dev/sdd```.
+
+Note that you can run several actions at the same time, for example this will update the image and deploy: ```./btcpay-build.sh update deploy --board rockpro64 --deploy-on /dev/sdd```.
+
+During the first start, hack0 is in `setup mode`, the setup mode will:
+
+1. Format any attached SSD or NVMe disk
+2. Load docker images
+3. Set mount bind so bitcoin's data directory is saved on the SSD/NVMe disk
+4. Deploy a UTXO set snapshot in this directory
+5. Start BTCPay Server, and test if the connectivity works correctly
+6. Stop BTCPay Server and delete data created during the setup mode
+
+For 10 minutes, you will see the red light on and the white light blinking.
+When the red light is off, and the white light stopped blinking and stays on, the setup ran successfully. Unplug the hack0, and the unit is ready to be shipped. The next boot will not run in setup mode.
+
+If the red light does not get off, something failed and the hack0 could not be properly configured and you need to flash again the image on the SD Card.
+
+## Architecture
+
+hack0-armbian is a fork of [armbian](https://github.com/armbian/build) with patches specific to hack0.
+
+Here are what our patches do:
+1. Format any attached SSD or NVMe disk
+2. Load docker images
+3. Set mount bind so bitcoin's data directory is saved on the SSD/NVMe disk
+4. Deploy a UTXO set snapshot in this directory
+5. Setup fan to cool down the processor if it becomes too hot
+6. Setup the btcpay-test which signal when the hack0 is ready to be used.
+7. Setup mDNS so the local domain name `hack0.local` can be used to find your hack0
+
+`btcpay-test` controls two leds (red and white) on the rock64. When starting, the red light is on, and the white led is blinking. Once hack0 is ready to be used, the red light is off and the white led stays on.
+
+## Pre built images
+
+> :warning: When you first boot a prebuilt images, the hack0 will be in  `setup mode`, which will wipe all data in the SSD drive to the board. Please read `Common workflow` section above.
+
+### Version 0.6
+
+Image: https://hack0-image.s3.amazonaws.com/hack0-rockpro64-0.8.img
+
+sha256sum: 5fac50f8083f3349a95b4d38534c223c26f47507a3d30f106d1efe570254cedd
+
+Release date: 8 January 2023
+
+## FAQ
+
+### How can I change the local domain name?
+
+By default the hack0 will be named `hack0.local` on your network.
+If you want to change to `example.local`, add `HACK0_HOSTNAME=example` to `overlay/build-local.conf`.
+
+### How can I configure the image to allow SSH connection with my public key? 
+
+1. Copy your ssh public key in a `overlay/authorized_keys`.
+2. In `overlay/build-local.conf`, add `HACK0_LOAD_AUTHORIZED_KEYS=true`.
+
+### How can I create a production image?
+
+A production image will ignore `overlay/build-local.conf`, just run `./btcpay-build.sh build --production`.
+
+### How to customize the BTCPay Server install
+
+We are setting up BTCPay Server thanks to the [docker install](https://github.com/btcpayserver/btcpayserver-docker).
+You can customize the environment variables documented in [the repository](https://github.com/btcpayserver/btcpayserver-docker) and add them to `overlay/build-local.conf` to customize your installation.

userpatches/customize-image.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+set -e
+
+echo "Running BTCPayServer armbian customization script..."
+
+# Disable ssh password auth
+echo root:root | chpasswd
+sed -i '/PASSWORDAUTHENTICATION/Ic\PasswordAuthentication no' /etc/ssh/sshd_config
+
+export LANG=C LC_ALL="en_US.UTF-8"
+export DEBIAN_FRONTEND=noninteractive
+export APT_LISTCHANGES_FRONTEND=none
+
+OVERLAY="/tmp/overlay"
+DESTINATION="/root"
+
+source "$OVERLAY/build.conf"
+! [ -f "$OVERLAY/.production" ] && [ -f "$OVERLAY/build-local.conf" ] && source "$OVERLAY/build-local.conf"
+
+$SETUP_MODE && touch "$DESTINATION/.setup-mode"
+$SETUP_MODE && $SETUP_CLEANUP && echo "clean" > "$DESTINATION/.setup-mode"
+
+if $HACK0_LOAD_AUTHORIZED_KEYS && [ -f "$OVERLAY/authorized_keys" ]; then
+    mkdir -p "/root/.ssh"
+    cp "$OVERLAY/authorized_keys" "/root/.ssh/authorized_keys"
+    echo "SSH keys copied"
+fi
+
+apt update
+apt upgrade -y
+apt install -y git
+
+# Customize the Motd with hack0 header
+echo "MOTD_DISABLE='header'" >> /etc/default/armbian-motd
+cp -af "$OVERLAY/10-hack0-header" /etc/update-motd.d/
+
+####### Setup BTCPayServer
+# Note that we can't install here because we can't use docker in the chroot
+# Instead, we copy the images in a tar, and we will load them up
+# during the first run.
+cp -af "$OVERLAY/docker-images.tar" "$DESTINATION/docker-images.tar"
+cp -af $OVERLAY/utxo-snapshot-*.tar "$DESTINATION/"
+git clone "$OVERLAY/btcpayserver-docker" "$DESTINATION/btcpayserver-docker"
+cd "$DESTINATION/btcpayserver-docker"
+git remote set-url origin "$BTCPAY_REPOSITORY"
+git checkout "$BTCPAY_BRANCH"
+git pull
+echo "$HACK0_HOSTNAME" > /etc/hostname
+hostname -F /etc/hostname
+BTCPAY_HOST="$HACK0_HOSTNAME.local"
+REVERSEPROXY_DEFAULT_HOST="$BTCPAY_HOST"
+source btcpay-setup.sh --docker-unavailable --install-only --no-startup-register
+# Register btcpay-init
+mkdir -p /opt/btcpay
+cp -af "$OVERLAY/btcpay-init.sh" "/opt/btcpay/"
+cp -af "$OVERLAY/btcpay-init.service" "/etc/systemd/system/"
+systemctl --no-reload enable btcpay-init.service
+
+cp -af "$OVERLAY/btcpay-setup-external-drive.sh" "/opt/btcpay/"
+cp -af "$OVERLAY/btcpay-setup-external-drive.service" "/etc/systemd/system/"
+systemctl --no-reload enable btcpay-setup-external-drive
+
+cp -af "$OVERLAY/fancontrol.sh" "/opt/btcpay/"
+cp -af "$OVERLAY/fancontrol.service" "/etc/systemd/system/"
+systemctl --no-reload enable fancontrol
+
+cp -af "$OVERLAY/btcpay-test.sh" "/opt/btcpay/"
+cp -af "$OVERLAY/btcpay-test.service" "/etc/systemd/system/"
+systemctl --no-reload enable btcpay-test
+
+cp -af "$OVERLAY/btcpay-common.sh" "/opt/btcpay/btcpay-common.sh"
+############
+
+####### Setup WIFI (if supported by the board)
+if [[ "$WIFI_SSID" ]]; then
+    rm -f /boot/armbian_first_run.txt.template
+    echo "FR_net_change_defaults=1
+FR_net_wifi_enabled=1
+FR_net_wifi_ssid='$WIFI_SSID'
+FR_net_wifi_key='$WIFI_PW'
+FR_general_delete_this_file_after_completion=1" > /boot/armbian_first_run.txt
+fi
+#######
+
+#### Without this, port 53 (DNS) is taken by the OS and pihole can't work
+
+sed -r -i 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
+
+####### Setup mdns
+adduser --system --group          --disabled-login --home /var/run/avahi-daemon   avahi
+apt install -y openssl net-tools fio libnss-mdns \
+                avahi-daemon avahi-discover avahi-utils \
+                fail2ban acl ifmetric
+sed -i '/PUBLISH-WORKSTATION/Ic\publish-workstation=yes' /etc/avahi/avahi-daemon.conf
+#######
+