initial configuration templates

.gitignore

@@ -0,0 +1,9 @@
+
+# user configurations
+*.env
+!example.env
+
+# generated files
+combustion/config
+files/etc/ssh/sshd_config.d/sshd_server.conf
+files/*.pub

combustion/modules/install

@@ -0,0 +1,10 @@
+#!/usr/bin/env sh
+
+echo "         ... installing packages"
+
+if [ -z "$combustion_install_packages" ]; then
+  exit 0
+fi
+
+# no-op for now
+# todo detect package manager and install packages

combustion/modules/install_zypper

@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+
+echo "         ... zypper install"
+
+# todo: possibly check for package managers?
+
+zypper install -y --auto-agree-with-product-licenses $combustion_install_packages

combustion/modules/upgrade

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+
+# no-op
+# todo: detect package manager and run that

combustion/modules/upgrade_zypper

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+
+echo "         ... dist upgrade"
+zypper --no-cd dup -y --auto-agree-with-product-licenses

combustion/script

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# combustion: network
+
+if [ -z "$TTY" ]; then
+  TTY=/dev/tty0
+  echo "TTY was not set, use $TTY" >> "$TTY"
+fi
+
+echo "Combusting..." >> "$TTY"
+
+if ! [ -f config ]; then
+  echo "[combustion] script: missing config file" >> "$TTY"
+  exit 1
+fi
+
+#set -a # automatically export all variables
+source config
+#set +a
+
+## Mount /var and /home so user can be created smoothly
+# (already mounted via igniton)
+#mount /var
+#mount /home
+
+for module in $modules; do
+  echo "[combustion] Running module $module ..." >> "$TTY"
+  "./modules/$module" >> "$TTY"
+  echo "[combustion] Module $module done." >> "$TTY"
+done
+
+## Clear up mounts
+#umount /var
+#umount /home
+
+echo "Combustion done" >> "$TTY"

example.env

@@ -0,0 +1,11 @@
+ign_hostname=
+ign_user=
+# hash, created with e.g. `mkpasswd --method=yescrypt` from the whois package or `openssl passwd -6`
+ign_password_hash=''
+ign_ssh_public_key_location=
+ign_sshd_port=
+
+combustion_script_modules=""
+combustion_install_packages=""
+
+combustion_ntfy_topic=

files/etc/ssh/sshd_config.d/port_forwarding.conf

@@ -0,0 +1,9 @@
+AllowStreamLocalForwarding yes
+AllowTcpForwarding yes
+PermitTunnel yes
+MaxSessions 64
+
+PrintLastLog yes
+
+StreamLocalBindUnlink yes
+GatewayPorts yes

files/etc/ssh/sshd_config.d/security.conf

@@ -0,0 +1,14 @@
+# Check if the file modes and ownership of the user’s files and
+# home directory are correct before allowing them to login
+StrictModes yes
+
+# Disable password authentication and allow only public key authentication
+# for all users
+PasswordAuthentication no
+PermitRootLogin no
+
+# Length of time the server waits for a user to log in and complete the
+# connection. The default is 120 seconds:
+LoginGraceTime 60
+# Limit the number of failed connection attempts. The default is 6
+MaxAuthTries 4

files/firstbootreboot.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=First Boot Reboot
+
+[Service]
+Type=oneshot
+ExecStart=rm /etc/systemd/system/firstbootreboot.service
+ExecStart=rm /etc/systemd/system/default.target.wants/firstbootreboot.service
+ExecStart=systemctl reboot
+
+[Install]
+WantedBy=default.target

generate-ignition.sh

@@ -0,0 +1,66 @@
+#!/usr/bin/env sh
+
+# determine butane binary
+if [ -z "$ign_butane_bin" ]; then
+  if command -v butane &> /dev/null; then
+    ign_butane_bin=$(command -v butane)
+  elif command -v podman &> /dev/null; then
+    ign_butane_bin="podman run -i --rm --volume ${PWD}:/pwd --workdir /pwd --security-opt label=disable quay.io/coreos/butane:release"
+  elif command -v docker &> /dev/null; then
+    ign_butane_bin="docker run -i --rm --volume ${PWD}:/pwd --workdir /pwd --security-opt label=disable quay.io/coreos/butane:release"
+  else
+    echo "ign_butane_bin is not set and could not find a butane or podman/docker binary."
+    exit 1
+  fi
+fi
+
+if ! command -v envsubst &> /dev/null; then
+  echo "envsubst from the gettext package required for env substitute is missing. Aborting..."
+  exit 1
+fi
+
+# go through required env vars and ask for value if not set
+if [ -z "${ign_hostname}" ]; then
+  read -p "ign_hostname is not set. Set value: " ign_hostname
+  export ign_hostname
+fi
+
+if [ -z "${ign_user}" ]; then
+  read -p "ign_user is not set. Set value: " ign_user
+  export ign_user
+fi
+
+if [ -z "$ign_password_hash" ]; then
+  echo "No password hash set in ign_password_hash - generating a new one?"
+  if command -v mkpasswd &> /dev/null; then
+    export ign_password_hash=$(mkpasswd --method=yescrypt)
+  elif command -v openssl &> /dev/null; then
+    export ign_password_hash=$(openssl passwd -6)
+  else
+    echo "Neither mkpasswd nor openssl found for generating a password. Exiting."
+    exit 1
+  fi
+fi
+
+if [ -z "$ign_ssh_public_key" ]; then
+  if [ -z "${ign_ssh_public_key_location}" ]; then
+    read -p "ign_ssh_public_key_location is not set. Set value: " ign_ssh_public_key_location
+  fi
+  export ign_ssh_public_key=$(cat "$ign_ssh_public_key_location")
+fi
+
+
+printf "\n---------\nUsing the following configuration:\n\n"
+env | grep ign_
+printf "\n---------\n"
+read -p "Continue with this configuration? [Y/n] " confirmation
+case $confirmation in
+  Y|y|'') echo ;;
+  *) echo "Aborted..." ; exit 0 ;;
+esac
+
+envsubst <templates/sshd_server.conf '$ign_sshd_port $ign_user' >files/etc/ssh/sshd_config.d/sshd_server.conf
+
+# substitute these variables via sed and feed it into butane
+envsubst <templates/ignition.yaml '$ign_hostname $ign_user $ign_password_hash $ign_ssh_public_key' \
+  | $ign_butane_bin --pretty --strict --files-dir=files >ignition/config.ign

ignition/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

templates/combustion.conf

@@ -0,0 +1,4 @@
+combustion_script_modules="$combustion_script_modules"
+combustion_install_packages="$combustion_install_packages"
+
+NTFY_TOPIC="$compustion_ntfy_topic"

templates/ignition.yaml

@@ -0,0 +1,43 @@
+variant: fcos
+version: 1.5.0
+
+storage:
+  filesystems:
+    - path: /home
+      device: /dev/disk/by-label/ROOT
+      format: btrfs
+      wipe_filesystem: false
+      mount_options:
+       - "subvol=/@/home"
+    # var is mounted by default: https://en.opensuse.org/Portal:MicroOS/Ignition#Mounts
+  trees:
+    - local: etc
+      path: /etc
+  files:
+    - path: /etc/hostname
+      mode: 0644
+      overwrite: true
+      contents:
+        inline: "$ign_hostname"
+    - path: /etc/sudoers.d/$ign_user
+      mode: 0644
+      overwrite: true
+      contents:
+        inline: "$ign_user ALL=(ALL) ALL" # NOPASSWD: ALL
+
+systemd:
+  units:
+    - name: firstbootreboot.service
+      enabled: true
+      contents_local: firstbootreboot.service
+
+passwd:
+  users:
+    - name: $ign_user
+      # hash, created with e.g. `openssl passwd -6` or `mkpasswd --method=yescrypt` from the whois package
+      password_hash: "$ign_password_hash"
+      ssh_authorized_keys:
+        - "$ign_ssh_public_key"
+      # ssh_authorized_keys_local:
+      #  - $ign_ssh_public_key_location
+

templates/sshd_server.conf

@@ -0,0 +1,5 @@
+# alternative port than the default 22, to avoid most scrape attempts
+Port $ign_sshd_port
+
+# allow only the following users to login
+AllowUsers $ign_user