diff --git a/autoprovision.ks b/autoprovision.ks
new file mode 100644
index 0000000..9727a9b
--- /dev/null
+++ b/autoprovision.ks
@@ -0,0 +1,69 @@
+%post
+cat > /root/.ssh/authorized_keys < /usr/local/libexec/notify-online.sh <<'EOF'
+#!/bin/sh
+
+set -- \
+ -F "hostname=$(hostname -f)" \
+ -F 'sshkeys=<-;type=text/plain'
+
+fw_cfg=/sys/firmware/qemu_fw_cfg/by_name/opt/dch/cfg-branch/raw
+if [ -r "${fw_cfg}" ]; then
+ set -- "$@" -F branch="$(cat "${fw_cfg}")"
+fi
+
+cat /etc/ssh/ssh_host_*_key.pub \
+| curl -fsS https://webhooks.pyrocufflink.blue/host/online "$@"
+EOF
+chmod +x /usr/local/libexec/notify-online.sh
+
+cat > /etc/systemd/system/notify-online.service <<'EOF'
+[Unit]
+Description=Notify infrastructure services that this host is online
+ConditionFirstBoot=yes
+After=sshd.service
+After=network-online.target
+Wants=network-online.target
+After=systemd-user-sessions.service
+
+[Service]
+Type=exec
+ExecStart=/usr/local/libexec/notify-online.sh
+# Must run as root in order to read QEMU fw_config, so enable maximum
+# sandbox restrictions.
+CapabilityBoundingSet=
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl enable --no-reload notify-online.service
+%end
diff --git a/fedora.ks b/fedora.ks
index ea5a103..14ee449 100644
--- a/fedora.ks
+++ b/fedora.ks
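Review bot: The write to `/root/.ssh/authorized_keys` at the top of %post fails with "No such file or directory" unless `/root/.ssh` already exists at that point in the install, and nothing in the hunk creates it; add `mkdir -p -m 0700 /root/.ssh` before the `cat >` and `chmod 0600 /root/.ssh/authorized_keys` after it. That line is also garbled in this rendering (the hunk header counts 69 lines but fewer are visible), so the heredoc with the key material itself could not be reviewed. In notify-online.sh, `-F "hostname=..."` and `-F branch="..."` let curl treat a value beginning with `@` or `<`, or containing `;type=`, as a file reference or option rather than a literal; use `--form-string hostname="$(hostname -f)"` and `--form-string branch="$(cat "${fw_cfg}")"` for those two, keeping `-F` only for the `sshkeys=<-` upload. The unit is gated on ConditionFirstBoot=yes, so a single failed POST (for example the webhook not yet reachable when network-online.target is reached) is never retried; `curl -fsS --retry 5 --retry-connrefused` would cover the common transient cases.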
@@ -13,3 +13,5 @@ reqpart
 %packages
 qemu-guest-agent
 %end
+
+%include https://git.pyrocufflink.net/infra/kickstart/raw/branch/master/autoprovision.ks
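Review bot: The new `%include` pulls the fragment from the `master` branch at install time, so every installation executes whatever is on that branch at that moment, including the root authorized_keys and the first-boot hook it installs; pinning the URL to a tag or commit would make installs reproducible and turn a change to the fragment into an explicit, reviewable edit here. The fetch also relies on the installer environment trusting the certificate for git.pyrocufflink.net, which is presumably already the case since fedora.ks is served from the same host.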