Initial commit

2024-01-25 07:47:14 -06:00 · 2024-01-25 07:47:14 -06:00 · 05577b5c91
commit 05577b5c91
9 changed files with 182 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,6 @@
 authorized_keys
 entries/
 entries.tar
 *.img
 *.raw
 *.raw.xz
--- a/README.md
+++ b/README.md
@ -0,0 +1,38 @@
 # Serial Pi
 Download and extract Fedora Minimal image:
 ```sh
 curl -fLO 'https://dl.fedoraproject.org/pub/fedora-secondary/releases/39/Spins/aarch64/images/Fedora-Minimal-39-1.5.aarch64.raw.xz'
 unxz Fedora-Minimal-39-1.5.aarch64.raw.xz
 ```
 Resize the disk to match the SD card:
 ```sh
 truncate -s $((31291392 * 512)) serialpi.img
 virt-resize --expand /dev/sda3 --no-expand-content Fedora-Minimal-39-1.5.aarch64.raw serialpi.img
 ```
 The `--no-expand-content` argument is necessary because otherwise,
 `virt-resize` fails with an error, as the ext4 filesystem in the image uses
 features it does not support.
 Populate `authorized_keys`:
 ```sh
 cp ~/.ssh/id_ed25519_sk.pub authorized_keys
 ```
 Customize with `guestfish`:
 ```sh
 guestfish -a serialpi.img -f customize.guestfish
 ```
 Write image to SD card:
 ```sh
 pv serialpi.img | dd of=/dev/disk/by-id/usb-Generic_STORAGE_DEVICE_000000001206-0:0 bs=1M oflag=sync conv=sparse
 ```
--- a/chrony-wait.service
+++ b/chrony-wait.service
@ -0,0 +1,47 @@
 [Unit]
 Description=Wait for chrony to synchronize system clock
 Documentation=man:chronyc(1)
 After=chrony.service chronyd.service
 After=network-online.target
 Before=time-sync.target
 Wants=time-sync.target
 Wants=network-online.target
 [Service]
 Type=oneshot
 # Wait for chronyd to update the clock and the remaining
 # correction to be less than 0.1 seconds
 ExecStart=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1
 TimeoutStartSec=5m
 RemainAfterExit=yes
 StandardOutput=null
 CapabilityBoundingSet=
 DevicePolicy=closed
 DynamicUser=yes
 IPAddressAllow=localhost
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 PrivateDevices=yes
 PrivateUsers=yes
 ProcSubset=pid
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectProc=invisible
 ProtectSystem=strict
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@privileged @resources
 UMask=0777
 [Install]
 WantedBy=time-sync.target
--- a/customize.guestfish
+++ b/customize.guestfish
@ -0,0 +1,40 @@
 #/usr/bin/guestfish -f
 run
 mount /dev/sda3 /
 mount /dev/sda2 /boot
 mount /dev/sda1 /boot/efi
 !rm -rf entries
 !mkdir entries
 tar-out /boot/loader/entries - | tar -C entries -x
 !sed -i '/options/s/\bro\b/rw/' entries/*.conf
 !tar -cf entries.tar -C entries .
 tar-in entries.tar /boot/loader/entries
 !rm -rf entries.tar entries
 write-append /boot/efi/config.txt dtoverlay=disable-bt
 write-append /boot/efi/config.txt dtoverlay=disable-wifi
 write /etc/hostname serial1.pyrocufflink.blue
 write /etc/machine-id uninitialized
 write /etc/sysconfig/ssh-host-cert-sign SSHCA_SERVER=https://sshca.pyrocufflink.blue
 upload ssh-host-certificate.conf /etc/ssh/sshd_config.d/10-hostcertificate.conf
 upload authorized_keys /root/.ssh/authorized_keys
 rm-f /etc/systemd/system/multi-user.target.wants/initial-setup.service
 mkdir-p /etc/systemd/system-preset
 upload serialpi.preset /etc/systemd/system-preset/50-serialpi.preset
 upload chrony-wait.service /etc/systemd/system/chrony-wait.service
 mkdir-p /etc/systemd/system/time-sync.target.wants
 upload dch.repo /etc/yum.repos.d/dch.repo
 upload dch-firstboot.sh /usr/local/libexec/dch-firstboot.sh
 chmod 0755 /usr/local/libexec/dch-firstboot.sh
 upload dch-firstboot.service /etc/systemd/system/dch-firstboot.service
 selinux-relabel /etc/selinux/targeted/contexts/files/file_contexts /
--- a/dch-firstboot.service
+++ b/dch-firstboot.service
@ -0,0 +1,16 @@
 [Unit]
 After=network-online.target
 Wants=network-online.target
 Wants=time-sync.target
 After=time-sync.target
 Wants=systemd-growfs-root.service
 After=systemd-growfs-root.service
 [Service]
 Type=idle
 ExecStart=/usr/local/libexec/dch-firstboot.sh
 ExecStartPost=-/usr/bin/systemctl disable %n
 StandardOutput=journal+console
 [Install]
 WantedBy=multi-user.target
--- a/dch-firstboot.sh
+++ b/dch-firstboot.sh
@ -0,0 +1,15 @@
 #!/bin/sh
 dnf install -y \
 	picocom \
 	sshca-cli-systemd \
 	tmux \
 	&& :
 systemctl enable --now ssh-host-certs-renew.timer
 systemctl start ssh-host-certs.target
 useradd -G dialout,wheel dustin
 install -o dustin -g dustin -m u=rwx,go= -d ~dustin/.ssh
 cp ~root/.ssh/authorized_keys ~dustin/.ssh/authorized_keys
--- a/dch.repo
+++ b/dch.repo
@ -0,0 +1,6 @@
 [dch]
 name=DCH - Fedora $releasever
 baseurl=https://files.pyrocufflink.blue/yum/dch/fedora/$releasever
 gpgkey=https://files.pyrocufflink.blue/yum/dch/gnupg.pub
 gpgcheck=1
 skip_if_unavailable=true
--- a/serialpi.preset
+++ b/serialpi.preset
@ -0,0 +1,11 @@
 enable dch-firstboot.service
 enable chrony-wait.service
 disable pcscd.socket
 disable sssd-kcm.socket
 disable systemd-homed.service
 disable systemd-userdbd.*
 disable udisks2.service
 disable dnf-makecache.timer
--- a/ssh-host-certificate.conf
+++ b/ssh-host-certificate.conf
@ -0,0 +1,3 @@
 HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
 HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
 HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub