Created
May 27, 2022 20:59
-
-
Save tavianator/6b00355cedae0b2ceb338e43ce8e5c1a to your computer and use it in GitHub Desktop.
Remote access mkinitcpio hook
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| add_user() { | |
| getent passwd "$1" >>"$BUILDROOT/etc/passwd" | |
| getent shadow "$1" >>"$BUILDROOT/etc/shadow" | |
| getent group "$(id -Gn "$1")" >>"$BUILDROOT/etc/group" | |
| } | |
| build() { | |
| add_systemd_unit cryptsetup-pre.target | |
| # Add systemd-networkd.service and enable it | |
| add_systemd_unit systemd-networkd.service | |
| add_symlink /etc/systemd/system/sysinit.target.wants/systemd-networkd.service \ | |
| /usr/lib/systemd/system/systemd-networkd.service | |
| # Copy the host configuration | |
| add_full_dir /etc/systemd/network | |
| # Add the necessary modules | |
| add_checked_modules /drivers/net | |
| add_module bridge | |
| # Add the networking user | |
| add_user systemd-network | |
| # Add tailscaled.service and enable it | |
| add_systemd_unit tailscaled.service | |
| add_systemd_unit tailscaled.socket | |
| add_symlink /etc/systemd/system/sysinit.target.wants/tailscaled.service \ | |
| /usr/lib/systemd/system/tailscaled.service | |
| # Force tailscale to start early | |
| add_systemd_drop_in tailscaled.service order <<EOF | |
| [Unit] | |
| Wants=cryptsetup-pre.target | |
| Before=cryptsetup-pre.target | |
| DefaultDependencies=no | |
| EOF | |
| # Add tun | |
| add_module tun | |
| # Add iptables | |
| map add_binary ip{,6}tables | |
| add_full_dir /usr/lib/xtables | |
| add_all_modules netfilter | |
| # Add the tailscale CLI tool | |
| add_binary tailscale | |
| # Add tailscale configuration | |
| add_file /var/lib/tailscale/tailscaled.state | |
| add_file /etc/default/tailscaled | |
| # Add sshd.service and enable it | |
| add_systemd_unit sshd.service | |
| add_symlink /etc/systemd/system/sysinit.target.wants/sshd.service \ | |
| /usr/lib/systemd/system/sshd.service | |
| # Force sshd to start early | |
| add_systemd_drop_in sshd.service order <<EOF | |
| [Unit] | |
| Wants=cryptsetup-pre.target | |
| Before=cryptsetup-pre.target | |
| DefaultDependencies=no | |
| EOF | |
| # Required for sshd isolation | |
| add_user nobody | |
| add_dir /var/empty | |
| # Add ssh host keys and configuration | |
| add_full_dir /etc/ssh | |
| # Permit root logins in the initrd | |
| sed -Ei 's/^#?AllowUsers.*/AllowUsers root/' "$BUILDROOT/etc/ssh/sshd_config" | |
| sed -Ei 's/^#?PermitRootLogin.*/PermitRootLogin yes/' "$BUILDROOT/etc/ssh/sshd_config" | |
| # No PAM in the initrd | |
| sed -Ei 's/^#?UsePAM.*/UsePAM no/' "$BUILDROOT/etc/ssh/sshd_config" | |
| # Share authorized_keys with my normal user | |
| add_file /home/tavianator/.ssh/authorized_keys /root/.ssh/authorized_keys | |
| systemd-analyze verify --root="$BUILDROOT" default.target | |
| } | |
| help() { | |
| cat <<EOF | |
| Enables remote access into the initrd to unlock encrypted disks. | |
| EOF | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment