author | Boris Kolpackov <boris@codesynthesis.com> | 2017-03-28 16:03:40 +0200 |
---|---|---|
committer | Boris Kolpackov <boris@codesynthesis.com> | 2017-03-28 16:03:40 +0200 |
commit | 3998a0095cacfdd044b7f1bae90450e96aa04af8 (patch) | |
tree | 51c0a6674d823b73bed9e4240ac57fe2c775cb47 /init | |
parent | 9a734661e3829fdcd89fa3cef32419d5e56b5393 (diff) |
Add support for persistent state, SSH
Diffstat (limited to 'init')
-rwxr-xr-x | init | 122 |
1 files changed, 100 insertions, 22 deletions
@@ -244,25 +244,6 @@ bind-interfaces dhcp-range=${priv_netbase}.10,${priv_netbase}.250,12h EOF -# Configure Postfix. -# -cat <<<"$hname" >/etc/mailname - -sed -r -i \ - -e "s%^(myhostname).*%\1 = $hname%" \ - -e 's%^(mydestination).*%\1 = $myhostname, localhost.localdomain, localhost%' \ - -e 's%^(mynetworks).*%\1 = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128%' \ - -e "s%^(relayhost).*%\1 = $smtp_relay%" \ - /etc/postfix/main.cf - -# Make admin alias for buildos.admin_email, alias root as admin. -# -cat <<EOF >>/etc/aliases -admin: $admin_email -root: admin -EOF -newaliases - # Figure out disk configuration and generate the corresponding /etc/fstab. # fstab=/etc/fstab @@ -271,14 +252,15 @@ fstab=/etc/fstab echo -n '' >$fstab l= +state= machines= while read l || [ -n "$l" ]; do d="$(sed -re 's/.*NAME=\"([^\"]+)\".*/\1/' <<<"$l")" t="$(sed -re 's/.*FSTYPE=\"([^\"]*)\".*/\1/' <<<"$l")" l="$(sed -re 's/.*LABEL=\"([^\"]*)\".*/\1/' <<<"$l")" - # Strip the buildos. prefix from the label. If the result is empty then - # this disk/patition hasn't been labeled for use by buildos. + # Strip the buildos prefix from the label. If the result is empty then this + # disk/patition hasn't been labeled for use by buildos. # l="$(sed -n -re 's/^buildos\.([^ ]+)$/\1/p' <<<"$l")" 
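Review bot: The rewrapped comment in the label-stripping step of the second hunk still carries the `patition` typo; `# disk/partition hasn't been labeled for use by buildos.` would finish the cleanup this hunk starts. The new `state=` initialisation mirrors the existing `machines=` and reads consistently. The enclosing `while read l` loop continues past the end of the hunk.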
@@ -286,6 +268,39 @@ while read l || [ -n "$l" ]; do continue fi + # Handle buildos.state. + # + if [ "$l" == "state" ]; then + + if [ -n "$state" ]; then + error "multiple disks labeled with buildos.state" + fi + + if [ -z "$t" ]; then + error "no filesystem on $d labeled with buildos.state" + fi + + info "mounting $d (buildos.state) on /state as $t" + + o="defaults,noatime" + echo "$d /state $t $o 0 0" >>$fstab + + # Check it. + # + if ! fsck -n -t "$t" "$d"; then + info "$d (buildos.state) has errors; run fsck -t $type $d" + error + fi + + # Mount it now since we need it below. + # + mkdir -p "/state" + mount -t "$t" -o "$o" "$d" /state + + state="true" + continue + fi + # Handle buildos.machines and buildos.machines.* mounts. # if [[ "$l" == "machines" ]] || [[ "$l" =~ "machines.".+ ]]; then @@ -317,9 +332,10 @@ while read l || [ -n "$l" ]; do info "mounting $d (buildos.$l) on $m" - echo mkdir -p "$m" + mkdir -p "$m" o="defaults,noatime,nodiratime,user_subvol_rm_allowed" echo "$d $m btrfs $o 0 0" >>$fstab + continue fi done < <(lsblk --pairs --paths --output NAME,FSTYPE,LABEL) #done <<EOF @@ -327,6 +343,13 @@ done < <(lsblk --pairs --paths --output NAME,FSTYPE,LABEL) #NAME="/dev/sdb" FSTYPE="btrfs" LABEL="buildos.machines.vol2" #EOF +if [ -z "$state" ]; then + info "no disks labaled with buildos.state among:" + lsblk --paths --output NAME,TYPE,FSTYPE,SIZE,LABEL,UUID + info "consider formatting and/or labelling a suitable disk" + error +fi + if [ -z "$machines" ]; then info "no disks labaled with buildos.machines* among:" lsblk --paths --output NAME,TYPE,FSTYPE,SIZE,LABEL,UUID 
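Review bot: The fsck failure message in the new buildos.state branch interpolates `$type`, but the filesystem type in this loop is held in `t` (the fstab line just above uses `$t`), so the hint prints an empty type; it should read `info "$d (buildos.state) has errors; run fsck -t $t $d"`. Since /state is a data volume that the later SSH hunk uses for persistent host keys, mounting it with `o="defaults,noatime,nodev,nosuid"` (which also lands in the fstab entry) costs nothing and narrows what a mislabeled or tampered disk can introduce. `echo "$d /state $t $o 0 0" >>$fstab` leaves `$fstab` unquoted, matching the existing lines; harmless for the literal /etc/fstab path. The enclosing while loop starts and ends outside the hunk.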
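Review bot: The new message `info "no disks labaled with buildos.state among:"` carries the `labaled` typo, copied from the machines message directly below it; `labeled` in both would match the other diagnostics in this script. The bare `error` call afterwards exits without a message, which is consistent with the existing machines branch.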
@@ -334,6 +357,59 @@ if [ -z "$machines" ]; then error fi +# Configure Postfix. +# +cat <<<"$hname" >/etc/mailname + +sed -r -i \ + -e "s%^(myhostname).*%\1 = $hname%" \ + -e 's%^(mydestination).*%\1 = $myhostname, localhost.localdomain, localhost%' \ + -e 's%^(mynetworks).*%\1 = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128%' \ + -e "s%^(relayhost).*%\1 = $smtp_relay%" \ + /etc/postfix/main.cf + +# Make admin alias for buildos.admin_email, alias root as admin. +# +cat <<EOF >>/etc/aliases +admin: $admin_email +root: admin +EOF +newaliases + +# Configure OpenSSH server. Things that we do: +# +# - Change host key locations to (persistent) /state/etc/ssh/ and remove +# existing keys. If no corresponding key exists in /state, generate it. +# +# - Disable password authentication. +# +sed -r -i \ + -e "s%^#?HostKey +(.+)%HostKey /state\1%" \ + -e "s%^#?PasswordAuthentication.*%PasswordAuthentication no%" \ + /etc/ssh/sshd_config + +# Generate missing keys. +# +mkdir -p /state/etc/ssh +for k in $(echo /etc/ssh/ssh_host_*_key | \ + sed -re 's%/etc/ssh/ssh_host_([^_]+)_key%\1%g'); do + if [ ! -e "/state/etc/ssh/ssh_host_${k}_key" ]; then + ssh-keygen -N "" -t "$k" -f "/state/etc/ssh/ssh_host_${k}_key" + fi +done +rm -f /etc/ssh/ssh_host_*_key* + +# Add buildos.ssh_key to root's authorized_keys. +# +if [ -n "$ssh_key" ]; then + info "adding buildos.ssh_key to ~root/.ssh/authorized_keys" + mkdir -p /root/.ssh + chmod 700 /root/.ssh + + echo "$ssh_key" >>/root/.ssh/authorized_keys + chmod 600 /root/.ssh/authorized_keys +fi + # Hand off to systemd. But first arrange to keep console output (which # becomes tty1). # @@ -343,6 +419,8 @@ cat <<EOF >/etc/systemd/system/getty@tty1.service.d/noclear.conf TTYVTDisallocate=no EOF +# Get rid of klibc tools. +# export PATH=/sbin:/usr/sbin:/bin:/usr/bin exec /lib/systemd/systemd \ |
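Review bot: The sshd_config edit sets `PasswordAuthentication no` but leaves keyboard-interactive (PAM) authentication untouched, so if the base sshd_config does not already disable `ChallengeResponseAuthentication`/`KbdInteractiveAuthentication`, password prompts remain reachable through that path; adding `-e "s%^#?(ChallengeResponseAuthentication|KbdInteractiveAuthentication).*%\1 no%"` to the same sed invocation closes it regardless of the image's defaults. The key-type loop derives `k` from the files present under /etc/ssh; if none exist, the unmatched glob reaches sed as a literal `*` and ssh-keygen fails, so an explicit `for k in rsa ecdsa ed25519` (or a `[ -e "/etc/ssh/ssh_host_${k}_key" ] || continue` guard) would be more robust — I am inferring the image layout here. `echo "$ssh_key" >>/root/.ssh/authorized_keys` appends on every run of this script and `echo` would interpret a value starting with `-`; `grep -qxF -- "$ssh_key" /root/.ssh/authorized_keys 2>/dev/null || printf '%s\n' "$ssh_key" >>/root/.ssh/authorized_keys` avoids both. The `HostKey /state\1` rewrite only takes effect for HostKey lines that exist (commented or not) in the shipped sshd_config; if the image ships none, sshd falls back to the /etc/ssh paths that the `rm -f` below deletes.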