build-iso: Add support for installation via ssh
This commit is contained in:
parent
9771b1f880
commit
599e23f05c
2
.gitignore
vendored
2
.gitignore
vendored
@ -8,5 +8,5 @@
|
||||
/pkg/*/*-x86_64-build.log
|
||||
/pkg/de-p1st-gnupg/duraconf/
|
||||
|
||||
/build-archiso/out/
|
||||
/build-iso/out/
|
||||
/build-pkg/out/
|
||||
|
2
.idea/arch.iml
generated
2
.idea/arch.iml
generated
@ -3,8 +3,8 @@
|
||||
<component name="NewModuleRootManager" inherit-compiler-output="true">
|
||||
<exclude-output />
|
||||
<content url="file://$MODULE_DIR$">
|
||||
<excludeFolder url="file://$MODULE_DIR$/build-archiso/out" />
|
||||
<excludeFolder url="file://$MODULE_DIR$/build-pkg/out" />
|
||||
<excludeFolder url="file://$MODULE_DIR$/build-iso/out" />
|
||||
</content>
|
||||
<orderEntry type="inheritedJdk" />
|
||||
<orderEntry type="sourceFolder" forTests="false" />
|
||||
|
@ -145,6 +145,7 @@ Enter a number (default=1):
|
||||
* de-p1st-pacman -> ungoogled-chromium
|
||||
* https://github.com/ungoogled-software/ungoogled-chromium-archlinux#open-build-service-repository
|
||||
* for each PKG: built with docker then sign wit pgp
|
||||
* signed package db
|
||||
* build for multiple architectures
|
||||
* https://ownyourbits.com/2018/06/27/running-and-building-arm-docker-containers-in-x86/
|
||||
* https://ownyourbits.com/2018/06/27/running-and-building-arm-docker-containers-in-x86/#comment-19124
|
||||
|
@ -1,87 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
BUILD_DIR=/out
|
||||
|
||||
PKGS=()
|
||||
PKGS+=('de-p1st-keyboard') # german keyboard
|
||||
PKGS+=('de-p1st-nano') # syntax hilighting in nano
|
||||
PKGS+=('de-p1st-screen') # longer scrollback history in screen
|
||||
PKGS+=('de-p1st-pacman') # [de-p1st] mirror enabled
|
||||
PKGS+=('de-p1st-installer') # de-p1st-installer script
|
||||
|
||||
ENABLE_SSH=true
|
||||
SSH_PUB_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpgihAg8Qzu5q+AGXHLR7p+rrS1yB0KlZb/Y/EwZT15EhEtsUMqBMRiY0TdjKQU0broyygZnymccLmCXvihEgk3zk/hP8VEDmN5wmE2tRBPR4lSjo8E1R8N79G+gaFkwi93QYh57MsGfa9k4tvGrJy0yaD7GrPqtQf+IIuvV14WJQAqnikTdbFqRjk5JGearYLU7jSKa+9NmR7JQ9NExoyIPgmQ/pd0Xc2qt8k5UGfz3HM9MAmIVQ30whK6m1iYZ8nxEidHrfreQx8NOa7ujo4zQnV1NYvRUjObr/qyIhPU6DYLT2mVRNupQFKx6LI38O4U13heugUFqJ3zvog3aDsriFiv8jzJAJvWXx7Q3TqKhqiG9VTkwBw1NDbCAOXKiEdMfiCYbdCfpNgdepU75bMloJcSQQVUqoH2tQhSbwKLuRFgOnyaHpvWbieXBRcUnfG8gg4p4jqiwx5laweEeOIOD/i7G1Mjx7Dj2ctnT/ILat/xsf+Y0W4eJr3bc5L9ghgw6wsKbNSqwjFUCFcHcARK3gvSH+hO2/BpgMVoyvZjO5PNuUqfsZ7bIIs5cDdyB/ly3irKuaRz1+3x1x4gPgSiOcji7HxPwogzhPsyfoRLHNt9tJ5X4nF2Iz1M5RTJpbZCi6yEj+9Q85FVjD76BEWuZe18kRrwhuLf/XgKdF9tQ== openpgp:0xA8B75370'
|
||||
|
||||
################################
|
||||
|
||||
# Write-permission for user "build"
|
||||
sudo chown "build:wheel" /out
|
||||
|
||||
function isEmptyDir() {
|
||||
# arg $1: directory to check
|
||||
|
||||
if [ -z "$(find "${1}" -maxdepth 0 -type d -empty 2>/dev/null)" ]; then
|
||||
# echo "Not empty or NOT a directory"
|
||||
return 1
|
||||
else
|
||||
# "Empty directory"
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
if [ -d "${BUILD_DIR}" ]; then
|
||||
if ! isEmptyDir "${BUILD_DIR}"; then
|
||||
if [ "$1" = "clean" ]; then
|
||||
sudo rm -r "${BUILD_DIR}"/* || exit $?
|
||||
else
|
||||
echo "BUILD_DIR not empty: ${BUILD_DIR}";
|
||||
echo "Run with argument 'clean' to clean up BUILD_DIR and then continue building the ISO."
|
||||
exit 1;
|
||||
fi
|
||||
fi # else: BUILD_DIR exists and is empty :)
|
||||
elif ! mkdir -p "${BUILD_DIR}"; then
|
||||
echo "Could not create BUILD_DIR: ${BUILD_DIR}";
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
|
||||
# The releng profile is used to create the official monthly installation ISO
|
||||
PROFILE=/usr/share/archiso/configs/releng/
|
||||
if [ ! -d "${PROFILE}" ]; then
|
||||
echo "Dependency 'archiso' is missing. Please install this first!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
cp -r "$PROFILE" "$BUILD_DIR"/profile || exit $?
|
||||
|
||||
# extend the builder's pacman.conf (add de-p1st mirrors)
|
||||
# https://wiki.archlinux.org/index.php/Archiso#Custom_local_repository
|
||||
# cat ../pkg/de-p1st-pacman/pacman.d/de-p1st >>"$BUILD_DIR"/profile/pacman.conf || exit $?
|
||||
echo '[de-p1st]
|
||||
SigLevel = Optional TrustAll
|
||||
Server = https://arch.p1st.de' | sudo tee -a "$BUILD_DIR"/profile/pacman.conf || exit $?
|
||||
|
||||
for PKG in "${PKGS[@]}"; do
|
||||
echo "${PKG}" >>"${BUILD_DIR}"/profile/packages.x86_64
|
||||
done
|
||||
|
||||
# source: https://gitlab.archlinux.org/archlinux/archiso/-/blob/master/configs/releng/airootfs/etc/motd
|
||||
echo 'To install [38;2;23;147;209mArch Linux[0m run the following command:
|
||||
[35mde-p1st-installer[0m
|
||||
|
||||
|
||||
|
||||
For Wi-Fi, authenticate to the wireless network using the [35miwctl[0m utility.
|
||||
For mobile broadband (WWAN) modems, connect with the [35mmmcli[0m utility.
|
||||
Ethernet, WLAN and WWAN interfaces using DHCP should work automatically.
|
||||
' > "${BUILD_DIR}"/profile/airootfs/etc/motd || exit $?
|
||||
|
||||
###
|
||||
|
||||
mkdir "${BUILD_DIR}/work_dir" && mkdir "${BUILD_DIR}/out_dir" || exit $?
|
||||
|
||||
echo "running 'sudo mkarchiso' ..."
|
||||
sudo mkarchiso -v -w "${BUILD_DIR}/work_dir" -o "${BUILD_DIR}/out_dir" "${BUILD_DIR}/profile" || exit $?
|
||||
|
||||
sudo chown -R "build:wheel" /out/out_dir
|
@ -8,7 +8,7 @@ FROM archlinux:base-devel
|
||||
RUN printf '\n[de-p1st]\nSigLevel = Optional TrustAll\nServer = https://arch.p1st.de\n' >> /etc/pacman.conf
|
||||
# ... and update mirrors + packages
|
||||
RUN pacman -Syu --noconfirm && \
|
||||
pacman -S --noconfirm archiso
|
||||
pacman -S --noconfirm archiso openssh
|
||||
|
||||
# Set packager
|
||||
RUN sed --in-place 's|^#PACKAGER=.*$|PACKAGER="Daniel Langbein <daniel@systemli.org>"|' /etc/makepkg.conf
|
160
build-iso/run.sh
Executable file
160
build-iso/run.sh
Executable file
@ -0,0 +1,160 @@
|
||||
#!/bin/bash
|
||||
|
||||
BUILD_DIR=/out
|
||||
|
||||
PKGS=()
|
||||
PKGS+=('de-p1st-keyboard') # german keyboard
|
||||
PKGS+=('de-p1st-nano') # syntax hilighting in nano
|
||||
PKGS+=('de-p1st-screen') # longer scrollback history in screen
|
||||
PKGS+=('de-p1st-pacman') # [de-p1st] mirror enabled
|
||||
PKGS+=('de-p1st-installer') # de-p1st-installer script
|
||||
|
||||
# Uncomment/remove these two lines to disable password-less ssh
|
||||
ENABLE_SSH=true
|
||||
SSH_PUB_KEY='ssh-rsa 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 openpgp:0xA8B75370'
|
||||
|
||||
ISO_PUBLISHER='Daniel Langbein <https://codeberg.org/privacy1st/arch>'
|
||||
ISO_LABEL='ARCH-P1ST_$(date +%Y%m%d)'
|
||||
ISO_NAME="arch-p1st"
|
||||
|
||||
################################
|
||||
|
||||
# Write-permission for user "build"
|
||||
sudo chown "build:wheel" "${BUILD_DIR}"
|
||||
|
||||
function isEmptyDir() {
|
||||
# arg $1: directory to check
|
||||
|
||||
if [ -z "$(find "${1}" -maxdepth 0 -type d -empty 2>/dev/null)" ]; then
|
||||
# echo "Not empty or NOT a directory"
|
||||
return 1
|
||||
else
|
||||
# "Empty directory"
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
if [ -d "${BUILD_DIR}" ]; then
|
||||
if ! isEmptyDir "${BUILD_DIR}"; then
|
||||
if [ "$1" = "clean" ]; then
|
||||
sudo rm -r "${BUILD_DIR}"/* || exit $?
|
||||
else
|
||||
echo "BUILD_DIR not empty: ${BUILD_DIR}";
|
||||
echo "Run with argument 'clean' to clean up BUILD_DIR and then continue building the ISO."
|
||||
exit 1;
|
||||
fi
|
||||
fi # else: BUILD_DIR exists and is empty :)
|
||||
elif ! mkdir -p "${BUILD_DIR}"; then
|
||||
echo "Could not create BUILD_DIR: ${BUILD_DIR}";
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
|
||||
# The releng profile is used to create the official monthly installation ISO
|
||||
PROFILE=/usr/share/archiso/configs/releng/
|
||||
if [ ! -d "${PROFILE}" ]; then
|
||||
echo "Dependency 'archiso' is missing. Please install this first!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
cp -r "$PROFILE" "$BUILD_DIR"/profile || exit $?
|
||||
|
||||
# Extend the builder's pacman.conf (add de-p1st mirrors)
|
||||
# so that packages from [de-p1st] can be installed into the ISO
|
||||
# https://wiki.archlinux.org/index.php/Archiso#Custom_local_repository
|
||||
#
|
||||
# cat ../pkg/de-p1st-pacman/pacman.d/de-p1st >>"$BUILD_DIR"/profile/pacman.conf || exit $?
|
||||
echo '[de-p1st]
|
||||
SigLevel = Optional TrustAll
|
||||
Server = https://arch.p1st.de' >> "$BUILD_DIR"/profile/pacman.conf || exit $?
|
||||
|
||||
for PKG in "${PKGS[@]}"; do
|
||||
echo "${PKG}" >>"${BUILD_DIR}"/profile/packages.x86_64 || exit $?
|
||||
done
|
||||
|
||||
|
||||
if [ "${ENABLE_SSH}" = "true" ]; then
|
||||
MOTD_SSH_NOTE="
|
||||
The installation can be done via ssh. See [35m.ssh/authorized_keys[0m.
|
||||
"
|
||||
else
|
||||
MOTD_SSH_NOTE=""
|
||||
fi
|
||||
|
||||
# source: https://gitlab.archlinux.org/archlinux/archiso/-/blob/master/configs/releng/airootfs/etc/motd
|
||||
echo "To install [38;2;23;147;209mArch Linux[0m run the following command:
|
||||
[35mde-p1st-installer[0m
|
||||
${MOTD_SSH_NOTE}
|
||||
For Wi-Fi, authenticate to the wireless network using the [35miwctl[0m utility.
|
||||
For mobile broadband (WWAN) modems, connect with the [35mmmcli[0m utility.
|
||||
Ethernet, WLAN and WWAN interfaces using DHCP should work automatically.
|
||||
" > "${BUILD_DIR}"/profile/airootfs/etc/motd || exit $?
|
||||
|
||||
|
||||
if [ "${ENABLE_SSH}" = "true" ]; then
|
||||
# Enabling sshd.service is not necessary for the releng profile: It is enabled by default.
|
||||
# (Although one has to first set a password before he can connect via ssh.
|
||||
# See: https://wiki.archlinux.org/title/Install_Arch_Linux_via_SSH
|
||||
#
|
||||
# We will prepare the ISO for passwordless installation via ssh.
|
||||
# See: https://wiki.archlinux.org/title/Archiso#Prepare_an_ISO_for_an_installation_via_SSH
|
||||
# And we will (optionally) use a custom sshd_config file
|
||||
|
||||
# Overwrite the ssh configuration file of the releng profile
|
||||
# It is **important** to allow root login here!
|
||||
echo 'PermitRootLogin yes
|
||||
PubkeyAuthentication yes
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
PasswordAuthentication no
|
||||
PermitEmptyPasswords no
|
||||
ChallengeResponseAuthentication no
|
||||
UsePAM yes
|
||||
X11Forwarding no
|
||||
PrintMotd no # pam does that
|
||||
Subsystem sftp /usr/lib/ssh/sftp-server' > "${BUILD_DIR}"/profile/airootfs/etc/ssh/sshd_config || exit $?
|
||||
|
||||
# Create authorized_keys file for root so that one can ssh into that user
|
||||
mkdir -p "${BUILD_DIR}"/profile/airootfs/root/.ssh/ || exit $?
|
||||
echo "${SSH_PUB_KEY}" > "${BUILD_DIR}"/profile/airootfs/root/.ssh/authorized_keys || exit $?
|
||||
# Set correct file permissions.
|
||||
echo 'file_permissions+=(
|
||||
["/root/.ssh"]="0:0:0700"
|
||||
["/root/.ssh/authorized_keys"]="0:0:0600"
|
||||
)' >> "${BUILD_DIR}"/profile/profiledef.sh || exit $?
|
||||
|
||||
# Manually create ssh host key files.
|
||||
# Usually this is done during first boot of the ISO,
|
||||
# but we want to know the key fingerprints!
|
||||
# See also: https://serverfault.com/a/471346
|
||||
ssh-keygen -N "" -t dsa -f "${BUILD_DIR}"/profile/airootfs/etc/ssh/ssh_host_dsa_key || exit $?
|
||||
ssh-keygen -N "" -t rsa -b 4096 -f "${BUILD_DIR}"/profile/airootfs/etc/ssh/ssh_host_rsa_key || exit $?
|
||||
ssh-keygen -N "" -t ecdsa -f "${BUILD_DIR}"/profile/airootfs/etc/ssh/ssh_host_ecdsa_key || exit $?
|
||||
ssh-keygen -N "" -t ed25519 -f "${BUILD_DIR}"/profile/airootfs/etc/ssh/ssh_host_ed25519_key || exit $?
|
||||
|
||||
# Save ssh host fingerprints next to the ISO file
|
||||
for f in "${BUILD_DIR}"/profile/airootfs/etc/ssh/ssh_host_*_key; do
|
||||
ssh-keygen -l -f "$f" >> "${BUILD_DIR}/out_dir/ssh-host-fingerprints" || exit $?
|
||||
done
|
||||
|
||||
# Enable sshd.service
|
||||
# https://wiki.archlinux.org/title/Archiso#systemd_units
|
||||
# mkdir -p "${BUILD_DIR}"/profile/airootfs/etc/systemd/system/multi-user.target.wants/ || exit $?
|
||||
# ln -s /usr/lib/systemd/system/sshd.service \
|
||||
# "${BUILD_DIR}"/profile/airootfs/etc/systemd/system/multi-user.target.wants/ || exit $?
|
||||
fi
|
||||
|
||||
|
||||
# Replace the "iso_publisher", "iso_label" and "iso_name"
|
||||
sed -i "s|^iso_publisher=.*\$|iso_publisher=\"${ISO_PUBLISHER}\"|" "${BUILD_DIR}"/profile/profiledef.sh || exit $?
|
||||
sed -i "s|^iso_label=.*\$|iso_label=\"${ISO_LABEL}\"|" "${BUILD_DIR}"/profile/profiledef.sh || exit $?
|
||||
sed -i "s|^iso_name=.*\$|iso_name=\"${ISO_NAME}\"|" "${BUILD_DIR}"/profile/profiledef.sh || exit $?
|
||||
|
||||
################################
|
||||
|
||||
mkdir "${BUILD_DIR}/work_dir" && mkdir "${BUILD_DIR}/out_dir" || exit $?
|
||||
|
||||
echo "running 'sudo mkarchiso' ..."
|
||||
sudo mkarchiso -v -w "${BUILD_DIR}/work_dir" -o "${BUILD_DIR}/out_dir" "${BUILD_DIR}/profile" || exit $?
|
||||
|
||||
sudo chown -R "build:wheel" "${BUILD_DIR}/out_dir" || exit $?
|
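Review bot: The fingerprint loop at `ssh-keygen -l -f "$f" >> "${BUILD_DIR}/out_dir/ssh-host-fingerprints" || exit $?` writes into out_dir before that directory exists — it is only created by the later `mkdir "${BUILD_DIR}/work_dir" && mkdir "${BUILD_DIR}/out_dir"` line, and the earlier empty/clean check on BUILD_DIR guarantees it is absent — so the redirect fails and `|| exit $?` aborts every build with ENABLE_SSH=true. Creating it up front with `mkdir -p "${BUILD_DIR}/out_dir" || exit $?` just before the loop fixes this. The new `file_permissions+=(` block only covers /root/.ssh; the private host keys generated into airootfs/etc/ssh/ get no entry, so unless mkarchiso preserves the source file mode they land in the ISO with default permissions and sshd may refuse to load them — add `["/etc/ssh/ssh_host_rsa_key"]="0:0:0600"` (and the ecdsa/ed25519 equivalents) to the same block. The `-t dsa` host key is also not worth generating: ssh-dss is disabled by default in OpenSSH and recent ssh-keygen releases refuse to create DSA keys, which would turn that line into another build abort. Since `SigLevel = Optional TrustAll` is written into the profile's pacman.conf, packages pulled from [de-p1st] into the ISO are installed without signature verification; if that is deliberate for this repository, a comment saying so next to the echo would help the next reader.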