Add script to install new virtual machines.

1 files changed, 115 insertions, 0 deletions

diff --git a/tdf-postinst-udeb/finish-install.d/07tdf-postinst b/tdf-postinst-udeb/finish-install.d/07tdf-postinst
new file mode 100755
index 0000000..3b92d76
--- /dev/null
+++ b/tdf-postinst-udeb/finish-install.d/07tdf-postinst
@@ -0,0 +1,115 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule || true
+
+in-target modprobe 9pnet_virtio || true
+in-target modprobe 9p           || true
+
+virtfs="$(mktemp -d)"
+mount -t 9p -o trans=virtio,version=9p2000.L virtfs "$virtfs" || true
+trap 'umount "$virtfs"; rmdir "$virtfs"' EXIT TERM INT
+
+
+#######################################################################
+# Configuration SSHd
+
+if [ -d /target/etc/ssh ]; then
+    in-target find /etc/ssh -maxdepth 1 -type f -a \
+        \( -name "ssh_host_*_key" -o -name "ssh_host_*_key.pub" \) \
+        -delete
+    in-target ssh-keygen -b 4096 -t rsa     -N '' -C /etc/ssh/ssh_host_rsa_key     -f /etc/ssh/ssh_host_rsa_key
+    in-target ssh-keygen         -t ed25519 -N '' -C /etc/ssh/ssh_host_ed25519_key -f /etc/ssh/ssh_host_ed25519_key
+    for pk in $(find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key.pub"); do
+        cp -f "$pk" "$virtfs"
+    done
+
+    cat >/target/etc/ssh/sshd_config <<- EOF
+		# What ports, IPs and protocols we listen for
+		Port 22
+		# Use these options to restrict which interfaces/protocols sshd will
+		# bind to
+		#ListenAddress ::
+		#ListenAddress 0.0.0.0
+		Protocol 2
+		# HostKeys for protocol version 2
+		HostKey /etc/ssh/ssh_host_rsa_key
+		HostKey /etc/ssh/ssh_host_ed25519_key
+		#Privilege Separation is turned on for security
+		UsePrivilegeSeparation yes
+
+		# Logging
+		SyslogFacility AUTH
+		LogLevel INFO
+
+		# Authentication:
+		LoginGraceTime 120
+		PermitRootLogin without-password
+		StrictModes yes
+
+		PubkeyAuthentication yes
+		#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+		# Change to yes to enable challenge-response passwords (beware issues
+		# with
+		# some PAM modules and threads)
+		ChallengeResponseAuthentication no
+
+		# Change to no to disable tunnelled clear text passwords
+		PasswordAuthentication no
+
+		X11Forwarding no
+		PrintMotd no
+		PrintLastLog yes
+		TCPKeepAlive yes
+
+		# Allow client to pass locale environment variables
+		AcceptEnv LANG LC_*
+
+		Subsystem sftp /usr/lib/openssh/sftp-server
+	EOF
+
+    if [ -f "/cdrom/authorized_keys" ]; then
+        authorized_keys="$(mktemp -p "/target/tmp")"
+        cat /cdrom/authorized_keys >"$authorized_keys"
+        authorized_keys="${authorized_keys#/target}"
+        if db_get passwd/username && [ "$RET" ]; then
+            username="$RET"
+        else
+            username="root"
+        fi
+        in-target sh -c "
+            install -m0700 -o $username -g $username --directory      ~$username/.ssh
+            install -m0600 -o $username -g $username $authorized_keys ~$username/.ssh/authorized_keys
+        "
+    fi
+fi
+
+
+#######################################################################
+# Configure salt-minion
+
+if [ -d /target/etc/salt ]; then
+    in-target sh -c '
+        pkidir="/etc/salt/pki/minion"
+        mkdir -p -m0700 "$pkidir"
+
+        install -m0400 /dev/null "$pkidir/minion.pem"
+        openssl genrsa -rand /dev/urandom -f4 4096 >"$pkidir/minion.pem"
+
+        install -m0644 /dev/null "$pkidir/minion.pub"
+        openssl pkey -pubout <"$pkidir/minion.pem" >"$pkidir/minion.pub"
+
+        mkdir -p /etc/salt/minion.d
+        install -m0644 /dev/null /etc/salt/minion.d/999user.conf
+    '
+    if db_get tdf-postinst/salt_master && [ "$RET" ]; then
+        echo "master: $RET" >>/target/etc/salt/minion.d/999user.conf
+    fi
+    if db_get tdf-postinst/salt_master_fingerprint && [ "$RET" ]; then
+        echo "master_finger: '$RET'" >>/target/etc/salt/minion.d/999user.conf
+    fi
+    echo "id: $(hostname).documentfoundation.org" >>/target/etc/salt/minion.d/999user.conf
+
+    cp /target/etc/salt/pki/minion/minion.pub "$virtfs"
+fi