Diffstat (limited to 'tdf-postinst-udeb')
-rw-r--r--tdf-postinst-udeb/debian/changelog5
-rw-r--r--tdf-postinst-udeb/debian/compat1
-rw-r--r--tdf-postinst-udeb/debian/control11
-rw-r--r--tdf-postinst-udeb/debian/copyright15
-rw-r--r--tdf-postinst-udeb/debian/install1
-rwxr-xr-xtdf-postinst-udeb/debian/rules4
-rw-r--r--tdf-postinst-udeb/debian/templates9
-rwxr-xr-xtdf-postinst-udeb/finish-install.d/07tdf-postinst115
8 files changed, 161 insertions, 0 deletions
diff --git a/tdf-postinst-udeb/debian/changelog b/tdf-postinst-udeb/debian/changelog
new file mode 100644
index 0000000..41eb167
--- /dev/null
+++ b/tdf-postinst-udeb/debian/changelog
@@ -0,0 +1,5 @@
+tdf-postinst-udeb (0.1) unstable; urgency=low
+
+ * Initial release.
+
+ -- Guilhem Moulin <guilhem@libreoffice.org> Tue, 18 Oct 2016 19:23:23 +0200
diff --git a/tdf-postinst-udeb/debian/compat b/tdf-postinst-udeb/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/tdf-postinst-udeb/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/tdf-postinst-udeb/debian/control b/tdf-postinst-udeb/debian/control
new file mode 100644
index 0000000..2b1ff24
--- /dev/null
+++ b/tdf-postinst-udeb/debian/control
@@ -0,0 +1,11 @@
+Source: tdf-postinst-udeb
+Section: debian-installer
+Priority: optional
+Maintainer: Guilhem Moulin <guilhem@libreoffice.org>
+Build-Depends: debhelper (>= 9)
+
+Package: tdf-postinst-udeb
+XC-Package-Type: udeb
+Architecture: all
+Depends: ${misc:Depends}
+Description: Postinstall hook for TDF VMs setup
diff --git a/tdf-postinst-udeb/debian/copyright b/tdf-postinst-udeb/debian/copyright
new file mode 100644
index 0000000..409a651
--- /dev/null
+++ b/tdf-postinst-udeb/debian/copyright
@@ -0,0 +1,15 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: native package
+
+Files: *
+Copyright: © 2016 The Document Foundation <hostmaster@documentfoundation.org>
+License: GPL-3+
+
+License: GPL-3+
+ This package is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+ Free Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+ .
+ On Debian systems, the complete text of the GNU General Public License
+ version 3 can be found in file "/usr/share/common-licenses/GPL-3".
diff --git a/tdf-postinst-udeb/debian/install b/tdf-postinst-udeb/debian/install
new file mode 100644
index 0000000..d477454
--- /dev/null
+++ b/tdf-postinst-udeb/debian/install
@@ -0,0 +1 @@
+finish-install.d/* /usr/lib/finish-install.d
diff --git a/tdf-postinst-udeb/debian/rules b/tdf-postinst-udeb/debian/rules
new file mode 100755
index 0000000..2d33f6a
--- /dev/null
+++ b/tdf-postinst-udeb/debian/rules
@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@
diff --git a/tdf-postinst-udeb/debian/templates b/tdf-postinst-udeb/debian/templates
new file mode 100644
index 0000000..e56a68a
--- /dev/null
+++ b/tdf-postinst-udeb/debian/templates
@@ -0,0 +1,9 @@
+Template: tdf-postinst/salt_master
+Type: text
+Description: Hostname or ipv4 of the Salt master
+
+Template: tdf-postinst/salt_master_fingerprint
+Type: text
+Description: Salt master fingerprint
+ Fingerprint of the master public key to validate the identity of
+ the Salt master before the initial key exchange
diff --git a/tdf-postinst-udeb/finish-install.d/07tdf-postinst b/tdf-postinst-udeb/finish-install.d/07tdf-postinst
new file mode 100755
index 0000000..3b92d76
--- /dev/null
+++ b/tdf-postinst-udeb/finish-install.d/07tdf-postinst
@@ -0,0 +1,115 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule || true
+
+in-target modprobe 9pnet_virtio || true
+in-target modprobe 9p || true
+
+virtfs="$(mktemp -d)"
+mount -t 9p -o trans=virtio,version=9p2000.L virtfs "$virtfs" || true
+trap 'umount "$virtfs"; rmdir "$virtfs"' EXIT TERM INT
+
+
+#######################################################################
+# Configuration SSHd
+
+if [ -d /target/etc/ssh ]; then
+ in-target find /etc/ssh -maxdepth 1 -type f -a \
+ \( -name "ssh_host_*_key" -o -name "ssh_host_*_key.pub" \) \
+ -delete
+ in-target ssh-keygen -b 4096 -t rsa -N '' -C /etc/ssh/ssh_host_rsa_key -f /etc/ssh/ssh_host_rsa_key
+ in-target ssh-keygen -t ed25519 -N '' -C /etc/ssh/ssh_host_ed25519_key -f /etc/ssh/ssh_host_ed25519_key
+ for pk in $(find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key.pub"); do
+ cp -f "$pk" "$virtfs"
+ done
+
+ cat >/target/etc/ssh/sshd_config <<- EOF
+ # What ports, IPs and protocols we listen for
+ Port 22
+ # Use these options to restrict which interfaces/protocols sshd will
+ # bind to
+ #ListenAddress ::
+ #ListenAddress 0.0.0.0
+ Protocol 2
+ # HostKeys for protocol version 2
+ HostKey /etc/ssh/ssh_host_rsa_key
+ HostKey /etc/ssh/ssh_host_ed25519_key
+ #Privilege Separation is turned on for security
+ UsePrivilegeSeparation yes
+
+ # Logging
+ SyslogFacility AUTH
+ LogLevel INFO
+
+ # Authentication:
+ LoginGraceTime 120
+ PermitRootLogin without-password
+ StrictModes yes
+
+ PubkeyAuthentication yes
+ #AuthorizedKeysFile %h/.ssh/authorized_keys
+
+ # Change to yes to enable challenge-response passwords (beware issues
+ # with
+ # some PAM modules and threads)
+ ChallengeResponseAuthentication no
+
+ # Change to no to disable tunnelled clear text passwords
+ PasswordAuthentication no
+
+ X11Forwarding no
+ PrintMotd no
+ PrintLastLog yes
+ TCPKeepAlive yes
+
+ # Allow client to pass locale environment variables
+ AcceptEnv LANG LC_*
+
+ Subsystem sftp /usr/lib/openssh/sftp-server
+ EOF
+
+ if [ -f "/cdrom/authorized_keys" ]; then
+ authorized_keys="$(mktemp -p "/target/tmp")"
+ cat /cdrom/authorized_keys >"$authorized_keys"
+ authorized_keys="${authorized_keys#/target}"
+ if db_get passwd/username && [ "$RET" ]; then
+ username="$RET"
+ else
+ username="root"
+ fi
+ in-target sh -c "
+ install -m0700 -o $username -g $username --directory ~$username/.ssh
+ install -m0600 -o $username -g $username $authorized_keys ~$username/.ssh/authorized_keys
+ "
+ fi
+fi
+
+
+#######################################################################
+# Configure salt-minion
+
+if [ -d /target/etc/salt ]; then
+ in-target sh -c '
+ pkidir="/etc/salt/pki/minion"
+ mkdir -p -m0700 "$pkidir"
+
+ install -m0400 /dev/null "$pkidir/minion.pem"
+ openssl genrsa -rand /dev/urandom -f4 4096 >"$pkidir/minion.pem"
+
+ install -m0644 /dev/null "$pkidir/minion.pub"
+ openssl pkey -pubout <"$pkidir/minion.pem" >"$pkidir/minion.pub"
+
+ mkdir -p /etc/salt/minion.d
+ install -m0644 /dev/null /etc/salt/minion.d/999user.conf
+ '
+ if db_get tdf-postinst/salt_master && [ "$RET" ]; then
+ echo "master: $RET" >>/target/etc/salt/minion.d/999user.conf
+ fi
+ if db_get tdf-postinst/salt_master_fingerprint && [ "$RET" ]; then
+ echo "master_finger: '$RET'" >>/target/etc/salt/minion.d/999user.conf
+ fi
+ echo "id: $(hostname).documentfoundation.org" >>/target/etc/salt/minion.d/999user.conf
+
+ cp /target/etc/salt/pki/minion/minion.pub "$virtfs"
+fi
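Review bot: The `in-target sh -c "..."` block at the end of the authorized_keys branch interpolates `$username` (the `passwd/username` debconf answer, i.e. installer input) and `$authorized_keys` unquoted into the command string, so a value containing whitespace or shell metacharacters is re-parsed by the target shell, and `~$username` additionally relies on tilde expansion of that value. Pass both values as positional parameters to a single-quoted script and resolve the home directory with getent instead of tilde expansion, as below; the copied key file in /target/tmp can then be removed once installed, since `install` leaves the original in place. Separately, the EXIT trap on the mount line runs `umount "$virtfs"` unconditionally even though the mount is allowed to fail with `|| true`, so `umount "$virtfs" 2>/dev/null || true; rmdir "$virtfs"` would avoid leaving the temporary directory behind when the 9p share was not mounted.
```shell
in-target sh -c '
  user="$1"; keys="$2"
  home="$(getent passwd "$user" | cut -d: -f6)"
  [ -n "$home" ] || exit 1
  install -m0700 -o "$user" -g "$user" --directory "$home/.ssh"
  install -m0600 -o "$user" -g "$user" "$keys" "$home/.ssh/authorized_keys"
  rm -f -- "$keys"
' sh "$username" "$authorized_keys"
```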