From a4d0ccb56bf9b426f69d70c185d680b08b9bd25c Mon Sep 17 00:00:00 2001 From: Tom Barrett Date: Tue, 27 Apr 2021 10:29:38 +0200 Subject: start with baseline --- airootfs/etc/mkinitcpio.conf | 70 +++++++++++++ airootfs/etc/mkinitcpio.d/linux.preset | 11 ++ airootfs/etc/shadow | 1 + airootfs/etc/ssh/sshd_config | 116 +++++++++++++++++++++ airootfs/etc/systemd/network/20-ethernet.network | 13 +++ .../cloud-init.target.wants/cloud-config.service | 1 + .../cloud-init.target.wants/cloud-final.service | 1 + .../cloud-init-local.service | 1 + .../cloud-init.target.wants/cloud-init.service | 1 + .../system/multi-user.target.wants/sshd.service | 1 + .../systemd-networkd.service | 1 + .../systemd-resolved.service | 1 + .../systemd-networkd-wait-online.service | 1 + .../sockets.target.wants/systemd-networkd.socket | 1 + .../wait-for-only-one-interface.conf | 5 + 15 files changed, 225 insertions(+) create mode 100644 airootfs/etc/mkinitcpio.conf create mode 100644 airootfs/etc/mkinitcpio.d/linux.preset create mode 100644 airootfs/etc/shadow create mode 100644 airootfs/etc/ssh/sshd_config create mode 100644 airootfs/etc/systemd/network/20-ethernet.network create mode 120000 airootfs/etc/systemd/system/cloud-init.target.wants/cloud-config.service create mode 120000 airootfs/etc/systemd/system/cloud-init.target.wants/cloud-final.service create mode 120000 airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init-local.service create mode 120000 airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init.service create mode 120000 airootfs/etc/systemd/system/multi-user.target.wants/sshd.service create mode 120000 airootfs/etc/systemd/system/multi-user.target.wants/systemd-networkd.service create mode 120000 airootfs/etc/systemd/system/multi-user.target.wants/systemd-resolved.service create mode 120000 airootfs/etc/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service create mode 120000 airootfs/etc/systemd/system/sockets.target.wants/systemd-networkd.socket create mode 100644 airootfs/etc/systemd/system/systemd-networkd-wait-online.service.d/wait-for-only-one-interface.conf (limited to 'airootfs') diff --git a/airootfs/etc/mkinitcpio.conf b/airootfs/etc/mkinitcpio.conf new file mode 100644 index 0000000..4b7b7fb --- /dev/null +++ b/airootfs/etc/mkinitcpio.conf @@ -0,0 +1,70 @@ +# +# SPDX-License-Identifier: GPL-3.0-or-later + +# vim:set ft=sh +# MODULES +# The following modules are loaded before any boot hooks are +# run. Advanced users may wish to specify all system modules +# in this array. For instance: +# MODULES=(piix ide_disk reiserfs) +MODULES=() + +# BINARIES +# This setting includes any additional binaries a given user may +# wish into the CPIO image. This is run last, so it may be used to +# override the actual binaries included by a given hook +# BINARIES are dependency parsed, so you may safely ignore libraries +BINARIES=() + +# FILES +# This setting is similar to BINARIES above, however, files are added +# as-is and are not parsed in any way. This is useful for config files. +FILES=() + +# HOOKS +# This is the most important setting in this file. The HOOKS control the +# modules and scripts added to the image, and what happens at boot time. +# Order is important, and it is recommended that you do not change the +# order in which HOOKS are added. Run 'mkinitcpio -H ' for +# help on a given hook. +# 'base' is _required_ unless you know precisely what you are doing. +# 'udev' is _required_ in order to automatically load modules +# 'filesystems' is _required_ unless you specify your fs modules in MODULES +# Examples: +## This setup specifies all modules in the MODULES setting above. +## No raid, lvm2, or encrypted root is needed. +# HOOKS=(base) +# +## This setup will autodetect all modules for your system and should +## work as a sane default +# HOOKS=(base udev autodetect block filesystems) +# +## This setup will generate a 'full' image which supports most systems. +## No autodetection is done. +# HOOKS=(base udev block filesystems) +# +## This setup assembles a pata mdadm array with an encrypted root FS. +## Note: See 'mkinitcpio -H mdadm' for more information on raid devices. +# HOOKS=(base udev block mdadm encrypt filesystems) +# +## This setup loads an lvm2 volume group on a usb device. +# HOOKS=(base udev block lvm2 filesystems) +# +## NOTE: If you have /usr on a separate partition, you MUST include the +# usr, fsck and shutdown hooks. +HOOKS=(base udev modconf archiso block filesystems) + +# COMPRESSION +# Use this to compress the initramfs image. By default, gzip compression +# is used. Use 'cat' to create an uncompressed image. +#COMPRESSION="gzip" +#COMPRESSION="bzip2" +#COMPRESSION="lzma" +#COMPRESSION="xz" +#COMPRESSION="lzop" +#COMPRESSION="lz4" +#COMPRESSION="zstd" + +# COMPRESSION_OPTIONS +# Additional options for the compressor +#COMPRESSION_OPTIONS=() diff --git a/airootfs/etc/mkinitcpio.d/linux.preset b/airootfs/etc/mkinitcpio.d/linux.preset new file mode 100644 index 0000000..d35f137 --- /dev/null +++ b/airootfs/etc/mkinitcpio.d/linux.preset @@ -0,0 +1,11 @@ +# +# SPDX-License-Identifier: GPL-3.0-or-later + +# mkinitcpio preset file for the 'linux' package on archiso + +PRESETS=('archiso') + +ALL_kver='/boot/vmlinuz-linux' +ALL_config='/etc/mkinitcpio.conf' + +archiso_image="/boot/initramfs-linux.img" diff --git a/airootfs/etc/shadow b/airootfs/etc/shadow new file mode 100644 index 0000000..7edfd69 --- /dev/null +++ b/airootfs/etc/shadow @@ -0,0 +1 @@ +root::14871:::::: diff --git a/airootfs/etc/ssh/sshd_config b/airootfs/etc/ssh/sshd_config new file mode 100644 index 0000000..8ef1758 --- /dev/null +++ b/airootfs/etc/ssh/sshd_config @@ -0,0 +1,116 @@ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no # pam does that +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/ssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/airootfs/etc/systemd/network/20-ethernet.network b/airootfs/etc/systemd/network/20-ethernet.network new file mode 100644 index 0000000..efa309c --- /dev/null +++ b/airootfs/etc/systemd/network/20-ethernet.network @@ -0,0 +1,13 @@ +# +# SPDX-License-Identifier: GPL-3.0-or-later + +[Match] +Name=en* +Name=eth* + +[Network] +DHCP=yes +IPv6PrivacyExtensions=yes + +[DHCP] +RouteMetric=512 diff --git a/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-config.service b/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-config.service new file mode 120000 index 0000000..ebc50f0 --- /dev/null +++ b/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-config.service @@ -0,0 +1 @@ +/usr/lib/systemd/system/cloud-config.service \ No newline at end of file diff --git a/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-final.service b/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-final.service new file mode 120000 index 0000000..80fa3c8 --- /dev/null +++ b/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-final.service @@ -0,0 +1 @@ +/usr/lib/systemd/system/cloud-final.service \ No newline at end of file diff --git a/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init-local.service b/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init-local.service new file mode 120000 index 0000000..dd8e9f1 --- /dev/null +++ b/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init-local.service @@ -0,0 +1 @@ +/usr/lib/systemd/system/cloud-init-local.service \ No newline at end of file diff --git a/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init.service b/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init.service new file mode 120000 index 0000000..24c7a26 --- /dev/null +++ b/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init.service @@ -0,0 +1 @@ +/usr/lib/systemd/system/cloud-init.service \ No newline at end of file diff --git a/airootfs/etc/systemd/system/multi-user.target.wants/sshd.service b/airootfs/etc/systemd/system/multi-user.target.wants/sshd.service new file mode 120000 index 0000000..d21ebd9 --- /dev/null +++ b/airootfs/etc/systemd/system/multi-user.target.wants/sshd.service @@ -0,0 +1 @@ +/usr/lib/systemd/system/sshd.service \ No newline at end of file diff --git a/airootfs/etc/systemd/system/multi-user.target.wants/systemd-networkd.service b/airootfs/etc/systemd/system/multi-user.target.wants/systemd-networkd.service new file mode 120000 index 0000000..4c158e6 --- /dev/null +++ b/airootfs/etc/systemd/system/multi-user.target.wants/systemd-networkd.service @@ -0,0 +1 @@ +/usr/lib/systemd/system/systemd-networkd.service \ No newline at end of file diff --git a/airootfs/etc/systemd/system/multi-user.target.wants/systemd-resolved.service b/airootfs/etc/systemd/system/multi-user.target.wants/systemd-resolved.service new file mode 120000 index 0000000..4f6ae34 --- /dev/null +++ b/airootfs/etc/systemd/system/multi-user.target.wants/systemd-resolved.service @@ -0,0 +1 @@ +/usr/lib/systemd/system/systemd-resolved.service \ No newline at end of file diff --git a/airootfs/etc/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service b/airootfs/etc/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service new file mode 120000 index 0000000..7d6ad92 --- /dev/null +++ b/airootfs/etc/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service @@ -0,0 +1 @@ +/usr/lib/systemd/system/systemd-networkd-wait-online.service \ No newline at end of file diff --git a/airootfs/etc/systemd/system/sockets.target.wants/systemd-networkd.socket b/airootfs/etc/systemd/system/sockets.target.wants/systemd-networkd.socket new file mode 120000 index 0000000..51942c8 --- /dev/null +++ b/airootfs/etc/systemd/system/sockets.target.wants/systemd-networkd.socket @@ -0,0 +1 @@ +/usr/lib/systemd/system/systemd-networkd.socket \ No newline at end of file diff --git a/airootfs/etc/systemd/system/systemd-networkd-wait-online.service.d/wait-for-only-one-interface.conf b/airootfs/etc/systemd/system/systemd-networkd-wait-online.service.d/wait-for-only-one-interface.conf new file mode 100644 index 0000000..a4d7442 --- /dev/null +++ b/airootfs/etc/systemd/system/systemd-networkd-wait-online.service.d/wait-for-only-one-interface.conf @@ -0,0 +1,5 @@ +# +# SPDX-License-Identifier: GPL-3.0-or-later + +[Service] +ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --any -- cgit v1.2.3