Merge pull request #26 from joshpearce/feature/ubuntu-initramfs-tools

Ubuntu initramfs tools&template

ubuntu/README.md

@@ -0,0 +1,12 @@
+# Hoopsnake initramfs package
+
+## Building & installing
+1. Build hoopsnake, `go build -o hoopsnake cmd/hoopsnake/main.go`
+2. Copy files from `ubuntu/etc/hoopsnake/initramfs` and `ubuntu/usr/share/initramfs-tools` to their respective locations in the FHS.
+3. Edit `/usr/share/initramfs-tools/conf-hooks.d/hoopsnake` to configure the options used when building initrd.
+4. Edit `/etc/hoopsnake/initramfs/hoopsnake.conf` to configure the hoopsnake runtime options.
+5. Rebuild initramfs by calling `update-initramfs -u -k all`
+
+## Remove from initrd
+1. Delete the files copied in install step 2.
+2. Rebuild initramfs by calling `update-initramfs -u -k all`

ubuntu/etc/hoopsnake/initramfs/hoopsnake.conf

@@ -0,0 +1,21 @@
+# The concrete commandline to run.
+HOOPSNAKE_CMD=""
+
+# Name of the tailscale service that the hoopsnake SSH server runs on."
+TAILSCALE_SERVICE_NAME=""
+
+# Whether to delete existing nodes with the configured hoopsnake SSH server's name
+TAILSCALE_DELETE_EXISTING="false"
+
+# List of tags to assign the hoopsnake SSH server. At least one is required. Separate with commas.
+TAILSCALE_TAGS=""
+
+# Any existing node with this server's name must be offline at least this long to be considered for deletion."
+TAILSCALE_MAX_NODE_AGE="30s"
+
+# Verbose logging from the tsnet package
+TSNET_VERBOSE="false"
+
+# Number of seconds to wait for hoopsnake to exit after boot continues. If set to null, do not wait.
+EXIT_TIMEOUT_SEC="5"
+

ubuntu/usr/share/initramfs-tools/conf-hooks.d/hoopsnake

@@ -0,0 +1,25 @@
+# Override variables from /etc/initramfs-tools/initramfs.conf, see
+# initramfs-tools(8)
+#
+
+# Set the umask value of the generated initramfs file to avoid
+# disclosing SSH host keys.
+UMASK=0077
+
+# Force use of busybox instead of klibc utilities
+BUSYBOX=y
+
+# The hoopsnake executable
+HOOPSNAKE_EXE=""
+
+# Include SSL bundle. Needed by Tailscale to connect to control plane.
+INCLUDE_SSL_BUNDLE="y"
+
+# Path to a PEM-encoded secret key that the hoopsnake SSH server will use to authenticate itself to clients.
+PRIVATE_HOST_KEY=""
+
+# Path to a file listing the authorized public keys that may authenticate to hoopsnake.
+AUTHORIZED_KEYS_FILE=""
+
+# Environment file setting TS_AUTHKEY, TS_API_KEY or TS_API_CLIENT_ID & TS_API_CLIENT_SECRET.
+TAILSCALE_ENV_FILE=""

ubuntu/usr/share/initramfs-tools/hooks/hoopsnake

@@ -0,0 +1,51 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs() {
+    echo "$PREREQ"
+}
+
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+    ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+hoopsnake_warn() {
+    echo "hoopsnake: WARNING:" "$@" >&2
+}
+
+copy_exec "$HOOPSNAKE_EXE" /sbin
+
+if [ "$INCLUDE_SSL_BUNDLE" = "y" ]; then
+    mkdir -p -- "$DESTDIR/etc/ssl/certs"
+    cp -R /etc/ssl/certs/. "$DESTDIR/etc/ssl/certs/"
+fi
+
+mkdir -p -- "$DESTDIR/etc/hoopsnake/ssh"
+
+if [ -e /etc/hoopsnake/initramfs/hoopsnake.conf ]; then
+    cp -pt "$DESTDIR/etc/hoopsnake/" "/etc/hoopsnake/initramfs/hoopsnake.conf"
+fi
+
+if [ -f "$PRIVATE_HOST_KEY" ]; then
+    cat "$PRIVATE_HOST_KEY" > "$DESTDIR/etc/hoopsnake/ssh/host_key"
+else
+    hoopsnake_warn "Missing host keys, SSH login to initramfs won't work!"
+fi
+
+if [ -e "$AUTHORIZED_KEYS_FILE" ]; then
+    cat "$AUTHORIZED_KEYS_FILE" > "$DESTDIR/etc/hoopsnake/ssh/authorized_keys"
+else
+    hoopsnake_warn "Missing authorized_keys file, SSH login to initramfs won't work!"
+fi
+
+if [ -e "$TAILSCALE_ENV_FILE" ]; then
+    cat "$TAILSCALE_ENV_FILE" > "$DESTDIR/etc/hoopsnake/tailscale_env"
+else
+    hoopsnake_warn "Missing Tailscale environment file, Tailscale will not be able to connect!"
+fi

ubuntu/usr/share/initramfs-tools/scripts/init-bottom/hoopsnake

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs() {
+	echo "$PREREQ"
+}
+
+case "$1" in
+	prereqs)
+		prereqs
+		exit 0
+	;;
+esac
+
+. /scripts/functions
+
+if [ -e /etc/hoopsnake/hoopsnake.conf ]; then
+    . /etc/hoopsnake/hoopsnake.conf
+fi
+
+PIDFILE="/run/hoopsnake.pid"
+hoopsnakePid="$(cat "$PIDFILE" 2>/dev/null)" || return 1
+
+if [ -n "$hoopsnakePid" ]; then
+    kill "$hoopsnakePid"
+    timeToWait=$EXIT_TIMEOUT_SEC
+    while [ $timeToWait -gt 0 ] && ! kill -0 "$hoopsnakePid" 2>/dev/null ; do
+        timeToWait=$((timeToWait-1))
+        sleep 1
+    done
+fi

ubuntu/usr/share/initramfs-tools/scripts/init-premount/hoopsnake

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+PREREQ="udev"
+
+prereqs() {
+    echo "$PREREQ"
+}
+
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+    ;;
+esac
+
+[ -x /sbin/hoopsnake ] || exit 0
+
+
+run_hoopsnake() {
+
+    # always run configure_networking() before hoopsnake; on NFS
+    # mounts this has been done already
+    [ "$BOOT" = nfs ] || configure_networking
+
+    log_begin_msg "Starting hoopsnake"
+
+    . /etc/hoopsnake/tailscale_env
+    export TS_AUTHKEY TS_API_KEY TS_API_CLIENT_ID TS_API_CLIENT_SECRET TS_BASE_URL
+
+    exec /sbin/hoopsnake -name "$TAILSCALE_SERVICE_NAME" \
+        -tsnetVerbose="$TSNET_VERBOSE" \
+        -tags="$TAILSCALE_TAGS" \
+        -deleteExisting="$TAILSCALE_DELETE_EXISTING"  \
+        -maxNodeAge="$TAILSCALE_MAX_NODE_AGE" \
+        -authorizedKeys=/etc/hoopsnake/ssh/authorized_keys \
+        -hostKey=/etc/hoopsnake/ssh/host_key \
+        "$HOOPSNAKE_CMD"
+}
+
+if [ -e /etc/hoopsnake/hoopsnake.conf ]; then
+    . /etc/hoopsnake/hoopsnake.conf
+fi
+. /scripts/functions
+
+[ "$BOOT" != nfs ] || configure_networking
+
+run_hoopsnake &
+echo $! >/run/hoopsnake.pid