@matoken matoken/diff
Last active Apr 19, 2019

Embed
What would you like to do?
diff --git a/fstab b/fstab
index dc417c7..34ee4f9 100644
--- a/fstab
+++ b/fstab
@@ -1,5 +1,5 @@
# The root file system has fs_passno=1 as per fstab(5) for automatic fsck.
-LABEL=RASPIROOT / ext4 rw 0 1
+LABEL=RASPIROOT / ext3 rw,noatime 0 1
# All other file systems have fs_passno=2 as per fstab(5) for automatic fsck.
LABEL=RASPIFIRM /boot/firmware vfat rw 0 2
-proc /proc proc defaults 0 0
+proc /proc proc defaults,sync 0 0
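Review bot: The `sync` option added on the `proc` line has no practical effect, because procfs has no backing store for the kernel to flush, so it only suggests a hardening intent it does not deliver. If the goal is to limit what unprivileged users can see under /proc, `hidepid=2` is the option that does that, e.g. `proc /proc proc defaults,hidepid=2 0 0`, but check first that systemd-logind/polkit on buster tolerate it. The move from ext4 to ext3 on the root line gives up ext4 features such as extents with no reason recorded anywhere in the hunk; a comment naming the motivation (SD-card wear, kernel/firmware compatibility, or the like) would save the next maintainer from reverting it. `noatime` is a reasonable addition for flash media and needs no comment.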
diff --git a/raspi3.yaml b/raspi3.yaml
index c3e5b3b..0b6af68 100644
--- a/raspi3.yaml
+++ b/raspi3.yaml
@@ -2,7 +2,7 @@
steps:
- mkimg: "{{ output }}"
- size: 1500M
+ size: 1700M
- mklabel: msdos
device: "{{ output }}"
@@ -14,6 +14,10 @@ steps:
end: 20%
tag: /boot
+ #- cryptsetup: /
+ # tag: root_crypt
+ # key-file: disk.pass
+
- mkpart: primary
device: "{{ output }}"
start: 20%
@@ -26,7 +30,7 @@ steps:
partition: /boot
label: RASPIFIRM
- - mkfs: ext4
+ - mkfs: ext3
partition: /
label: RASPIROOT
@@ -80,6 +84,21 @@ steps:
- wpasupplicant
- raspi3-firmware
- linux-image-arm64
+ #- sysvinit-core
+ #- sysvinit-utils
+ #- ntpdate
+ - vim
+ - lv
+ - sudo
+ - fake-hwclock
+ - etckeeper
+ - locales
+ - msmtp
+ - apt-listchanges
+ - apticron
+ #- deborphan
+ - molly-guard
+ - screenfetch
tag: /
unless: rootfs_unpacked
@@ -88,11 +107,21 @@ steps:
- shell: |
echo "rpi3" > "${ROOT?}/etc/hostname"
+ sed -i 's,localhost$,localhost rpi3,' "${ROOT?}/etc/hosts"
# '..VyaTFxP8kT6' is crypt.crypt('raspberry', '..')
- sed -i 's,root:[^:]*,root:..VyaTFxP8kT6,' "${ROOT?}/etc/shadow"
+ #sed -i 's,root:[^:]*,root:..VyaTFxP8kT6,' "${ROOT?}/etc/shadow"
+
+ # OpenSSH
+ #sed -i 's,#PermitRootLogin prohibit-password,#PermitRootLogin prohibit-password\nPermitRootLogin yes,g' "${ROOT?}/etc/ssh/sshd_config"
+ sed -i 's,#PasswordAuthentication yes,PasswordAuthentication no,g' "${ROOT?}/etc/ssh/sshd_config"
+ echo 'AllowGroups sshusers' | tee -a "${ROOT?}/etc/ssh/sshd_config"
- sed -i 's,#PermitRootLogin prohibit-password,PermitRootLogin yes,g' "${ROOT?}/etc/ssh/sshd_config"
+ install -m 644 -o root -g root hosts.deny "${ROOT?}/etc/hosts.deny"
+ install -m 644 -o root -g root hosts.allow "${ROOT?}/etc/hosts.allow"
+
+ install -m 700 -o root -g root -d "${ROOT?}/root/.ssh"
+ install -m 600 -o root -g root rpi3-ssh-key.pub "${ROOT?}/root/.ssh/authorized_keys"
install -m 644 -o root -g root fstab "${ROOT?}/etc/fstab"
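Review bot: The `sed -i 's,#PasswordAuthentication yes,PasswordAuthentication no,g'` line relies on the stock sshd_config carrying exactly that commented line; if the wording differs or the directive is already uncommented, sed changes nothing, the build still succeeds, and the image ships with password logins enabled for the `pi` account whose password `raspberry` is documented further down in this diff. Match either form and make the build fail when the directive is absent: `sed -i 's,^#*PasswordAuthentication .*,PasswordAuthentication no,' "${ROOT?}/etc/ssh/sshd_config"` followed by `grep -q '^PasswordAuthentication no$' "${ROOT?}/etc/ssh/sshd_config" || exit 1`. `AllowGroups sshusers` is appended here with `tee -a` and appended again by `printf` in the later chroot step; the duplicate is harmless (the same group is listed twice) but one of them should go. hosts.allow/hosts.deny only reach sshd if this OpenSSH build is linked against libwrap, which I would not assume for buster, so the iptables rules installed later in this step should be treated as the authoritative filter. The shell step continues past the end of the hunk.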
@@ -114,7 +143,7 @@ steps:
cat >> "${ROOT?}/etc/motd" <<'EOT'
- Please change the root password by running passwd
+ Please change the pi password by running passwd
EOT
root-fs: /
@@ -122,9 +151,54 @@ steps:
# reduce image size by several hundred megabytes.
- chroot: /
shell: |
+
+ etckeeper init -d /etc
+ #git remote add origin https://gitrep/user/repo.git
+ #sed -i 's,^PUSH_REMOTE=""$,PUSH_REMOTE="https://gitrep/user/repo.git",' /etc/etckeeper/etckeeper.conf
+
+ printf "\nAllowGroups sshusers\n" >> "/etc/ssh/sshd_config"
+ awk '$5>=3071' /etc/ssh/moduli | tee /etc/ssh/moduli.tmp
+ mv /etc/ssh/moduli.tmp /etc/ssh/moduli
+ groupadd sshusers
+
+ rm /etc/localtime
+ ln -s /usr/share/zoneinfo/Asia/Tokyo /etc/localtime
+
+ # apt 自動アップデートを有効に,アップグレードは無効に
+ printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";' > /etc/apt/apt.conf.d/20auto-upgrades
+
+ # adm group で dmesg
+ # https://matoken.org/blog/2019/03/03/enable-dmesg-command-only-for-certain-groups/
+ sed -i 's,^%sudo\tALL=(ALL:ALL) ALL$,%sudo\tALL=(ALL:ALL) ALL\n%adm\tALL=NOPASSWD: /usr/bin/dmesg,' /etc/sudoers
+ sed -i 's,^# some more ls aliases,# some more ls aliases\nalias dmesg="sudo dmesg",' /etc/skel/.bashrc
+
+ # en_US.UTF-8, ja_JP.UTF-8 を追加
+ sed -i 's,^# en_US.UTF-8,en_US.UTF-8,' /etc/locale.gen
+ sed -i 's,^# ja_JP.UTF-8,ja_JP.UTF-8,' /etc/locale.gen
+ locale-gen
+ localedef -f UTF-8 -i en_US en_US.UTF-8
+ #localedef -f UTF-8 -i ja_JP ja_JP.UTF-8
+ # ユーザは日本語で,でもメッセージや時間は英語で見たい
+ echo 'export LANG="ja_JP.UTF-8"' >> /etc/skel/.profile
+ echo 'export LC_MESSAGES="en_US.UTF-8"' >> /etc/skel/.profile
+ echo 'export LC_TIME="en_US.UTF-8"' >> /etc/skel/.profile
+
+ # 作業ユーザのpiアカウント(pi:raspberry)
+ useradd --shell /bin/bash -G sudo,sshusers,adm -m pi
+ # mkpasswd -m sha512crypt -S $(apg -a 0 -M NCL -n 1) raspberry
+ sed -i 's,^pi:[^:]*,pi:$6$AbDijVees3$IPxnMoRF99xswLgs6kjaqv7l6ef7XLI29asYvTu5QIc1YiiZwh7vJ1.ZjwMaxc3lTI1J8xf0Gp6islVDUC6EX/,' "/etc/shadow"
+
+ #sudo -u pi ssh-keygen -q -t ed25519 -N '' -f ~/.ssh/id_ed25519
+ install -m 700 -o pi -g pi -d ~pi/.ssh
+ install -m 600 -o pi -g pi /root/.ssh/authorized_keys ~pi/.ssh/authorized_keys
+ rm /root/.ssh/authorized_keys
+
+ apt-get purge nano -y
+
apt-get clean
rm -rf /var/lib/apt/lists
+
# Modify the kernel commandline we take from the firmware to boot from
# the partition labeled raspiroot instead of forcing it to mmcblk0p2
- chroot: /
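Review bot: `useradd ... pi` followed by the `sed -i 's,^pi:[^:]*,pi:$6$...'` line gives every image built from this file the same account with the well-known password `raspberry` (as the comment says) and unrestricted `%sudo` rights, and nothing enforces the motd's request to change it; add `chage -d 0 pi` after the sed so the password is expired and the first login, key-based ssh logins included via PAM, has to set a new one. The `%adm ALL=NOPASSWD: /usr/bin/dmesg` rule is spliced into /etc/sudoers with sed: if the stock `%sudo` line ever differs the rule is silently dropped, and any slip in the replacement leaves an unparseable sudoers that disables sudo for everyone. Write it as a drop-in and check it instead: `echo '%adm ALL=NOPASSWD: /usr/bin/dmesg' > /etc/sudoers.d/adm-dmesg`, `chmod 0440 /etc/sudoers.d/adm-dmesg`, `visudo -cf /etc/sudoers.d/adm-dmesg || exit 1`. With `APT::Periodic::Unattended-Upgrade "0"` security updates are never applied on their own, which is a legitimate choice but worth saying in the comment, since apticron only reports them and someone has to act on the mail.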
@@ -137,3 +211,4 @@ steps:
- shell: |
rm "${ROOT?}/etc/resolv.conf"
root-fs: /
+
# fstab installed into the image by raspi3.yaml.  File systems are addressed
# by label so the image boots regardless of the block device name the
# firmware/kernel assign to the card.
# The root file system has fs_passno=1 as per fstab(5) for automatic fsck.
# noatime avoids an inode write on every read, which matters on SD cards.
LABEL=RASPIROOT / ext3 rw,noatime 0 1
# All other file systems have fs_passno=2 as per fstab(5) for automatic fsck.
LABEL=RASPIFIRM /boot/firmware vfat rw 0 2
# NOTE(review): `sync` has no practical effect on procfs, which has nothing
# to flush to storage.  If hardening was the intent, hidepid=2 is the option
# that limits what unprivileged users can see under /proc — confirm it does
# not break systemd-logind/polkit on buster before switching to it.
proc /proc proc defaults,sync 0 0
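# See https://wiki.debian.org/RaspberryPi3 for known issues and more details.
#
# vmdb2 specification for a Debian buster arm64 image for the Raspberry Pi 3,
# with a few hardening choices on top of the stock Debian recipe:
#   * sshd accepts public keys only, and only from members of `sshusers`;
#     root has no authorized key in the finished image.
#   * The single interactive account, `pi`, is created with the published
#     default password but expired at build time, so the first login must
#     replace it.
#   * SSH host keys are stripped from the image and regenerated on first
#     boot, so images built from this file never share host keys.

steps:
  - mkimg: "{{ output }}"
    size: 1700M

  - mklabel: msdos
    device: "{{ output }}"

  - mkpart: primary
    fs-type: 'fat32'
    device: "{{ output }}"
    start: 0%
    end: 20%
    tag: /boot

  # Root-partition encryption is not enabled.  If it is turned on, keep the
  # passphrase file out of version control and out of the built image.
  #- cryptsetup: /
  #  tag: root_crypt
  #  key-file: disk.pass

  - mkpart: primary
    device: "{{ output }}"
    start: 20%
    end: 100%
    tag: /

  - kpartx: "{{ output }}"

  - mkfs: vfat
    partition: /boot
    label: RASPIFIRM

  - mkfs: ext3
    partition: /
    label: RASPIROOT

  - mount: /

  - mount: /boot
    mount-on: /
    dirname: '/boot/firmware'

  - unpack-rootfs: /

  # We need to use Debian buster (currently testing) instead of Debian stretch
  # (currently stable) for:
  #
  # linux ≥ 4.14
  # Which includes the sdhost driver for faster SD card access and making the
  # WiFi chip available, and has the WiFi driver enabled.
  #
  # raspi3-firmware ≥ 1.20171201-1
  # Which includes a recent enough firmware version to correctly pass the MAC
  # address to the kernel. This is a regression with Linux ≥ 4.12, see
  # https://github.com/raspberrypi/firmware/issues/846
  # Also, this package contains a Raspberry Pi 3-specific firmware file
  # required by the WiFi driver.
  - qemu-debootstrap: buster
    mirror: http://deb.debian.org/debian
    target: /
    arch: arm64
    components:
      - main
      - contrib
      - non-free
    unless: rootfs_unpacked

  # TODO(https://bugs.debian.org/877855): remove this workaround once
  # debootstrap is fixed
  - chroot: /
    shell: |
      echo 'deb http://deb.debian.org/debian buster main contrib non-free' > /etc/apt/sources.list
      apt-get update
    unless: rootfs_unpacked

  - apt: install
    packages:
      - ssh
      - parted
      - dosfstools
      # Contains /lib/firmware/brcm/brcmfmac43430-sdio.bin (required for WiFi).
      - firmware-brcm80211
      - wireless-tools
      - wpasupplicant
      - raspi3-firmware
      - linux-image-arm64
      #- sysvinit-core
      #- sysvinit-utils
      #- ntpdate
      - vim
      - lv
      - sudo
      - fake-hwclock
      - etckeeper
      - locales
      # msmtp is the mail transport for apticron / apt-listchanges reports.
      - msmtp
      - apt-listchanges
      - apticron
      #- deborphan
      - molly-guard
      - screenfetch
    tag: /
    unless: rootfs_unpacked

  - cache-rootfs: /
    unless: rootfs_unpacked

  # Host-side configuration of the unpacked root file system.  This runs
  # outside the chroot, so paths go through ${ROOT} and only the build host's
  # users and groups can be named (hence root, not pi, owns the staged key).
  - shell: |
      echo "rpi3" > "${ROOT?}/etc/hostname"
      sed -i 's,localhost$,localhost rpi3,' "${ROOT?}/etc/hosts"

      # root keeps the entry debootstrap leaves in /etc/shadow (normally a
      # locked '*'); the former default of '..VyaTFxP8kT6', i.e.
      # crypt.crypt('raspberry', '..'), is deliberately no longer set.

      # OpenSSH: public keys only, and only for the sshusers group (the group
      # itself is created in the chroot step below).  The directive is
      # rewritten whether the stock file has it commented out or not, and the
      # build fails if it is missing afterwards, rather than silently shipping
      # password logins for an account whose password is published.
      sed -i 's,^#*PasswordAuthentication .*,PasswordAuthentication no,' "${ROOT?}/etc/ssh/sshd_config"
      grep -q '^PasswordAuthentication no$' "${ROOT?}/etc/ssh/sshd_config" || exit 1
      printf '\nAllowGroups sshusers\n' >> "${ROOT?}/etc/ssh/sshd_config"
      # PermitRootLogin is left at its default (prohibit-password); root ends
      # up without an authorized key, so root cannot log in over ssh at all.

      # NOTE(review): hosts.allow/hosts.deny only govern sshd if this OpenSSH
      # build is linked against libwrap — confirm for buster; the iptables
      # rules installed below are the filter to rely on either way.
      install -m 644 -o root -g root hosts.deny "${ROOT?}/etc/hosts.deny"
      install -m 644 -o root -g root hosts.allow "${ROOT?}/etc/hosts.allow"

      # Stage the administrator's public key under /root; the chroot step
      # moves it to ~pi once that account exists and removes it from root.
      install -m 700 -o root -g root -d "${ROOT?}/root/.ssh"
      install -m 600 -o root -g root rpi3-ssh-key.pub "${ROOT?}/root/.ssh/authorized_keys"

      install -m 644 -o root -g root fstab "${ROOT?}/etc/fstab"
      install -m 644 -o root -g root eth0 "${ROOT?}/etc/network/interfaces.d/eth0"

      # NOTE(review): nothing in this file loads these rules at boot
      # (iptables-persistent is not in the package list); confirm the eth0
      # stanza or another unit restores them, otherwise they are inert.
      mkdir -p "${ROOT?}/etc/iptables"
      install -m 644 -o root -g root rules.v4 "${ROOT?}/etc/iptables/rules.v4"
      install -m 644 -o root -g root rules.v6 "${ROOT?}/etc/iptables/rules.v6"

      # Grow the root file system to the size of the card on first boot.
      install -m 755 -o root -g root rpi3-resizerootfs "${ROOT?}/usr/sbin/rpi3-resizerootfs"
      install -m 644 -o root -g root rpi3-resizerootfs.service "${ROOT?}/etc/systemd/system"
      mkdir -p "${ROOT?}/etc/systemd/system/systemd-remount-fs.service.requires/"
      ln -s /etc/systemd/system/rpi3-resizerootfs.service "${ROOT?}/etc/systemd/system/systemd-remount-fs.service.requires/rpi3-resizerootfs.service"

      # Host keys must never be baked into a distributed image: delete the
      # ones the ssh package generated and have them regenerated on first boot.
      install -m 644 -o root -g root rpi3-generate-ssh-host-keys.service "${ROOT?}/etc/systemd/system"
      mkdir -p "${ROOT?}/etc/systemd/system/multi-user.target.requires/"
      ln -s /etc/systemd/system/rpi3-generate-ssh-host-keys.service "${ROOT?}/etc/systemd/system/multi-user.target.requires/rpi3-generate-ssh-host-keys.service"
      rm -f "${ROOT?}"/etc/ssh/ssh_host_*_key*

      cat >> "${ROOT?}/etc/motd" <<'EOT'
      Please change the pi password by running passwd
      EOT
    root-fs: /

  # Configuration that needs the target's own tools, users and groups, so it
  # runs inside the chroot.  Ends with the cache clean-up that keeps the image
  # small.
  - chroot: /
    shell: |
      # Keep /etc under version control from the start.
      etckeeper init -d /etc
      #git remote add origin https://gitrep/user/repo.git
      #sed -i 's,^PUSH_REMOTE=""$,PUSH_REMOTE="https://gitrep/user/repo.git",' /etc/etckeeper/etckeeper.conf

      # Drop Diffie-Hellman group-exchange moduli shorter than 3072 bits
      # (column 5 is the prime size; the file lists 3071 for the 3072-bit group).
      awk '$5>=3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp
      mv /etc/ssh/moduli.tmp /etc/ssh/moduli
      # The group named by the AllowGroups directive written in the previous step.
      groupadd sshusers

      ln -sf /usr/share/zoneinfo/Asia/Tokyo /etc/localtime

      # APT: refresh package lists automatically but never install upgrades
      # unattended.  This is deliberate: apticron mails about pending updates
      # (security ones included), and a human applies them.
      printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n' > /etc/apt/apt.conf.d/20auto-upgrades

      # Let members of adm run dmesg without a password.
      # https://matoken.org/blog/2019/03/03/enable-dmesg-command-only-for-certain-groups/
      # A syntax-checked drop-in instead of patching /etc/sudoers with sed: a
      # malformed sudoers disables sudo for everyone, and a sed whose pattern
      # no longer matches drops the rule without any error.
      echo '%adm ALL=NOPASSWD: /usr/bin/dmesg' > /etc/sudoers.d/adm-dmesg
      chmod 0440 /etc/sudoers.d/adm-dmesg
      visudo -cf /etc/sudoers.d/adm-dmesg || exit 1
      sed -i 's,^# some more ls aliases,# some more ls aliases\nalias dmesg="sudo dmesg",' /etc/skel/.bashrc

      # Generate en_US.UTF-8 and ja_JP.UTF-8.
      sed -i 's,^# en_US.UTF-8,en_US.UTF-8,' /etc/locale.gen
      sed -i 's,^# ja_JP.UTF-8,ja_JP.UTF-8,' /etc/locale.gen
      locale-gen
      localedef -f UTF-8 -i en_US en_US.UTF-8
      #localedef -f UTF-8 -i ja_JP ja_JP.UTF-8
      # New users get a Japanese locale but English messages and timestamps.
      echo 'export LANG="ja_JP.UTF-8"' >> /etc/skel/.profile
      echo 'export LC_MESSAGES="en_US.UTF-8"' >> /etc/skel/.profile
      echo 'export LC_TIME="en_US.UTF-8"' >> /etc/skel/.profile

      # Working account pi (pi:raspberry) with sudo, ssh and adm rights.
      useradd --shell /bin/bash -G sudo,sshusers,adm -m pi
      # mkpasswd -m sha512crypt -S $(apg -a 0 -M NCL -n 1) raspberry
      sed -i 's,^pi:[^:]*,pi:$6$AbDijVees3$IPxnMoRF99xswLgs6kjaqv7l6ef7XLI29asYvTu5QIc1YiiZwh7vJ1.ZjwMaxc3lTI1J8xf0Gp6islVDUC6EX/,' "/etc/shadow"
      # That hash is published together with this file, so expire the
      # password now: the first login (key-based ssh logins included, through
      # PAM) has to choose a new one instead of trusting the motd request.
      chage -d 0 pi

      # Hand the staged administrator key to pi; root keeps none.
      #sudo -u pi ssh-keygen -q -t ed25519 -N '' -f ~/.ssh/id_ed25519
      install -m 700 -o pi -g pi -d ~pi/.ssh
      install -m 600 -o pi -g pi /root/.ssh/authorized_keys ~pi/.ssh/authorized_keys
      rm /root/.ssh/authorized_keys

      apt-get purge -y nano

      # Clean up archive cache (likely not useful) and lists (likely outdated) to
      # reduce image size by several hundred megabytes.
      apt-get clean
      rm -rf /var/lib/apt/lists

  # Modify the kernel commandline we take from the firmware to boot from
  # the partition labeled raspiroot instead of forcing it to mmcblk0p2
  - chroot: /
    shell: |
      ls -aR /boot
      sed -i 's/.dev.mmcblk0p2/LABEL=RASPIROOT/' /boot/firmware/cmdline.txt

  # TODO(https://github.com/larswirzenius/vmdb2/issues/24): remove once vmdb
  # clears /etc/resolv.conf on its own.
  - shell: |
      rm "${ROOT?}/etc/resolv.conf"
    root-fs: /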