Remote access mkinitcpio hook
#!/bin/bash
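#######################################
# Copy one host account into the initramfs: its passwd and shadow entries
# plus the group entries for every group it belongs to.
# Globals:   BUILDROOT (read) - staging directory of the image being built
# Arguments: $1 - user name
# Outputs:   appends to $BUILDROOT/etc/{passwd,shadow,group}
# Returns:   0 on success, the last failing lookup's status otherwise
#            (getent exits 2 when a name is unknown)
#######################################
add_user() {
  local user=$1
  local group_list
  local -a groups=()
  local rv=0

  getent passwd "$user" >>"$BUILDROOT/etc/passwd" || rv=$?
  # NOTE(review): the shadow line is copied verbatim, hash included; confirm
  # that the accounts passed here have locked passwords or that the generated
  # image is readable by root only.
  getent shadow "$user" >>"$BUILDROOT/etc/shadow" || rv=$?

  # `id -Gn` prints space-separated group names. Quoting that output as a
  # single argument (as the original did) made getent look up one group named
  # "grp1 grp2 ..." which never exists, so no group entries were copied.
  if group_list=$(id -Gn "$user"); then
    read -ra groups <<<"$group_list"
    # A bare `getent group` with no names dumps the whole database; skip it.
    if (( ${#groups[@]} > 0 )); then
      getent group "${groups[@]}" >>"$BUILDROOT/etc/group" || rv=$?
    fi
  else
    rv=1
  fi

  return "$rv"
}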
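#######################################
# Force a global sshd_config keyword to a value inside the image.
# An existing top-level line (commented or not) is rewritten in place, as
# before; when no such line exists the directive is prepended so that it
# precedes any Match block, because sshd uses the first value it sees for a
# keyword. Rewriting alone silently did nothing when the line was absent.
# Arguments: $1 - path to the sshd_config being edited
#            $2 - keyword, e.g. PermitRootLogin
#            $3 - value
# Returns:   non-zero if the file could not be rewritten
#######################################
sshd_set_option() {
  local config=$1 keyword=$2 value=$3

  sed -Ei "s/^#?${keyword}([[:space:]].*)?$/${keyword} ${value}/" -- "$config" || return
  if ! grep -Eq "^${keyword}([[:space:]]|$)" -- "$config"; then
    {
      printf '%s %s\n' "$keyword" "$value"
      cat -- "$config"
    } >"$config.tmp" && mv -- "$config.tmp" "$config"
  fi
}

#######################################
# mkinitcpio build hook: add networking (systemd-networkd + tailscale) and an
# sshd to the initramfs so an encrypted root can be unlocked remotely before
# cryptsetup prompts for the passphrase.
# Globals:   BUILDROOT (read) - staging directory of the image being built
# Arguments: none
# Outputs:   diagnostics from systemd-analyze on stdout/stderr
# Returns:   0; the add_* helpers report their own failures
#######################################
build() {
  local sshd_config="$BUILDROOT/etc/ssh/sshd_config"
  # Keys of the interactive account are reused for root inside the initrd.
  local -r authorized_keys=/home/tavianator/.ssh/authorized_keys
  local unit directive

  add_systemd_unit cryptsetup-pre.target

  # systemd-networkd, enabled at sysinit, with the host's network
  # configuration and the drivers/modules it may need.
  add_systemd_unit systemd-networkd.service
  add_symlink /etc/systemd/system/sysinit.target.wants/systemd-networkd.service \
    /usr/lib/systemd/system/systemd-networkd.service
  add_full_dir /etc/systemd/network
  add_checked_modules /drivers/net
  add_module bridge
  add_user systemd-network

  # tailscaled, its socket, the CLI and the tun/netfilter prerequisites.
  add_systemd_unit tailscaled.service
  add_systemd_unit tailscaled.socket
  add_symlink /etc/systemd/system/sysinit.target.wants/tailscaled.service \
    /usr/lib/systemd/system/tailscaled.service
  add_module tun
  map add_binary ip{,6}tables
  add_full_dir /usr/lib/xtables
  add_all_modules netfilter
  add_binary tailscale
  # NOTE(review): tailscaled.state carries the node's key material and
  # /etc/ssh (copied below) the host private keys. Confirm the generated
  # image is not readable by unprivileged users before relying on this hook.
  add_file /var/lib/tailscale/tailscaled.state
  add_file /etc/default/tailscaled

  # sshd, enabled at sysinit, with host keys and configuration.
  add_systemd_unit sshd.service
  add_symlink /etc/systemd/system/sysinit.target.wants/sshd.service \
    /usr/lib/systemd/system/sshd.service
  # Privilege separation needs the unprivileged user and its chroot dir.
  add_user nobody
  add_dir /var/empty
  add_full_dir /etc/ssh

  # Both daemons must be running before cryptsetup asks for the passphrase,
  # so order them ahead of cryptsetup-pre.target and drop default deps.
  for unit in tailscaled.service sshd.service; do
    add_systemd_drop_in "$unit" order <<EOF
[Unit]
Wants=cryptsetup-pre.target
Before=cryptsetup-pre.target
DefaultDependencies=no
EOF
  done

  # Root login is what the initrd shell is for and PAM is not in the image;
  # the sed-only edit used before was a no-op whenever a keyword was absent.
  if [[ -f "$sshd_config" ]]; then
    for directive in 'AllowUsers root' 'PermitRootLogin yes' 'UsePAM no'; do
      sshd_set_option "$sshd_config" ${directive}
    done
  else
    warning "sshd_config not found in the image; root login was not configured"
  fi
  add_file "$authorized_keys" /root/.ssh/authorized_keys

  # Report unit problems at build time rather than discovering them in the
  # initrd; a non-zero status is surfaced as a warning, not a build failure.
  systemd-analyze verify --root="$BUILDROOT" default.target \
    || warning "systemd-analyze verify reported problems with default.target"
}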
#######################################
# Print the hook's one-line description.
# Outputs:   the description on stdout, newline-terminated
#######################################
help() {
  printf '%s\n' 'Enables remote access into the initrd to unlock encrypted disks.'
}