Add banner

sync dev

README.md

@@ -1,16 +1,16 @@
 # Deploy Alpine Linux on a headless system
 
-[Alpine Linux documentation](https://docs.alpinelinux.org/user-handbook/0.1a/Installing/setup_alpine.html) assumes one can interract with system directly with a keyboard & display.\
+[Alpine Linux documentation](https://docs.alpinelinux.org/user-handbook/0.1a/Installing/setup_alpine.html) assumes **initial setup** is carried-out on a system with a keyboard & display to interract with.\
 However, there are many cases where one might want to deploy a headless system, only available through a network connection (ethernet, wifi or as USB ethernet gadget).
 
-This repo provides an **overlay file** to initially boot the headless system (leveraging Alpine distro's `initramfs` feature): it enables a basic ssh server to log-into from another Computer, in order to finalize system set-up.
+This repo provides an **overlay file** to initially boot such headless system (leveraging Alpine distro's `initramfs` feature): it enables a basic ssh server to log-into from another Computer, in order to finalize system setup.
 
 
 ## Install procedure:
-Please follow [Alpine Linux Wiki](https://wiki.alpinelinux.org/wiki/Installation#Installation_Overview) to download & create installation media for the chosen platform.\
+Please follow [Alpine Linux Wiki](https://wiki.alpinelinux.org/wiki/Installation#Installation_Overview) to download & create installation media for the target platform.\
 Tools provided here can be used on any plaform for any install modes (diskless, data disk, system disk).
 
-Just add [**headless.apkovl.tar.gz**](https://github.com/macmpi/alpine-linux-headless-bootstrap/raw/main/headless.apkovl.tar.gz) overlay file at the root of Alpine Linux boot media (or onto any custom side-media) and boot the system.
+Just add [**headless.apkovl.tar.gz**](https://github.com/macmpi/alpine-linux-headless-bootstrap/raw/main/headless.apkovl.tar.gz)[^1] overlay file at the root of Alpine Linux boot media (or onto any custom side-media) and boot the system.
 
 With default network interface definitions (and SSID/pass file if using wifi), one may then access the system under `ssh` with: `ssh root@<IP>`\
 (system IP address may be determined with any IP scanning tools such as `nmap`).
@@ -22,6 +22,7 @@ From there, system install can be fine-tuned as usual with `setup-alpine` for in
 Add-on files may be added next to `headless.apkovl.tar.gz` to customise setup (sample files are provided):
 - `wpa_supplicant.conf` (*mandatory for wifi usecase*): define wifi SSID & password.
 - `interfaces` (*optional*): define network interfaces at will, if defaults DCHP-based are not suitable.
+- `ssh_host_*_key*` (*optional*): provide custom ssh keys to be injected (can be stored), instead of bundled ones[^1] (not stored).
 - `unattended.sh` (*optional*): make custom automated deployment script to further tune & extend setup (backgrounded).
 
 *Note:* these files are linux text files: Windows/macOS users need to use text editors supporting linux text line-ending (such as [notepad++](https://notepad-plus-plus.org/), BBEdit or any other).
@@ -32,6 +33,8 @@ With Computer set-up to share networking with USB interface as 10.42.0.1 gateway
 
 Main execution steps are logged in `/var/log/messages`.
 
+[^1]: About bundled ssh keys: as this package is essentially intended to **quickly bootstrap** system in order to configure it, it purposely embeds [some ssh keys](https://github.com/macmpi/alpine-linux-headless-bootstrap/tree/main/overlay/etc/ssh) so that bootstrapping is as fast as possible. Those (temporary) keys are moved in RAM /tmp, so they will **not be saved/reused** once permanent configuration is set (with or without ssh server voluntarily installed in permanent setup).
+
 
 ## How to customize further ?
 This repository may be forked/cloned/downloaded.\
@@ -40,5 +43,5 @@ Execute `./make.sh` to rebuild `headless.apkovl.tar.gz` after changes.
 
 
 ## Credits
-Thanks for the original instructions & scripts from @sodface and @davidmytton.
+Thanks for the initial guides & scripts from @sodface and @davidmytton.
 

overlay/etc/local.d/headless.start

@@ -8,19 +8,19 @@ exec 1>/dev/console 2>&1
 logger -st ${0##*/} "Alpine Linux headless bootstrap v$VERSION by macmpi"
 
 mkdir /tmp/.trash
-ovlpath=$( find /media -type d -path '*/.*' -prune -o -type f -name *.apkovl.tar.gz -exec dirname {} \; | head -1 )
+ovlpath=$( find /media -maxdepth 2 -type d -path '*/.*' -prune -o -type f -name *.apkovl.tar.gz -exec dirname {} \; | head -1 )
 
 
 ## Setup Network interfaces
 if [ -f "${ovlpath}/wpa_supplicant.conf" ]; then
 	logger -st ${0##*/} "Wifi setup found !"
 	apk add wpa_supplicant
-	cp "${ovlpath}/wpa_supplicant.conf" /etc/wpa_supplicant/wpa_supplicant.conf
+	install -m600 "${ovlpath}/wpa_supplicant.conf" /etc/wpa_supplicant/wpa_supplicant.conf
 else
 	logger -st ${0##*/} "Wifi setup not found !"
 fi
 
-if ! cp "${ovlpath}/interfaces" /etc/network/interfaces; then
+if ! install -m644 "${ovlpath}/interfaces" /etc/network/interfaces; then
 	# set default interfaces if not specified by interface file on boot storage
 	logger -st ${0##*/} "No interfaces file supplied, building default interfaces..."
 	for dev in $(ls /sys/class/net)
@@ -77,22 +77,34 @@ rc-service networking start
 
 
 ## Setup temporary SSH server (root login, no password)
-## we use some bundled keys to avoid generation at boot and save time
+## we use some bundled or optionaly provided keys to avoid generation at boot and save time
-## bundled temporary keys are moved in /tmp so they won't be stored
-## within permanent config later (new ones will then be generated)
 apk add openssh
 
-mv /etc/ssh/ssh_host_* /tmp/.trash/.
+# banner file
+cat <<-EOF > /tmp/.trash/banner
+
+	Alpine Linux headless bootstrap v$VERSION by macmpi
+
+	EOF
+
+# bundled temporary keys are moved in RAM /tmp so they won't be stored
+# within permanent config later (new ones will then be generated)
+mv /etc/ssh/ssh_host_*_key* /tmp/.trash/.
 
 cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
 cat <<-EOF >> /etc/ssh/sshd_config
 	AuthenticationMethods none
 	PermitEmptyPasswords yes
 	PermitRootLogin yes
-	HostKey /tmp/.trash/ssh_host_ed25519_key
+	Banner /tmp/.trash/banner
-	HostKey /tmp/.trash/ssh_host_rsa_key
 	EOF
 
+# inject optional custom keys (those might be stored)
+if ! install -m600 "${ovlpath}"/ssh_host_*_key* /etc/ssh/; then
+	echo "HostKey /tmp/.trash/ssh_host_ed25519_key" >> /etc/ssh/sshd_config
+	echo "HostKey /tmp/.trash/ssh_host_rsa_key" >> /etc/ssh/sshd_config
+fi
+
 cp /etc/conf.d/sshd /etc/conf.d/sshd.orig
 cat <<-EOF >> /etc/conf.d/sshd
 	sshd_disable_keygen=yes

sample_unattended.sh

@@ -1,6 +1,85 @@
 #/bin/sh
 
+## collection of few code snippets as sample unnatteded actions some may find usefull
+
+
+## Obvious one; reminder: is run in the background
 echo hello world !!
 sleep 60
+
+########################################################
+
+
+## This snippet removes apkovl file on volume after initial boot
+ovlpath=$( find /media -maxdepth 2 -type d -path '*/.*' -prune -o -type f -name *.apkovl.tar.gz -exec dirname {} \; | head -1 )
+
+# also works in case volume is mounted read-only
+grep -q "${ovlpath}.*[[:space:]]ro[[:space:],]" /proc/mounts; RO=$?
+[ "$RO" -eq "0" ] && mount -o remount,rw "${ovlpath}"
+rm "${ovlpath}"/*.apkovl.tar.gz
+[ "$RO" -eq "0" ] && mount -o remount,ro "${ovlpath}"
+
+########################################################
+
+
+## This snippet configures Minimal diskless environment
+# note: with INTERFACESOPTS=none, no networking will be setup so it won't work after reboot!
+# Change it or run setup-interfaces in interractive mode afterwards (and lbu commit -d thenafter)
+
+logger -st ${0##*/} "Setting-up minimal environment"
+
+cat <<-EOF > /tmp/ANSWERFILE
+	# base answer file for setup-alpine script
+
+	# Do not set keyboard layout
+	KEYMAPOPTS=none
+
+	# Keep hostname
+	HOSTNAMEOPTS="$(hostname)"
+
+	# Set device manager to mdev
+	DEVDOPTS=mdev
+
+	# Contents of /etc/network/interfaces
+	INTERFACESOPTS=none
+
+	# Set Public nameserver
+	DNSOPTS="-n 208.67.222.222"
+
+	# Set timezone to UTC
+	TIMEZONEOPTS="UTC"
+
+	# set http/ftp proxy
+	PROXYOPTS=none
+
+	# Add first mirror (CDN)
+	APKREPOSOPTS="-1"
+
+	# Do not create any user
+	USEROPTS=none
+
+	# No Openssh
+	SSHDOPTS=none
+
+	# Use openntpd
+	NTPOPTS="chrony"
+
+	# No disk install (diskless)
+	DISKOPTS=none
+
+	# Setup storage for diskless (find boot directory in /media/xxxx/apk/.boot_repository)
+	LBUOPTS="$( find /media -maxdepth 3 -type d -path '*/.*' -prune -o -type f -name '.boot_repository' -exec dirname {} \; | head -1 | xargs dirname )"
+	APKCACHEOPTS="\$LBUOPTS/cache"
+
+	EOF
+
+# trick setup-alpine to pretend existing SSH connection
+# and therefore keep (do not reset) network interfaces while running in background
+SSH_CONNECTION="FAKE" setup-alpine -ef /tmp/ANSWERFILE
+lbu commit -d
+
+########################################################
+
+
 logger -st ${0##*/} "Finished unattended script"