dangerzone/vm-builder/run-vm.sh

#!/bin/bash

ROOT=$(pwd)/vm
HYPERKIT=$(pwd)/../share/bin/hyperkit
VPNKIT=$(pwd)/../share/bin/vpnkit

SSHD_PORT=4445
SSHD_TUNNEL_PORT=4446

tmp="$(mktemp -d)"
trap rm -rf "$tmp" EXIT

# make ssh keys
/usr/bin/ssh-keygen \
    -t ed25519 \
    -C dangerzone-host \
    -N "" \
    -f "$tmp/host_ed25519"
/usr/bin/ssh-keygen \
    -t ed25519 \
    -C dangerzone-client \
    -N "" \
    -f "$tmp/client_ed25519"

# run sshd
SSHD_PIDFILE=$ROOT/sshd.pid
/usr/sbin/sshd \
    -4 \
    -E $ROOT/sshd.log \
    -o PidFile=$ROOT/sshd.pid \
    -o HostKey=$tmp/host_ed25519 \
    -o ListenAddress=127.0.0.1:$SSHD_PORT \
    -o AllowUsers=$(whoami) \
    -o PasswordAuthentication=no \
    -o PubkeyAuthentication=yes \
    -o Compression=yes \
    -o ForceCommand=/usr/bin/whoami \
    -o UseDNS=no \
    -o AuthorizedKeysFile=$tmp/client_ed25519.pub &
echo $! > $SSHD_PIDFILE
trap 'test -f $SSHD_PIDFILE && kill `cat $SSHD_PIDFILE` && rm $SSHD_PIDFILE' EXIT

# create disk image
cd $ROOT
cat > info.json << EOF
{
    "id_ed25519": "$(cat $tmp/client_ed25519 | awk '{printf "%s\\n", $0}')",
    "id_ed25519.pub": "$(cat $tmp/client_ed25519.pub)",
    "user": "$(whoami)",
    "ip": "192.168.65.2",
    "port": $SSHD_PORT,
    "tunnel_port": $SSHD_TUNNEL_PORT
}
EOF
python3 -c 's=open("info.json").read(); open("disk.img", "wb").write(s.encode()+b"\x00"*(512*1024-len(s)))'

# run vpnkit
VPNKIT_SOCK=$ROOT/vpnkit.eth.sock
VPNKIT_PIDFILE=$ROOT/vpnkit.pid
$VPNKIT \
    --ethernet=$VPNKIT_SOCK \
    --gateway-ip 192.168.65.1 \
    --host-ip 192.168.65.2 \
    --lowest-ip 192.168.65.3 \
    --highest-ip 192.168.65.254 &
echo $! > $VPNKIT_PIDFILE
trap 'test -f $VPNKIT_PIDFILE && kill `cat $VPNKIT_PIDFILE` && rm $VPNKIT_PIDFILE' EXIT

# run hyperkit
$HYPERKIT \
    -F $ROOT/hyperkit.pid \
    -A -u \
    -m 4G \
    -c 2 \
    -s 0:0,hostbridge -s 31,lpc \
    -l com1,stdio \
    -s 1:0,ahci-cd,$ROOT/dangerzone.iso \
    -s 2:0,virtio-vpnkit,path=$VPNKIT_SOCK \
    -s 3:0,virtio-blk,$ROOT/disk.img \
    -U 9efa82d7-ebd5-4287-b1cc-ac4160a39fa7 \
    -f kexec,$ROOT/kernel,$ROOT/initramfs.img,"earlyprintk=serial console=ttyS0 modules=loop,squashfs,sd-mod"