almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-30 18:52:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 7
dangerzone/install/vm-builder/genapkovl-dangerzone.sh
Micah Lee da75559e3a
Start working on ssh reverse tunnel stuff
2021-06-30 16:21:40 -07:00

164 lines
3.6 KiB
Bash
Raw Blame History

#!/bin/sh -e
HOSTNAME="$1"
if [ -z "$HOSTNAME" ]; then
echo "usage: $0 hostname"
exit 1
fi
cleanup() {
rm -rf "$tmp"
}
makefile() {
OWNER="$1"
PERMS="$2"
FILENAME="$3"
cat > "$FILENAME"
chown "$OWNER" "$FILENAME"
chmod "$PERMS" "$FILENAME"
}
rc_add() {
mkdir -p "$tmp"/etc/runlevels/"$2"
ln -sf /etc/init.d/"$1" "$tmp"/etc/runlevels/"$2"/"$1"
}
tmp="$(mktemp -d)"
trap cleanup EXIT
mkdir -p "$tmp"/etc/apk
makefile root:root 0644 "$tmp"/etc/apk/world <<EOF
alpine-base
openssh
podman
EOF
# Custom sshd config
mkdir -p "$tmp"/etc/ssh
makefile root:root 0644 "$tmp"/etc/ssh/sshd_config <<EOF
AuthorizedKeysFile .ssh/authorized_keys
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
Subsystem sftp /usr/lib/ssh/sftp-server
UseDNS no
PasswordAuthentication no
EOF
# Script to read info from host
makefile root:root 0755 "$tmp"/etc/read-info-from-host <<EOF
#!/usr/bin/env python3
import json
# Read data
with open("/dev/vda", "rb") as f:
s = f.read()
info = json.loads(s[0:s.find(b"\0")])
# Create SSH files
os.makedirs("/home/user/.ssh", exist_ok=True)
with open("/home/user/.ssh/id_ed25519") as f:
f.write(info["id_ed25519"])
with open("/home/user/.ssh/id_ed25519.pub") as f:
f.write(info["id_ed25519.pub"])
with open("/home/user/.ssh/authorized_keys") as f:
f.write(info["id_ed25519.pub"])
with open("/home/user/.ssh/env_ssh_target") as f:
f.write(info['ssh_target'])
with open("/home/user/.ssh/env_sshd_port") as f:
f.write(info['sshd_port'])
with open("/home/user/.ssh/env_sshd_tunnel_port") as f:
f.write(info['sshd_tunnel_port'])
EOF
# Dangerzone alpine setup
makefile root:root 0644 "$tmp"/etc/answers.txt <<EOF
KEYMAPOPTS="us us"
HOSTNAMEOPTS="-n dangerzone"
INTERFACESOPTS="auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
hostname dangerzone
"
DNSOPTS="-d example.com 4.4.4.4"
TIMEZONEOPTS="-z UTC"
SSHDOPTS="-c openssh"
EOF
mkdir -p "$tmp"/etc/init.d
makefile root:root 0755 "$tmp"/etc/init.d/dangerzone <<EOF
#!/sbin/openrc-run
name="Dangerzone init script"
start_pre() {
# Setup Alpine
/sbin/setup-alpine -f /etc/answers.txt -e -q
rm /etc/answers.txt
# Create user
/usr/sbin/adduser -D -u 1001 user
# Move containers into home dir
mkdir -p /home/user/.local/share
mv /etc/container-data /home/user/.local/share/containers
chown -R user:user /home/user/.local
# Allow podman containers to run
echo "user:100000:65536" >> /etc/subuid
echo "user:100000:65536" >> /etc/subgid
# Get info from the host
/etc/read-info-from-host
chmod 700 /home/user/.ssh
chmod 600 /home/user/.ssh/*
# Start the ssh reverse tunnel
SSH_TARGET=$(cat /home/user/.ssh/env_ssh_target)
SSHD_PORT=$(cat /home/user/.ssh/env_sshd_port)
SSHD_TUNNEL_PORT=$(cat /home/user/.ssh/sshd_tunnel_port)
/usr/bin/ssh -o StrictHostKeyChecking=no -N -R $SSHD_TUNNEL_PORT:127.0.0.1:22 -p $SSHD_PORT $SSH_TARGET &
}
EOF
# Fix permissions and add containers to /etc/container-data, temporarily
for WEIRD_FILE in $(find /home/user/.local/share/containers -perm 000); do
chmod 600 $WEIRD_FILE
done
cp -r /home/user/.local/share/containers "$tmp"/etc/container-data
# Start cgroups, required by podman
rc_add cgroups boot
# Start sshd
rc_add sshd boot
# Run setup-alpine
rc_add dangerzone boot
rc_add devfs sysinit
rc_add dmesg sysinit
rc_add mdev sysinit
rc_add hwdrivers sysinit
rc_add modloop sysinit
rc_add hwclock boot
rc_add modules boot
rc_add sysctl boot
rc_add hostname boot
rc_add bootmisc boot
rc_add syslog boot
rc_add mount-ro shutdown
rc_add killprocs shutdown
rc_add savecache shutdown
tar -c -C "$tmp" etc | gzip -9n > $HOSTNAME.apkovl.tar.gz
Reference in a new issue View git blame Copy permalink