Initial commit

overlay/etc/fstab

@@ -0,0 +1,4 @@
+PARTLABEL=dch-data /var btrfs subvol=var,nosuid,noexec,nodev 0 2
+PARTLABEL=dch-data /run/etc btrfs subvol=etc,nosuid,noexec,nodev 0 0
+overlay /run/etc/rw overlay lowerdir=/etc,upperdir=/run/etc/rw,workdir=/run/etc/.work 0 0
+/run/etc/rw/ssh /etc/ssh none bind 0 0

overlay/etc/resolv.conf

@@ -0,0 +1 @@
+../run/systemd/resolve/resolv.conf

overlay/etc/ssh/sshd_config.d/authorized-keys-command.conf

@@ -0,0 +1,2 @@
+AuthorizedKeysCommand /usr/libexec/ssh-authorized-keys %u %t
+AuthorizedKeysCommandUser nobody

overlay/etc/systemd/network/90-default.network

@@ -0,0 +1,5 @@
+[Match]
+Type=ether
+
+[Network]
+DHCP=yes

overlay/usr/bin/system-update

@@ -0,0 +1,135 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+
+cleanup() {
+    cd /
+    if [ -n "${workdir}" ] && [ "${workdir}" != / ]; then
+        rm -rf "${workdir}"
+    fi
+    unset workdir
+}
+
+die() {
+    rc=$?
+    if [ $rc -eq 0 ]; then
+        rc=1
+    fi
+    error "$@"
+    exit $rc
+}
+
+error() {
+    if [ $# -eq 1 ]; then
+        echo "$1" >&2
+    elif [ $# -gt 1 ]; then
+        printf "$@" >&2
+    fi
+}
+
+extract_update() {
+    zstd -dc update.tar.zstd | tar -x \
+        || die 'Could not extract update source'
+    sha256sum -c digests \
+        || die 'Invalid update source: checksum mismatch'
+}
+
+fetch_update() {
+    wget -O update.tar.zstd "$1"
+}
+
+get_root() {
+    set -- $(cat /proc/cmdline)
+    while [ $# -gt 0 ]; do
+        case "$1" in
+            root=*)
+                _root=${1#root=}
+                ;;
+        esac
+        shift
+    done
+    echo $(findfs "${_root}")
+}
+
+get_partlabel() {
+    blkid -o value -s PARTLABEL "$1"
+}
+
+help() {
+    usage
+}
+
+info() {
+    if [ $# -eq 1 ]; then
+        echo "$1" >&2
+    elif [ $# -gt 1 ]; then
+        printf "$@" >&2
+    fi
+}
+
+usage() {
+    printf 'usage: %s source_url\n' "${0##*/}"
+}
+
+while [ $# -gt 0 ]; do
+    case "$1" in
+    --help)
+        help
+        exit 0
+        ;;
+    *)
+        if [ -z "${source_url}" ]; then
+            source_url="$1"
+        else
+            usage >&2
+            exit 2
+        fi
+        ;;
+    esac
+    shift
+done
+
+if [ -z "${source_url}" ]; then
+    usage >&2
+    exit 2
+fi
+
+root=$(get_root)
+partlabel=$(get_partlabel "${root}")
+
+case "${partlabel}" in
+rootfs-a)
+    newpartlabel=rootfs-b
+    ;;
+rootfs-b)
+    newpartlabel=rootfs-a
+    ;;
+*)
+    die \
+        'Unsupported system configuration: invalid rootfs partition label: %s\n' \
+        "${partlabel}" >&2
+esac
+newroot=$(findfs PARTLABEL="${newpartlabel}")
+if [ -z "${newroot}" ]; then
+    die 'Could not find partition with label %s\n' "${partlabel}"
+fi
+info 'Current rootfs: %s (%s)\n' "${partlabel}" "${root}"
+info 'New rootfs: %s (%s)\n' "${newpartlabel}" "${newroot}"
+
+trap cleanup INT TERM QUIT EXIT
+workdir=$(mktemp -d)
+cd "${workdir}"
+
+fetch_update "${source_url}" || die 'Failed to fetch update source'
+extract_update || die 'Failed to extact update source'
+./install "${newroot}" || die 'Error installing system update'
+
+printf 'Do you want to reboot now? [y/N] '
+read confirm
+case "${confirm}" in
+[yY]|[yY][eE][sS])
+    systemctl reboot
+    ;;
+*)
+    info 'A reboot is required to complete the update'
+    ;;
+esac

overlay/usr/lib/firmware/brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module-ha-yellow.bin.xz

@@ -0,0 +1 @@
+../cypress/cyfmac43455-sdio.bin.xz

overlay/usr/lib/firmware/brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module-ha-yellow.txt

@@ -0,0 +1 @@
+brcmfmac43455-sdio.raspberrypi,4-model-b.txt.xz

overlay/usr/lib/systemd/system-preset/80-local-default.preset

@@ -0,0 +1,15 @@
+disable ldconfig.service
+
+disable systemd-userdbd.service
+disable systemd-userdbd.socket
+
+enable systemd-networkd-wait-online.service
+enable systemd-networkd.service
+enable systemd-networkd.socket
+
+#enable systemd-time-wait-sync.service
+
+disable getty@.service
+
+enable sshd.socket
+enable ssh-keygen.service

overlay/usr/lib/systemd/system/init-storage.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Initialize persistent data storage
+DefaultDependencies=no
+Before=local-fs-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/init-storage
+StandardInput=null
+StandardOutput=journal
+StandardError=journal

overlay/usr/lib/systemd/system/ssh-keygen.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Generate SSH host keys
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ssh-keygen -A
+
+[Install]
+WantedBy=sshd@.service

overlay/usr/lib/systemd/system/sshd@.service.d/after-keygen.conf

@@ -0,0 +1,2 @@
+[Unit]
+After=ssh-keygen.service

overlay/usr/lib/systemd/system/sysinit.target.wants/init-storage.service

@@ -0,0 +1 @@
+../init-storage.service

overlay/usr/libexec/init-storage

@@ -0,0 +1,57 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+
+cleanup() {
+    if [ -n "${tmpdir}" ] && [ "${tmpdir}" != / ]; then
+        if mountpoint -q "${tmpdir}"; then
+            umount "${tmpdir}"
+        fi
+        rm -rf "${tmpdir}"
+        unset tmpdir
+    fi
+}
+
+copy_var() {
+    dev="$1"
+
+    echo 'Copying /var contents to data volume'
+    mount -o subvol=var "${dev}" "${tmpdir}"
+    cp -auv /var/. "${tmpdir}"
+    umount "${tmpdir}"
+}
+
+format_dev() {
+    dev="$1"
+    printf 'Creating BTRFS filesystem on %s\n' "${dev}"
+    mkfs.btrfs "${dev}" || exit
+
+    mount "${dev}" "${tmpdir}" || exit
+    btrfs subvolume create "${tmpdir}"/etc || exit
+    mkdir -p "${tmpdir}"/etc/.work "${tmpdir}"/etc/rw || exit
+    btrfs subvolume create "${tmpdir}"/var || exit
+    btrfs subvolume create "${tmpdir}"/var/log || exit
+    umount "${dev}" || exit
+}
+
+has_fs() {
+    dev="$1"
+    fstype=$(blkid -o value -s TYPE "${dev}")
+    [ -n "${fstype}" ]
+}
+
+datapart=$(findfs PARTLABEL=dch-data)
+if [ -b "${datapart}" ]; then
+    printf 'Found data partition: %s\n' "${datapart}"
+else
+    echo 'Could not identify data partition' >&2
+    exit 1
+fi
+
+trap cleanup INT TERM QUIT EXIT
+tmpdir=$(mktemp -d -p /run storinit.XXXXXX)
+
+if ! has_fs "${datapart}"; then
+    format_dev "${datapart}"
+fi
+
+copy_var "${datapart}"

overlay/usr/libexec/ssh-authorized-keys

@@ -0,0 +1,4 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+
+exec wget -q -O - https://sshkeys.pyrocufflink.blue/"$1"/"$2".pub