Enable local persistent storage

Machine-specific data, such as SSH keys, should not be included in the
immutable root filesystem image, as this would prevent multiple machines
running from the same image.  These few files can be stored locally, on
the SD card on eMMC flash.

The first time a machine boots up using this image, its local storage is
initialized.  This involves creating a new filesystem on the block
device and generating SSH host keys.  Once the storage is initialized,
it is remounted read-only.  All subsequent mounts are read-only as well.

mkrootfs.sh

@@ -45,10 +45,6 @@ cp -p \
     "${srcdir}"/config.txt \
     "${destdir}"/boot/efi
 
-for x in ed25519 rsa ecdsa; do
-    chroot "${destdir}" /usr/libexec/openssh/sshd-keygen $x
-done
-
 tar --owner root:0 -C "${srcdir}/overlay" -c . \
     | tar -C "${destdir}" -x
 chown -R 1000:1000 "${destdir}"/home/user

overlay/etc/fstab

@@ -2,4 +2,6 @@ tmpfs /var/lib/rsyslog tmpfs defaults 0 0
 tmpfs /var/log tmpfs defaults 0 0
 tmpfs /var/lib/systemd tmpfs defaults 0 0
 tmpfs /var/lib/NetworkManager tmpfs defaults 0 0
+/dev/mmcblk0 /run/storage ext4 ro,noexec,nosuid,nodev,x-systemd.makefs 0 2
+overlay /etc/ssh overlay ro,lowerdir=/etc/ssh:/run/storage/ssh,noexec,nodev,nosuid,x-systemd.requires-mounts-for=/run/storage 0 0
 /dev/nbd1 swap swap noauto,x-systemd.makefs 0 0

overlay/etc/systemd/system/init-localstorage.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Initialize Local Storage
+DefaultDependencies=no
+After=local-fs-pre.target
+After=run-storage.mount
+Before=etc-ssh.mount
+Before=local-fs.target
+Conflicts=shutdown.target
+ConditionPathExists=!/run/storage/ssh
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/libexec/init-localstorage.sh
+
+[Install]
+WantedBy=run-storage.mount

overlay/etc/systemd/system/run-storage.mount.wants/init-localstorage.service

@@ -0,0 +1 @@
+../init-localstorage.service

overlay/usr/local/libexec/init-localstorage.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+die() {
+    remount_ro
+    echo "ERROR: $1" >&2
+    exit 1
+}
+
+gen_ssh_keys() {
+    unset kf x
+    mkdir -p /run/storage/ssh || die 'Could not create /run/storage/ssh'
+    for x in rsa ecdsa ed25519; do
+        kf=/run/storage/ssh/ssh_host_${x}_key
+        if [ ! -f ${kf} ]; then
+            ssh-keygen -t ${x} -f ${kf} -N '' -C '' \
+                || die "Failed to generate ${x} SSH host key"
+        fi
+    done
+}
+
+remount_ro() {
+    if [ -w /run/storage ]; then
+        mount -oremount,ro /run/storage
+    fi
+}
+
+remount_rw() {
+    if [ ! -w /run/storage ]; then
+        mount -o remount,rw /run/storage \
+            || die 'Could not remount /run/storage read-write'
+    fi
+}
+
+mountpoint -q /run/storage || die '/run/storage is not mounted'
+
+if [ ! -d /run/storage/ssh ]; then
+    remount_rw
+    gen_ssh_keys
+fi
+
+remount_ro