Initial commit

rootfs/device_table.txt

@@ -0,0 +1 @@
+/boot d 755 0 0 - - - - -

rootfs/overlay/etc/chrony.conf

@@ -0,0 +1,2 @@
+sourcedir /run/chrony-dhcp
+makestep 0.1 10

rootfs/overlay/etc/default/dhcpcd

@@ -0,0 +1 @@
+DAEMON_ARGS=-w

rootfs/overlay/etc/dhcpcd.conf

@@ -0,0 +1,56 @@
+# A sample configuration for dhcpcd.
+# See dhcpcd.conf(5) for details.
+
+# Allow users of this group to interact with dhcpcd via the control socket.
+#controlgroup wheel
+
+# Inform the DHCP server of our hostname for DDNS.
+hostname
+hostname_short
+
+# Use the hardware address of the interface for the Client ID.
+clientid
+# or
+# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
+# Some non-RFC compliant DHCP servers do not reply with this set.
+# In this case, comment out duid and enable clientid above.
+#duid
+
+# Persist interface configuration when dhcpcd exits.
+persistent
+
+# vendorclassid is set to blank to avoid sending the default of
+# dhcpcd-<version>:<os>:<machine>:<platform>
+vendorclassid
+
+# A list of options to request from the DHCP server.
+option domain_name_servers, domain_name, domain_search
+option classless_static_routes
+# Respect the network MTU. This is applied to DHCP routes.
+option interface_mtu
+
+# Request a hostname from the network
+option host_name
+
+# Most distributions have NTP support.
+option ntp_servers
+
+# Rapid commit support.
+# Safe to enable by default because it requires the equivalent option set
+# on the server to actually work.
+option rapid_commit
+
+option log_servers
+
+# A ServerID is required by RFC2131.
+require dhcp_server_identifier
+
+# Generate SLAAC address using the Hardware Address of the interface
+#slaac hwaddr
+# OR generate Stable Private IPv6 Addresses based from the DUID
+slaac private
+
+denyinterfaces dummy* veth* docker*
+
+env ntp_restart_cmd=chronyc reload sources
+env NTP_CONF=/run/chrony-dhcp/dhcpcd.conf

rootfs/overlay/etc/fstab

@@ -0,0 +1,3 @@
+tmpfs /root tmpfs size=1M,mode=550 0 0
+LABEL=RPIBOOT /boot/efi vfat defaults 0 0
+LABEL=metricspi /var btrfs subvol=var 0 0

rootfs/overlay/etc/ssh/sshd_config

@@ -0,0 +1,116 @@
+#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/bin:/sbin:/usr/bin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+AuthorizedKeysCommand /usr/libexec/ssh-authorized-keys %u %t
+AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

rootfs/overlay/etc/sudoers.d/20_jenkins.conf

@@ -0,0 +1 @@
+jenkins ALL = (ALL) NOPASSWD: ALL

rootfs/overlay/usr/lib/systemd/system-preset/90-default.preset

@@ -0,0 +1,31 @@
+enable chrony-wait.service
+
+enable dhcpcd.service
+
+enable dbus.socket
+enable dbus-broker.service
+
+enable sshd.service
+
+enable chronyd.service
+enable chrony.service
+
+enable auditd.service
+
+enable restorecond.service
+
+enable rsyslog.*
+enable syslog-ng.*
+enable sysklogd.*
+
+enable firewalld.service
+
+enable lm_sensors.service
+enable mcelog.*
+enable smartd.service
+
+enable rngd.service
+
+enable fstrim.timer
+
+enable logrotate.timer

rootfs/overlay/usr/lib/systemd/system-preset/99-default-disable.preset

@@ -0,0 +1 @@
+disable *

rootfs/overlay/usr/lib/systemd/system/chrony-wait.service

@@ -0,0 +1,47 @@
+[Unit]
+Description=Wait for chrony to synchronize system clock
+Documentation=man:chronyc(1)
+After=chrony.service chronyd.service
+After=network-online.target
+Before=time-sync.target
+Wants=time-sync.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+# Wait for chronyd to update the clock and the remaining
+# correction to be less than 0.1 seconds
+ExecStart=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1
+TimeoutStartSec=5m
+RemainAfterExit=yes
+StandardOutput=null
+
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0777
+
+[Install]
+WantedBy=multi-user.target

rootfs/overlay/usr/lib/systemd/system/collectd.service.d/after-network-online.conf

@@ -0,0 +1,7 @@
+[Unit]
+# If collectd starts before eth0 is "UP," it will fail to bind to the TCP
+# socket for Prometheus:
+#
+#     write_prometheus plugin: Opening a listening socket for [::]:9103 failed.
+After=network-online.target
+Wants=network-online.target

rootfs/overlay/usr/lib/systemd/system/copy-var.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Copy /var contents to writable storage
+DefaultDependencies=no
+After=local-fs.target
+Before=sysinit.target
+Before=systemd-update-done.service
+ConditionPathIsMountPoint=/var
+ConditionNeedsUpdate=/var
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/copy-var.sh

rootfs/overlay/usr/lib/systemd/system/dhcpcd.service.d/before-network-online.conf

@@ -0,0 +1,2 @@
+[Unit]
+Before=network-online.target

rootfs/overlay/usr/lib/systemd/system/dhcpcd.service.d/pidfile.conf

@@ -0,0 +1,2 @@
+[Service]
+PIDFile=/run/dhcpcd/pid

rootfs/overlay/usr/lib/systemd/system/sysinit.target.wants/copy-var.service

@@ -0,0 +1 @@
+../copy-var.service

rootfs/overlay/usr/lib/tmpfiles.d/chrony.conf

@@ -0,0 +1 @@
+d /run/chrony-dhcp 0755 root root

rootfs/overlay/usr/libexec/copy-var.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -e
+
+cleanup() {
+    if [ -n "${tmpdir}" ] && [ -d "${tmpdir}" ] && [ / != "${tmpdir}" ]; then
+        if mountpoint -q "${tmpdir}"; then
+            umount "${tmpdir}"
+        fi
+        rm -rf "${tmpdir}"
+    fi
+    unset tmpdir
+}
+
+if ! mountpoint -q /var; then
+    exit 0
+fi
+
+tmpdir=$(TMPDIR=/run mktemp -d)
+trap cleanup INT QUIT TERM EXIT
+
+mount -o bind / "${tmpdir}"
+cp -a "${tmpdir}"/var/. /var/
+
+if [ -x "$(command -v selinuxenabled)" ] && selinuxenabled; then
+    restorecon -RF /var
+fi

rootfs/overlay/usr/libexec/ssh-authorized-keys

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+USER="${1}"
+KEYTYPE="${2}"
+
+curl -gs http://sshkeys.pyrocufflink.blue/"${USER}"/"${KEYTYPE}".pub

rootfs/post-fakeroot.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+systemd-hwdb --root="${TARGET_DIR}" --usr --strict update
+# Even with --usr, systemd-hwdb seems to always create hwdb.bin in
+# /etc/udev.  Perhaps this is a bug when specifying --root.
+if [ -f "${TARGET_DIR}"/etc/udev/hwdb.bin ]; then
+    mv "${TARGET_DIR}"/etc/udev/hwdb.bin "${TARGET_DIR}"/usr/lib/udev/
+fi

rootfs/post-image.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# shellcheck disable=SC2154
+cp -v "${BR2_EXTERNAL_metricspi_PATH}"/cmdline.txt \
+	"${BINARIES_DIR}"/rpi-firmware/cmdline.txt

rootfs/users

@@ -0,0 +1 @@
+    jenkins 3000018 jenkins 3000017 * /home/jenkins /bin/sh - Jenkins