Initial commit

.gitignore

@@ -0,0 +1,6 @@
+authorized_keys
+entries/
+entries.tar
+*.img
+*.raw
+*.raw.xz

README.md

@@ -0,0 +1,38 @@
+# Serial Pi
+
+Download and extract Fedora Minimal image:
+
+```sh
+curl -fLO 'https://dl.fedoraproject.org/pub/fedora-secondary/releases/39/Spins/aarch64/images/Fedora-Minimal-39-1.5.aarch64.raw.xz'
+unxz Fedora-Minimal-39-1.5.aarch64.raw.xz
+```
+
+Resize the disk to match the SD card:
+
+```sh
+truncate -s $((31291392 * 512)) serialpi.img
+virt-resize --expand /dev/sda3 --no-expand-content Fedora-Minimal-39-1.5.aarch64.raw serialpi.img
+```
+
+The `--no-expand-content` argument is necessary because otherwise,
+`virt-resize` fails with an error, as the ext4 filesystem in the image uses
+features it does not support.
+
+
+Populate `authorized_keys`:
+
+```sh
+cp ~/.ssh/id_ed25519_sk.pub authorized_keys
+```
+
+Customize with `guestfish`:
+
+```sh
+guestfish -a serialpi.img -f customize.guestfish
+```
+
+Write image to SD card:
+
+```sh
+pv serialpi.img | dd of=/dev/disk/by-id/usb-Generic_STORAGE_DEVICE_000000001206-0:0 bs=1M oflag=sync conv=sparse
+```

chrony-wait.service

@@ -0,0 +1,47 @@
+[Unit]
+Description=Wait for chrony to synchronize system clock
+Documentation=man:chronyc(1)
+After=chrony.service chronyd.service
+After=network-online.target
+Before=time-sync.target
+Wants=time-sync.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+# Wait for chronyd to update the clock and the remaining
+# correction to be less than 0.1 seconds
+ExecStart=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1
+TimeoutStartSec=5m
+RemainAfterExit=yes
+StandardOutput=null
+
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0777
+
+[Install]
+WantedBy=time-sync.target

customize.guestfish

@@ -0,0 +1,40 @@
+#/usr/bin/guestfish -f
+run
+mount /dev/sda3 /
+mount /dev/sda2 /boot
+mount /dev/sda1 /boot/efi
+
+!rm -rf entries
+!mkdir entries
+tar-out /boot/loader/entries - | tar -C entries -x
+!sed -i '/options/s/\bro\b/rw/' entries/*.conf
+!tar -cf entries.tar -C entries .
+tar-in entries.tar /boot/loader/entries
+!rm -rf entries.tar entries
+
+write-append /boot/efi/config.txt dtoverlay=disable-bt
+write-append /boot/efi/config.txt dtoverlay=disable-wifi
+
+write /etc/hostname serial1.pyrocufflink.blue
+write /etc/machine-id uninitialized
+
+write /etc/sysconfig/ssh-host-cert-sign SSHCA_SERVER=https://sshca.pyrocufflink.blue
+upload ssh-host-certificate.conf /etc/ssh/sshd_config.d/10-hostcertificate.conf
+
+upload authorized_keys /root/.ssh/authorized_keys
+
+rm-f /etc/systemd/system/multi-user.target.wants/initial-setup.service
+
+mkdir-p /etc/systemd/system-preset
+upload serialpi.preset /etc/systemd/system-preset/50-serialpi.preset
+
+upload chrony-wait.service /etc/systemd/system/chrony-wait.service
+mkdir-p /etc/systemd/system/time-sync.target.wants
+
+upload dch.repo /etc/yum.repos.d/dch.repo
+
+upload dch-firstboot.sh /usr/local/libexec/dch-firstboot.sh
+chmod 0755 /usr/local/libexec/dch-firstboot.sh
+upload dch-firstboot.service /etc/systemd/system/dch-firstboot.service
+
+selinux-relabel /etc/selinux/targeted/contexts/files/file_contexts /

dch-firstboot.service

@@ -0,0 +1,16 @@
+[Unit]
+After=network-online.target
+Wants=network-online.target
+Wants=time-sync.target
+After=time-sync.target
+Wants=systemd-growfs-root.service
+After=systemd-growfs-root.service
+
+[Service]
+Type=idle
+ExecStart=/usr/local/libexec/dch-firstboot.sh
+ExecStartPost=-/usr/bin/systemctl disable %n
+StandardOutput=journal+console
+
+[Install]
+WantedBy=multi-user.target

dch-firstboot.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+dnf install -y \
+	picocom \
+	sshca-cli-systemd \
+	tmux \
+	&& :
+
+systemctl enable --now ssh-host-certs-renew.timer
+
+systemctl start ssh-host-certs.target
+
+useradd -G dialout,wheel dustin
+install -o dustin -g dustin -m u=rwx,go= -d ~dustin/.ssh
+cp ~root/.ssh/authorized_keys ~dustin/.ssh/authorized_keys

dch.repo

@@ -0,0 +1,6 @@
+[dch]
+name=DCH - Fedora $releasever
+baseurl=https://files.pyrocufflink.blue/yum/dch/fedora/$releasever
+gpgkey=https://files.pyrocufflink.blue/yum/dch/gnupg.pub
+gpgcheck=1
+skip_if_unavailable=true

serialpi.preset

@@ -0,0 +1,11 @@
+enable dch-firstboot.service
+
+enable chrony-wait.service
+
+disable pcscd.socket
+disable sssd-kcm.socket
+disable systemd-homed.service
+disable systemd-userdbd.*
+disable udisks2.service
+
+disable dnf-makecache.timer

ssh-host-certificate.conf

@@ -0,0 +1,3 @@
+HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub