Initial commit

2024-05-09 22:45:53 +02:00 · 2024-05-09 22:45:53 +02:00 · 968d09e362
commit 968d09e362
88 changed files with 2323 additions and 0 deletions
--- a/os/layers/contestant/includes.chroot/usr/local/bin/install-client-cert
+++ b/os/layers/contestant/includes.chroot/usr/local/bin/install-client-cert
@ -0,0 +1,49 @@
+#!/bin/bash
+
+# This tool installs the client certificate in Firefox and Chromium.
+
+username="$1"
+
+userhome="/home/$username"
+certificate="$userhome/.config/clientcert.p12"
+
+runuser -u "$username" -- mkdir -p "$userhome/.config"
+mv "$userhome/clientcert.p12" "$certificate"
+chown "$username:$username" "$certificate"
+
+# Delete all Firefox data
+rm -rf "$userhome/.mozilla/"
+
+# Create an empty profile
+runuser -u "$username" -- mkdir -p "$userhome/.mozilla/firefox/main"
+
+# Tell Firefox to use this profile
+cat > "$userhome/.mozilla/firefox/profiles.ini" <<EOF
+[Profile0]
+Name=main
+IsRelative=1
+Path=main
+
+[General]
+StartWithLastProfile=1
+Version=2
+
+[Install3B6073811A6ABF12]
+Default=main
+Locked=1
+
+EOF
+
+chown "$username:$username" "$userhome/.mozilla/firefox/profiles.ini"
+
+# Create a certificate database
+runuser -u "$username" -- certutil -d "sql:$userhome/.mozilla/firefox/main/" -N --empty-password
+
+# Import the client certificate
+runuser -u "$username" -- pk12util -d "sql:$userhome/.mozilla/firefox/main/" -i "$certificate" -K "" -W ""
+
+# Do the same for the NSS shared certificate database, used by Chromium
+rm -rf "$userhome/.pki/"
+runuser -u "$username" -- mkdir -p "$userhome/.pki/nssdb"
+runuser -u "$username" -- certutil -d "sql:$userhome/.pki/nssdb/" -N --empty-password
+runuser -u "$username" -- pk12util -d "sql:$userhome/.pki/nssdb/" -i "$certificate" -K "" -W ""
--- a/os/layers/contestant/includes.chroot/usr/local/bin/live-config
+++ b/os/layers/contestant/includes.chroot/usr/local/bin/live-config
@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eu
+
+LIVE_HOSTNAME=debian
+LIVE_USERNAME=contestant
+LIVE_USER_FULLNAME="Contestant"
+
+# Set hostname.
+echo "${LIVE_HOSTNAME}" > /etc/hostname
+hostname "${LIVE_HOSTNAME}"
+
+# Create hosts file.
+cat > /etc/hosts <<EOF
+127.0.0.1       localhost ${LIVE_HOSTNAME}
+::1             localhost ip6-localhost ip6-loopback
+fe00::0         ip6-localnet
+ff00::0         ip6-mcastprefix
+ff02::1         ip6-allnodes
+ff02::2         ip6-allrouters
+EOF
+
+# Create ssh host key.
+ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519
+
+# Create user.
+adduser --disabled-password --gecos "$LIVE_USER_FULLNAME" "$LIVE_USERNAME"
+
+# Enable auto login.
+sed -i \
+  -e "s/^[# ]*AutomaticLoginEnable *=.*/AutomaticLoginEnable = true/g" \
+  -e "s/^[# ]*AutomaticLogin *=.*/AutomaticLogin = $LIVE_USERNAME/g" \
+  -e "s/^[# ]*TimedLoginEnable *=.*/TimedLoginEnable = true/g" \
+  -e "s/^[# ]*TimedLogin *=.*/TimedLogin = $LIVE_USERNAME/g" \
+  -e "s/^[# ]*TimedLoginDelay *=.*/TimedLoginDelay = 5/g" \
+  /etc/gdm3/daemon.conf
--- a/os/layers/contestant/includes.chroot/usr/local/bin/reboot-interactive
+++ b/os/layers/contestant/includes.chroot/usr/local/bin/reboot-interactive
@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -eu
+
+# Reboot with kexec.
+# This has the advantage that we don't need to go through the system boot menu,
+# which is especially useful when the boot menu is password protected.
+# However, we currently can't preserve the squashfs in RAM across kexec,
+# so the boot USB stick needs to be plugged in before rebooting.
+
+kexec --kexec-file-syscall --load /vmlinuz --initrd=/initrd.img --append="$(cat /proc/cmdline)"
+
+if XDG_RUNTIME_DIR="/run/user/$(id -u contestant)" runuser -u contestant -- zenity --question --title="Reboot?" --text="Press Enter after inserting the boot USB stick."
+then
+  reboot
+fi