ref: 89af820ef18cbf36e893269d84dcb61cbed0c956 alpine-system/utilities/setup-container -rwxr-xr-x 2.1 KiB
89af820eDamien Tardy-Panis system-config: update nftables rules to allow forwarding WireGuard traffic 9 months ago
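#!/bin/sh
#
# Create and configure an LXD container for building and signing Alpine
# packages, and wire the host's build tree and SSH agent into it.
#
# Usage: setup-container [KEY_DIR]
#   KEY_DIR  optional host directory holding an existing abuild signing key
#            pair (damien-6220f8bc.rsa and damien-6220f8bc.rsa.pub). When
#            omitted, a new key pair is generated in the container and pulled
#            back to the host desktop as a backup.
#
# Host requirements: lxc, the `project-path` helper, and a running SSH agent
# (SSH_AUTH_SOCK set).

# Every step depends on the previous one: abort on the first failing command
# and on unset variables instead of continuing with a half-configured
# container. `set -eu` is the portable subset for /bin/sh (no pipefail).
set -eu

CONTAINER_NAME='alpine-builds'
VERSION='3.15'
REPO_NAME='tardypad'
# Unprivileged user doing the builds inside the container.
BUILD_USER='damien'
BUILD_HOME="/home/${BUILD_USER}"
# Base name of the abuild signing key pair (private .rsa, public .rsa.pub).
KEY_NAME='damien-6220f8bc'

# Optional; empty means "generate a new key".
KEY_DIR="${1:-}"

lxc launch "images:alpine/${VERSION}" "${CONTAINER_NAME}"

# wait for network: lxc launch returns before the container has connectivity,
# and the `apk add` below fails if it runs too early. This is a fixed delay,
# not a readiness check.
sleep 2

# `set -e` inside the container shell so a failed apk/adduser step makes
# `lxc exec` return non-zero (and aborts this script) instead of being
# skipped silently. ${REPO_NAME}/${BUILD_USER} expand on the host because the
# heredoc delimiter is unquoted.
# NOTE: `permit nopass` gives the build user passwordless root inside the
# container; abuild relies on it (SUDO=doas below) to install dependencies.
cat << EOF | lxc exec "${CONTAINER_NAME}" -- /bin/sh
  set -e
  apk add alpine-sdk doas
  adduser -D ${BUILD_USER}
  adduser ${BUILD_USER} abuild
  echo 'permit nopass ${BUILD_USER}' > /etc/doas.d/doas.conf
  echo '${BUILD_HOME}/packages/${REPO_NAME}' >> /etc/apk/repositories
EOF

if [ -n "${KEY_DIR}" ]; then
  # configure the signing key from the host copy. Fail early with a clear
  # message rather than pushing a literal glob pattern when the key is absent.
  if [ ! -f "${KEY_DIR}/${KEY_NAME}.rsa" ]; then
    echo "setup-container: ${KEY_NAME}.rsa not found in ${KEY_DIR}" >&2
    exit 1
  fi
  # -p creates the missing ~/.abuild directory in the container; the glob
  # picks up both the private key and its .pub counterpart.
  lxc file push -p "${KEY_DIR}/${KEY_NAME}".rsa* "${CONTAINER_NAME}${BUILD_HOME}/.abuild/"
  cat << EOF | lxc exec "${CONTAINER_NAME}" -- /bin/sh
    set -e
    echo 'PACKAGER_PRIVKEY="${BUILD_HOME}/.abuild/${KEY_NAME}.rsa"' > ${BUILD_HOME}/.abuild/abuild.conf
    cp ${BUILD_HOME}/.abuild/${KEY_NAME}.rsa.pub /etc/apk/keys/
EOF
else
  # generate the signing key as the build user (abuild-keygen needs root via
  # SUDO=doas to install the public key system-wide)
  lxc exec "${CONTAINER_NAME}" --env SUDO=doas -- su -c 'abuild-keygen -ain' "${BUILD_USER}"

  # save signing key on host for backup: pull the whole ~/.abuild directory,
  # keep only the key files, drop the rest. Runs in a subshell so the cd does
  # not leak into the remaining steps.
  (
    cd "${XDG_DESKTOP_DIR:-$HOME/Desktop}" || exit 1
    lxc file pull -r "${CONTAINER_NAME}${BUILD_HOME}/.abuild" .
    mv .abuild/"${BUILD_USER}"* .
    rm -rf .abuild
  )
fi

# share builds folder with rw permissions.
# Resolve the path in an assignment so a failing `project-path` is caught by
# set -e (a failure inside a command argument would not be).
builds_dir="$( project-path repo alpine-system )/builds"
lxc config device add "${CONTAINER_NAME}" builds disk \
  source="${builds_dir}" \
  path="${BUILD_HOME}/${REPO_NAME}"
# Map host uid/gid 1000 to the same ids in the container so the build user
# can write to the bind-mounted directory.
lxc config set "${CONTAINER_NAME}" raw.idmap='both 1000 1000'

# share SSH agent: proxy the host agent socket into the container, reachable
# only by uid/gid 1000 with mode 0600. Builds inside the container can then
# use the host's loaded SSH keys, so this is only appropriate for a container
# you trust as much as the host session.
: "${SSH_AUTH_SOCK:?SSH_AUTH_SOCK is not set; start an ssh-agent first}"
# `cut -f2 -d=` strips a leading `name=` prefix if one is present; a plain
# socket path (no `=`) passes through unchanged.
agent_sock="$( printf '%s\n' "${SSH_AUTH_SOCK}" | cut -f2 -d= )"
lxc config device add "${CONTAINER_NAME}" ssh-agent proxy \
  "connect=unix:${agent_sock}" \
  listen=unix:"${BUILD_HOME}"/.ssh-agent.sock \
  bind=container \
  uid=1000 \
  gid=1000 \
  mode=0600 \
  security.uid=1000 \
  security.gid=1000

# rsync usage to chestnut: point the build user at the proxied agent socket
# and add an SSH host alias. ~/.ssh is created with mode 0700 as ssh expects.
# The nested EOF2 heredoc is consumed by the container shell, not the host.
cat << EOF | lxc exec "${CONTAINER_NAME}" -- /bin/sh
  set -e
  apk add openssh rsync
  echo 'export SSH_AUTH_SOCK=${BUILD_HOME}/.ssh-agent.sock' > ${BUILD_HOME}/.profile
  chown ${BUILD_USER}:${BUILD_USER} ${BUILD_HOME}/.profile
  mkdir -m 0700 ${BUILD_HOME}/.ssh
  cat << EOF2 > ${BUILD_HOME}/.ssh/config
Host chestnut
    Hostname tardypad.me
    User damien
    Port 11235
EOF2
  chown -R ${BUILD_USER}:${BUILD_USER} ${BUILD_HOME}/.ssh
EOF

# restart so the device and raw.idmap changes above are applied to the
# running container (presumably required for the idmap; confirm against lxd)
lxc restart "${CONTAINER_NAME}"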