authorunitexe <unitexe70@gmail.com>2026-01-03 15:23:38 -0600
committerunitexe <unitexe70@gmail.com>2026-01-03 15:39:21 -0600
commitf2738c399dffe325b5add7b912d9562484f071e3 (patch)
treebc83ab2a3decfa9ff38a57b3cd4c8c76ad9743b3 /meta-unit-core
parenta94f9b9fdf29d0f27349599aa73a585ba78949d6 (diff)
Introduce core-image-unit
- Add unitexe user
- Configured for public-key SSH authentication
- Part of sudoers (via drop-in) so admin tasks can be performed
- No root login via SSH or TTY allowed
- TTY is restricted via PAM
- Added misc. utilities
Diffstat (limited to 'meta-unit-core')
-rw-r--r--meta-unit-core/LICENSE21
-rw-r--r--meta-unit-core/conf/layer.conf16
-rw-r--r--meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend23
-rw-r--r--meta-unit-core/recipes-core/packagegroups/packagegroup-unit-networking.bb6
-rw-r--r--meta-unit-core/recipes-core/packagegroups/packagegroup-unit-system.bb10
-rw-r--r--meta-unit-core/recipes-core/packagegroups/packagegroup-unit-users.bb10
-rw-r--r--meta-unit-core/recipes-core/packagegroups/packagegroup-unit-utils.bb6
-rw-r--r--meta-unit-core/recipes-extended/shadow/shadow-securetty_%.bbappend4
-rw-r--r--meta-unit-core/recipes-extended/sudo/files/50-unitexe1
-rw-r--r--meta-unit-core/recipes-extended/sudo/sudo_%.bbappend9
-rw-r--r--meta-unit-core/recipes-unit/images/core-image-unit.bb5
-rw-r--r--meta-unit-core/recipes-unit/images/unit-image-base.inc7
-rw-r--r--meta-unit-core/recipes-users/useradd/add-user-unitexe.bb45
-rw-r--r--meta-unit-core/recipes-users/useradd/add-user-unitexe/authorized_keys1
14 files changed, 164 insertions, 0 deletions
diff --git a/meta-unit-core/LICENSE b/meta-unit-core/LICENSE
new file mode 100644
index 0000000..c41c5ae
--- /dev/null
+++ b/meta-unit-core/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 unitexe
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/meta-unit-core/conf/layer.conf b/meta-unit-core/conf/layer.conf
new file mode 100644
index 0000000..8de84e8
--- /dev/null
+++ b/meta-unit-core/conf/layer.conf
@@ -0,0 +1,16 @@
+BBPATH .= ":${LAYERDIR}"
+
+BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "unit-core"
+BBFILE_PATTERN_unit-core := "^${LAYERDIR}/"
+BBFILE_PRIORITY_unit-core = "10"
+
+LAYERSERIES_COMPAT_unit-core = "whinlatter"
+
+BBFILES_DYNAMIC += " \
+ virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes-*/*/*.bb \
+ virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes-*/*/*.bbappend \
+"
+
+UNIT_CORE_LAYERDIR = "${LAYERDIR}"
diff --git a/meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend b/meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..d520f4a
--- /dev/null
+++ b/meta-unit-core/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,23 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+do_install:append () {
+ # Disable root login completely
+ sed -i -e 's:#PermitRootLogin.*:PermitRootLogin no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Enable public key authentication
+ sed -i -e 's:#PubkeyAuthentication yes:PubkeyAuthentication yes:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Add global authorized_keys file to AuthorizedKeysFile
+ sed -i -e 's:^AuthorizedKeysFile.*:AuthorizedKeysFile\t.ssh/authorized_keys /etc/ssh/authorized_keys:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Disable password authentication
+ sed -i -e 's:#PasswordAuthentication yes:PasswordAuthentication no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Explicitly disable empty passwords
+ sed -i -e 's:#PermitEmptyPasswords no:PermitEmptyPasswords no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ # Restrict SSH access to unitexe user only
+ echo "" >> ${D}${sysconfdir}/ssh/sshd_config
+ echo "# Allow only the unitexe user" >> ${D}${sysconfdir}/ssh/sshd_config
+ echo "AllowUsers unitexe" >> ${D}${sysconfdir}/ssh/sshd_config
+}
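Review bot: `PasswordAuthentication no` on its own does not close password logins when sshd runs with `UsePAM yes` — the PAM password prompt is still reachable through keyboard-interactive unless `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on older templates) is set as well, and this recipe sets neither. A second gap is that every sed here matches only the commented-out default (`#PasswordAuthentication yes`, `#PermitEmptyPasswords no`, …), so if the upstream template ever ships the key uncommented or with another value the edit is a silent no-op and the image is built with the unhardened setting; matching `^#\?Key .*` and then checking for the expected line with `bbfatal` on a miss makes the build fail loudly instead. `FILESEXTRAPATHS:prepend` is set but nothing is added to `SRC_URI`, so it can be dropped, and note that nothing in this commit installs the global `/etc/ssh/authorized_keys` that the new `AuthorizedKeysFile` line refers to.
```bitbake
do_install:append () {
    cfg=${D}${sysconfdir}/ssh/sshd_config
    # Match the commented default *and* an already-set value, so a change in
    # the upstream template cannot turn these edits into silent no-ops.
    sed -i -e 's:^#\?PermitRootLogin .*:PermitRootLogin no:' \
           -e 's:^#\?PubkeyAuthentication .*:PubkeyAuthentication yes:' \
           -e 's:^#\?PasswordAuthentication .*:PasswordAuthentication no:' \
           -e 's:^#\?KbdInteractiveAuthentication .*:KbdInteractiveAuthentication no:' \
           -e 's:^#\?PermitEmptyPasswords .*:PermitEmptyPasswords no:' \
           -e 's:^#\?AuthorizedKeysFile .*:AuthorizedKeysFile\t.ssh/authorized_keys /etc/ssh/authorized_keys:' \
           $cfg
    # Fail the build rather than ship a config the edits did not reach.
    for want in 'PermitRootLogin no' 'PasswordAuthentication no' 'KbdInteractiveAuthentication no'; do
        grep -qx "$want" $cfg || bbfatal "sshd_config hardening missing: $want"
    done
    # … unchanged: AllowUsers append …
}
```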
diff --git a/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-networking.bb b/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-networking.bb
new file mode 100644
index 0000000..e4353e1
--- /dev/null
+++ b/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-networking.bb
@@ -0,0 +1,6 @@
+SUMMARY = "Unit networking packages"
+
+inherit packagegroup
+
+RDEPENDS:${PN}:append = " curl"
+RDEPENDS:${PN}:append = " openssh"
diff --git a/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-system.bb b/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-system.bb
new file mode 100644
index 0000000..60bf072
--- /dev/null
+++ b/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-system.bb
@@ -0,0 +1,10 @@
+SUMMARY = "Unit system packages"
+
+inherit packagegroup
+
+RDEPENDS:${PN}:append = " kernel-modules"
+
+# The preferred default for unit images (is also default for arch).
+# Provides high performance and reliability while being drop in
+# compatible.
+RDEPENDS:${PN}:append = " dbus-broker"
diff --git a/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-users.bb b/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-users.bb
new file mode 100644
index 0000000..8cc7faf
--- /dev/null
+++ b/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-users.bb
@@ -0,0 +1,10 @@
+SUMMARY = "Unit users"
+
+inherit packagegroup
+
+# TTY root login restriction, among other things.
+# Is needed for rootless containers too.
+RDEPENDS:${PN}:append = " libpam"
+
+# Add admin user.
+RDEPENDS:${PN}:append = " add-user-unitexe"
diff --git a/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-utils.bb b/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-utils.bb
new file mode 100644
index 0000000..1cbb0ff
--- /dev/null
+++ b/meta-unit-core/recipes-core/packagegroups/packagegroup-unit-utils.bb
@@ -0,0 +1,6 @@
+SUMMARY = "Unit utility packages"
+
+inherit packagegroup
+
+RDEPENDS:${PN}:append = " jq"
+RDEPENDS:${PN}:append = " tree"
diff --git a/meta-unit-core/recipes-extended/shadow/shadow-securetty_%.bbappend b/meta-unit-core/recipes-extended/shadow/shadow-securetty_%.bbappend
new file mode 100644
index 0000000..9d17d9b
--- /dev/null
+++ b/meta-unit-core/recipes-extended/shadow/shadow-securetty_%.bbappend
@@ -0,0 +1,4 @@
+do_install:append() {
+ # Empty securetty to disallow root login on all TTYs.
+ echo -n > ${D}${sysconfdir}/securetty
+}
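Review bot: An empty `/etc/securetty` only restricts root if something consults it — with PAM that is `pam_securetty.so` in the login stack, which as far as I can tell is only wired in when `pam` is in `DISTRO_FEATURES`, and nothing in this layer asserts that, so the restriction the commit message promises can quietly disappear on a distro built without PAM. A parse-time `bb.utils.contains('DISTRO_FEATURES', 'pam', …)` check that at least warns would document the assumption next to the code that depends on it. As a style point, `echo -n` is not guaranteed by POSIX sh and some shells print a literal `-n`; `: > ${D}${sysconfdir}/securetty` truncates the file portably.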
diff --git a/meta-unit-core/recipes-extended/sudo/files/50-unitexe b/meta-unit-core/recipes-extended/sudo/files/50-unitexe
new file mode 100644
index 0000000..744a8a4
--- /dev/null
+++ b/meta-unit-core/recipes-extended/sudo/files/50-unitexe
@@ -0,0 +1 @@
+unitexe ALL=(ALL:ALL) ALL
diff --git a/meta-unit-core/recipes-extended/sudo/sudo_%.bbappend b/meta-unit-core/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 0000000..8fa5c5d
--- /dev/null
+++ b/meta-unit-core/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,9 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI:append = " file://50-unitexe"
+
+do_install:append() {
+ install -p -m0440 ${UNPACKDIR}/50-unitexe ${D}${sysconfdir}/sudoers.d/50-unitexe
+}
+
+FILES:${PN}-lib:append = " ${sysconfdir}/sudoers.d/50-unitexe"
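Review bot: The `install` into `sudoers.d` assumes the base recipe has already created `${D}${sysconfdir}/sudoers.d`; adding `install -d ${D}${sysconfdir}/sudoers.d` before it keeps the append correct on its own and is a no-op when the directory exists. Packaging the drop-in into `${PN}-lib` is only right if the base recipe puts `${sysconfdir}` in that package, which is inferred from poky's sudo recipe rather than visible here; a one-line comment stating that dependency would save the next reader the lookup. Because a syntax error in any drop-in disables sudo for every user, a build-time parse check of the installed file (`visudo -c -f`, if a native sudo is available in the build) is worth considering.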
diff --git a/meta-unit-core/recipes-unit/images/core-image-unit.bb b/meta-unit-core/recipes-unit/images/core-image-unit.bb
new file mode 100644
index 0000000..ea7a7c1
--- /dev/null
+++ b/meta-unit-core/recipes-unit/images/core-image-unit.bb
@@ -0,0 +1,5 @@
+SUMMARY = "Unit image"
+
+LICENSE = "MIT"
+
+require unit-image-base.inc
diff --git a/meta-unit-core/recipes-unit/images/unit-image-base.inc b/meta-unit-core/recipes-unit/images/unit-image-base.inc
new file mode 100644
index 0000000..c81d895
--- /dev/null
+++ b/meta-unit-core/recipes-unit/images/unit-image-base.inc
@@ -0,0 +1,7 @@
+inherit core-image
+inherit image-buildinfo
+
+IMAGE_INSTALL:append = " packagegroup-unit-networking"
+IMAGE_INSTALL:append = " packagegroup-unit-system"
+IMAGE_INSTALL:append = " packagegroup-unit-users"
+IMAGE_INSTALL:append = " packagegroup-unit-utils"
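Review bot: Nothing here stops the `IMAGE_FEATURES`-driven rootfs post-processing from undoing the hardening done in the openssh and useradd recipes — `debug-tweaks` (and the individual `allow-root-login`, `allow-empty-password` and `empty-root-password` features) rewrite `PermitRootLogin` and the root password at image time, and they are commonly enabled from `local.conf` via `EXTRA_IMAGE_FEATURES`. Since this include is the one file every unit image shares, pinning `IMAGE_FEATURES:remove = "debug-tweaks allow-root-login allow-empty-password empty-root-password"` here makes the image's security posture independent of a developer's local configuration. A short header comment naming what each of the four packagegroups contributes would also help readers of `core-image-unit.bb`, which only requires this file.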
diff --git a/meta-unit-core/recipes-users/useradd/add-user-unitexe.bb b/meta-unit-core/recipes-users/useradd/add-user-unitexe.bb
new file mode 100644
index 0000000..4485d79
--- /dev/null
+++ b/meta-unit-core/recipes-users/useradd/add-user-unitexe.bb
@@ -0,0 +1,45 @@
+SUMMARY = "Add unitexe user"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${UNIT_CORE_LAYERDIR}/LICENSE;md5=38bf13be5d6979b28bd8adddb2f2f9b3"
+
+EXCLUDE_FROM_WORLD = "1"
+
+inherit useradd
+inherit extrausers
+
+SRC_URI = "file://authorized_keys"
+
+S = "${UNPACKDIR}"
+
+RDEPENDS:${PN}:append = " sudo"
+RDEPENDS:${PN}:append = " shadow"
+
+USERADD_PACKAGES = "${PN}"
+
+USER_TO_ADD_NAME ?= "unitexe"
+USER_TO_ADD_UID ?= "1000"
+USER_TO_ADD_PASSWORD_HASHED ?= "\$6\$esHchcEKubkj/1v7\$woeV0ChUqcC8J8lOEWB563mX4XRAvYJldGcU/I0Pzg1Nw9bBGOQoLmIsn0wU1gUzpysZr6R18xps5Cjn470Nv/"
+
+USERADD_PARAM:${PN} = "--uid ${USER_TO_ADD_UID} --home-dir /home/${USER_TO_ADD_NAME} --shell ${base_bindir}/sh --password '${USER_TO_ADD_PASSWORD_HASHED}' ${USER_TO_ADD_NAME}"
+
+do_install() {
+ # Give the user a home directory.
+ install -d -m 0755 ${D}/home/${USER_TO_ADD_NAME}
+
+ # Create .ssh directory.
+ install -d -m 0700 ${D}/home/${USER_TO_ADD_NAME}/.ssh
+
+ # Create authorized keys file.
+ install -m 0600 ${UNPACKDIR}/authorized_keys ${D}/home/${USER_TO_ADD_NAME}/.ssh/authorized_keys
+}
+
+pkg_postinst_ontarget:${PN}() {
+ chown -R ${USER_TO_ADD_NAME}:${USER_TO_ADD_NAME} /home/${USER_TO_ADD_NAME}
+}
+
+FILES:${PN} = "\
+ /home/${USER_TO_ADD_NAME} \
+ /home/${USER_TO_ADD_NAME}/.ssh/authorized_keys \
+"
+
+INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
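Review bot: `USER_TO_ADD_PASSWORD_HASHED` ships a real SHA-512 crypt hash as the layer default, and that password is what gates `sudo` for the only login-capable user (`50-unitexe` has no `NOPASSWD`), so every image built from an unmodified layer shares one credential whose hash is public and can be attacked offline. The `?=` already permits an override, but the default is what gets built by anyone who does not know to override it; ship no default and fail the build when the variable is empty, so the hash has to come from `local.conf` or an untracked include. Separately, the first-boot `chown -R` in `pkg_postinst_ontarget` can be done at build time inside `do_install` (the `useradd` class makes the user resolvable there), which also keeps the recipe working on a read-only rootfs, and `inherit extrausers` is unused without an `EXTRA_USERS_PARAMS` and can go. Both `do_install` and `pkg_postinst_ontarget` are complete within the hunk.
```bitbake
USER_TO_ADD_NAME ?= "unitexe"
USER_TO_ADD_UID ?= "1000"
# Deliberately no default: the crypt(3) hash must come from local.conf or an
# untracked include, never from the layer itself.
USER_TO_ADD_PASSWORD_HASHED ?= ""

# … unchanged: USERADD_PARAM …

do_install() {
    # An empty --password yields a passwordless account, so refuse to build
    # until a hash has been supplied outside the layer.
    [ -n "${USER_TO_ADD_PASSWORD_HASHED}" ] || bbfatal "USER_TO_ADD_PASSWORD_HASHED is unset"

    install -d -m 0755 ${D}/home/${USER_TO_ADD_NAME}
    install -d -m 0700 ${D}/home/${USER_TO_ADD_NAME}/.ssh
    install -m 0600 ${UNPACKDIR}/authorized_keys ${D}/home/${USER_TO_ADD_NAME}/.ssh/authorized_keys

    # Fix ownership at build time instead of in pkg_postinst_ontarget; the
    # useradd class makes the user resolvable here, and this also works on a
    # read-only rootfs.
    chown -R ${USER_TO_ADD_NAME}:${USER_TO_ADD_NAME} ${D}/home/${USER_TO_ADD_NAME}
}
```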
diff --git a/meta-unit-core/recipes-users/useradd/add-user-unitexe/authorized_keys b/meta-unit-core/recipes-users/useradd/add-user-unitexe/authorized_keys
new file mode 100644
index 0000000..e567ca6
--- /dev/null
+++ b/meta-unit-core/recipes-users/useradd/add-user-unitexe/authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMovGBPRZAcuJiEO/3xfSqHki2b8/tZL+UfqoSoC8D27 unitexe70@gmail.com