Diffstat (limited to 'meta-unit-core/dynamic-layers/virtualization-layer/recipes-core')
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-distribution-path.bb30
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-distribution-path/distribution.path8
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb27
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service19
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh51
5 files changed, 110 insertions, 25 deletions
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-distribution-path.bb b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-distribution-path.bb
new file mode 100644
index 0000000..ae47e27
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-distribution-path.bb
@@ -0,0 +1,30 @@
+SUMMARY = "Systemd path unit to wait for TLS key and cert generation for distribution"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${UNIT_CORE_LAYERDIR}/LICENSE;md5=38bf13be5d6979b28bd8adddb2f2f9b3"
+
+inherit systemd
+
+SRC_URI = "\
+ file://distribution.path \
+"
+
+RDEPENDS:${PN}:append = " add-user-svc"
+RDEPENDS:${PN}:append = " systemd-regkeygen"
+
+S = "${UNPACKDIR}"
+
+SYSTEMD_USER = "svc"
+SYSTEMD_USER_UNITDIR = "/home/${SYSTEMD_USER}/.config/systemd/user"
+
+do_install() {
+ install -D -p -m0644 ${UNPACKDIR}/distribution.path ${D}${SYSTEMD_USER_UNITDIR}/distribution.path
+
+ # Auto-enable systemd unit by creating the appropriate symlink
+ install -d ${D}${SYSTEMD_USER_UNITDIR}/default.target.wants
+ ln -sf ${SYSTEMD_USER_UNITDIR}/distribution.path ${D}${SYSTEMD_USER_UNITDIR}/default.target.wants/distribution.path
+}
+
+FILES:${PN} = "\
+ ${SYSTEMD_USER_UNITDIR}/distribution.path \
+ ${SYSTEMD_USER_UNITDIR}/default.target.wants/distribution.path \
+"
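Review bot: do_install leaves everything it places under /home/svc owned by root, because `install -D` and `ln -sf` run with the build's default ownership and nothing chowns the result; the user instance can still read the 0644 unit, but svc cannot enable, disable or edit its own unit tree, and a root-owned `.config/systemd/user` directory may clash with whatever add-user-svc lays down in that home. If svc should own these files, add `chown -R ${SYSTEMD_USER}:${SYSTEMD_USER} ${D}/home/${SYSTEMD_USER}` at the end of do_install; that requires the user to exist at packaging time (useradd class or a build-time dependency on the recipe that creates it), so confirm against add-user-svc. `inherit systemd` is also pulled in without any `SYSTEMD_SERVICE:${PN}`; since the unit is enabled by the hand-made symlink, the inherit appears unused here and could be dropped.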
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-distribution-path/distribution.path b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-distribution-path/distribution.path
new file mode 100644
index 0000000..d29fbd7
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-distribution-path/distribution.path
@@ -0,0 +1,8 @@
+[Unit]
+Description=Wait for TLS cert and key
+
+[Path]
+PathExists=%h/.local/share/distribution/certs-ready-signal
+
+[Install]
+WantedBy=default.target
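Review bot: the [Path] section has no `Unit=` line, so when `certs-ready-signal` appears systemd activates a unit named `distribution.service` in the same user instance; no such unit is added or pulled in by this commit, so unless it ships elsewhere the path unit fires into nothing and the activation is logged as a failure. Either add `Unit=<consumer>.service` under [Path] naming the unit that should consume the certificates, or confirm distribution.service is provided by another recipe and make systemd-distribution-path RDEPEND on it.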
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb
index 7272206..dc925d7 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb
@@ -2,7 +2,7 @@ SUMMARY = "Systemd service for generating TLS key and cert for distribution"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${UNIT_CORE_LAYERDIR}/LICENSE;md5=38bf13be5d6979b28bd8adddb2f2f9b3"
-inherit systemd
+SYSTEMD_SERVICE:${PN} = "regkeygen.service"
SRC_URI = "\
file://regkeygen.service \
@@ -10,25 +10,22 @@ SRC_URI = "\
"
RDEPENDS:${PN}:append = " add-user-svc"
-RDEPENDS:${PN}:append = " openssl"
S = "${UNPACKDIR}"
-SYSTEMD_USER = "svc"
-SYSTEMD_USER_UNITDIR = "/home/${SYSTEMD_USER}/.config/systemd/user"
-USER_BINDIR = "/home/${SYSTEMD_USER}/bin"
-
do_install() {
- install -D -p -m0644 ${UNPACKDIR}/regkeygen.service ${D}${SYSTEMD_USER_UNITDIR}/regkeygen.service
- install -D -p -m0755 ${UNPACKDIR}/regkeygen.sh ${D}${USER_BINDIR}/regkeygen.sh
-
- # Auto-enable systemd unit by creating the appropriate symlink
- install -d ${D}${SYSTEMD_USER_UNITDIR}/default.target.wants
- ln -sf ${SYSTEMD_USER_UNITDIR}/regkeygen.service ${D}${SYSTEMD_USER_UNITDIR}/default.target.wants/regkeygen.service
+ install -D -p -m0644 ${UNPACKDIR}/regkeygen.service ${D}${systemd_system_unitdir}/regkeygen.service
+ install -D -p -m0755 ${UNPACKDIR}/regkeygen.sh ${D}${bindir}/regkeygen.sh
}
+inherit systemd
+
FILES:${PN} = "\
- ${SYSTEMD_USER_UNITDIR}/regkeygen.service \
- ${SYSTEMD_USER_UNITDIR}/default.target.wants/regkeygen.service \
- ${USER_BINDIR}/regkeygen.sh \
+ ${systemd_system_unitdir} \
+ ${bindir} \
+"
+
+RDEPENDS:${PN} = "\
+ openssl \
+ ca-certificates \
"
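Review bot: `FILES:${PN}` now claims the whole `${systemd_system_unitdir}` and `${bindir}` directories rather than the two files this recipe installs; that is legal, but anything that lands in those directories is silently shipped and the usual QA check for unpackaged files can no longer catch a mistake. Prefer `${systemd_system_unitdir}/regkeygen.service` and `${bindir}/regkeygen.sh`, matching the removed per-file list. Note also that regkeygen.service hard-codes `ExecStart=/usr/bin/regkeygen.sh` while the script is installed under `${bindir}`, so the two drift apart if bindir is ever not /usr/bin. Moving `inherit systemd` below do_install is only a style matter; BitBake evaluates `SYSTEMD_SERVICE:${PN}` lazily, so the order works, but convention keeps the inherit near the top.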
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
index 6f1eca2..e5f2cab 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
@@ -1,12 +1,19 @@
[Unit]
-Description=Generate distribution TLS keys
-ConditionPathExists=!%h/.config/containers/distribution/certs/domain.crt
-ConditionPathExists=!%h/.config/containers/distribution/certs/domain.key
+Description=Generate registry TLS keys for device
+ConditionPathExists=!/home/svc/.config/containers/distribution/certs/domain.crt
+ConditionPathExists=!/home/svc/.config/containers/distribution/certs/domain.key
+ConditionPathExists=!/usr/local/share/ca-certificates/registry.crt
+ConditionPathExists=!/etc/containers/certs.d/localhost:5000/ca.crt
+ConditionPathExists=!/home/svc/.config/containers/certs.d/localhost:5000/ca.crt
+ConditionPathExists=!/home/svc/.local/share/distribution/certs-ready-signal
+After=time-sync.target
+Wants=time-sync.target systemd-time-wait-sync.service
[Service]
Type=oneshot
-Environment="XDG_CONFIG_HOME=%h/.config"
-ExecStart=%h/bin/regkeygen.sh
+ExecStart=/usr/bin/regkeygen.sh
+Environment="TARGET_USR=svc"
+Environment="DISTRIBUTION_REGISTRY_URL=localhost:5000"
[Install]
-WantedBy=default.target
+WantedBy=multi-user.target
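Review bot: the six negated `ConditionPathExists=` lines are ANDed, so the service only starts when none of the listed files exist; a partial earlier run (key written, then `update-ca-certificates` or a later step fails before the signal file is touched) leaves domain.key in place, the condition false on every subsequent boot, the script's own cleanup pass never reached, and distribution.path waiting indefinitely. Keep just `ConditionPathExists=!/home/svc/.local/share/distribution/certs-ready-signal`, which is the last artifact the script produces, and let the script's `rm -f` section deal with leftovers. Replacing `%h` with literal `/home/svc` and `localhost:5000` also duplicates the values passed via `Environment=`, so a change to `TARGET_USR` or `DISTRIBUTION_REGISTRY_URL` would not reach the conditions. Since this is now a system unit with no `User=`, the script runs as root — needed for the `/etc/containers` and `/usr/local/share/ca-certificates` writes, but it also means root is writing inside a user-owned home, which the script should account for.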
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
index e929194..f1286dd 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
@@ -1,10 +1,32 @@
#!/bin/sh
+XDG_LOCAL_HOME="/home/$TARGET_USR/.local"
+XDG_CONFIG_HOME="/home/$TARGET_USR/.config"
+
set -e
-echo "Generating TLS certificate and key for distribution..."
+echo "Cleaning up any previous artifacts..."
+
+rm -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
+rm -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt"
+rm -f /usr/local/share/ca-certificates/registry.crt
+rm -f "/etc/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+rm -f "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+rm -f "$XDG_LOCAL_HOME/share/distribution/certs-ready-signal"
+
+echo "Creating necessary system directories..."
+
+mkdir -p "/etc/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/"
+mkdir -p /usr/local/share/ca-certificates
+
+echo "Creating necessary user directories..."
mkdir -p "$XDG_CONFIG_HOME/containers/distribution/certs"
+mkdir -p "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL"
+mkdir -p "$XDG_LOCAL_HOME/share/distribution"
+
+echo "Generating TLS certificate and key for local registry..."
+
openssl req -x509 -newkey ec \
-pkeyopt ec_paramgen_curve:P-256 \
-keyout "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key" \
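Review bot: `TARGET_USR` and `DISTRIBUTION_REGISTRY_URL` are consumed with no guard, and `set -e` does not catch unset variables; if either is empty (script run outside the unit, or the `Environment=` lines drift) the paths collapse to `/home//.local` and `/etc/containers/certs.d//`, and the `rm -f`, `mkdir -p` and later `chown` calls act on the wrong locations. Replace `set -e` with `set -eu`, move it above the two assignments, and assert the inputs with `: "${TARGET_USR:?TARGET_USR must be set}"` and `: "${DISTRIBUTION_REGISTRY_URL:?DISTRIBUTION_REGISTRY_URL must be set}"`. The registry value is also spliced directly into filesystem paths, so a value containing `/` or `..` would leave `certs.d/`; it comes from the unit file today, but a one-line comment stating that assumption would help whoever parameterises it later. The openssl invocation continues past the end of this hunk.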
@@ -16,12 +38,33 @@ openssl req -x509 -newkey ec \
echo "Setting permissions on generated artifacts..."
-chmod 644 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
+chown $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
+chown $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt"
+chmod 640 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
chmod 644 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt"
+echo "Adding CA to system trust store..."
+
+cp -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" /usr/local/share/ca-certificates/registry.crt
+update-ca-certificates
+
+echo "Adding CA to containers trust store..."
+
+cp -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" "/etc/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+
echo "Adding CA to user containers trust store..."
-mkdir -p "$XDG_CONFIG_HOME/containers/localhost:5000/"
-cp "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" "$XDG_CONFIG_HOME/containers/localhost:5000/ca.crt"
+chown -R $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/certs.d"
+chmod 755 "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL"
+
+cp -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+chown $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+chmod 644 "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+
+echo "Creating signal file..."
+
+chown -R $TARGET_USR:$TARGET_USR "$XDG_LOCAL_HOME/share/distribution"
+touch "$XDG_LOCAL_HOME/share/distribution/certs-ready-signal"
+chmod 644 "$XDG_LOCAL_HOME/share/distribution/certs-ready-signal"
echo "Registry TLS configuration created and ready for use"
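Review bot: copying the registry's self-signed certificate into `/usr/local/share/ca-certificates` and running `update-ca-certificates` makes it a trust anchor for every TLS client on the device, while its private key sits in `/home/svc/.config/containers/distribution/certs/domain.key` owned svc:svc at mode 640; whoever controls that key can then mint certificates the whole system trusts, unless the openssl options outside this hunk constrain the certificate. The copies into `/etc/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt` and the per-user `certs.d` already scope trust to the registry for the container tooling, so drop the system-store step unless a non-container client needs it, or keep a root-held CA key and sign the registry leaf with it. The script also runs as root while `cp -f`, `touch`, `chmod` and `chown -R` operate on paths under the svc-owned home; those calls act on whatever is at the destination, so the user-tree steps should run as the user (e.g. `runuser -u "$TARGET_USR" -- …`) or verify each target is a regular file before writing. Quote the expansions as well, e.g. `chown "$TARGET_USR:$TARGET_USR" …`.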