Diffstat (limited to 'meta-unit-virtualization/recipes-core/systemd')
5 files changed, 158 insertions, 0 deletions
diff --git a/meta-unit-virtualization/recipes-core/systemd/systemd-distribution-path.bb b/meta-unit-virtualization/recipes-core/systemd/systemd-distribution-path.bb
new file mode 100644
index 0000000..d9bd67b
--- /dev/null
+++ b/meta-unit-virtualization/recipes-core/systemd/systemd-distribution-path.bb
@@ -0,0 +1,30 @@
+SUMMARY = "Systemd path unit to wait for TLS key and cert generation for distribution"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${UNIT_VIRTUALIZATION_LAYERDIR}/LICENSE;md5=a77c12e0c0e8a14cebb1494195720ccc"
+
+inherit systemd
+
+SRC_URI = "\
+ file://distribution.path \
+"
+
+RDEPENDS:${PN}:append = " add-user-svc"
+RDEPENDS:${PN}:append = " systemd-regkeygen"
+
+S = "${UNPACKDIR}"
+
+SYSTEMD_USER = "svc"
+SYSTEMD_USER_UNITDIR = "/home/${SYSTEMD_USER}/.config/systemd/user"
+
+do_install() {
+ install -D -p -m0644 ${UNPACKDIR}/distribution.path ${D}${SYSTEMD_USER_UNITDIR}/distribution.path
+
+ # Auto-enable systemd unit by creating the appropriate symlink
+ install -d ${D}${SYSTEMD_USER_UNITDIR}/default.target.wants
+ ln -sf ${SYSTEMD_USER_UNITDIR}/distribution.path ${D}${SYSTEMD_USER_UNITDIR}/default.target.wants/distribution.path
+}
+
+FILES:${PN} = "\
+ ${SYSTEMD_USER_UNITDIR}/distribution.path \
+ ${SYSTEMD_USER_UNITDIR}/default.target.wants/distribution.path \
+"
diff --git a/meta-unit-virtualization/recipes-core/systemd/systemd-distribution-path/distribution.path b/meta-unit-virtualization/recipes-core/systemd/systemd-distribution-path/distribution.path
new file mode 100644
index 0000000..d29fbd7
--- /dev/null
+++ b/meta-unit-virtualization/recipes-core/systemd/systemd-distribution-path/distribution.path
@@ -0,0 +1,8 @@
+[Unit]
+Description=Wait for TLS cert and key
+
+[Path]
+PathExists=%h/.local/share/distribution/certs-ready-signal
+
+[Install]
+WantedBy=default.target
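Review bot: `RDEPENDS:${PN}:append` is assigned twice with `=`, so the second assignment replaces the first and `add-user-svc` silently drops out of the runtime dependencies; the two lines should collapse into one, `RDEPENDS:${PN} += "add-user-svc systemd-regkeygen"`. The recipe also inherits `systemd` without setting `SYSTEMD_SERVICE:${PN}` and enables the unit by hand-crafting the `default.target.wants` symlink, so the class appears to add nothing here — either drop the inherit or add a comment saying why it is kept. Everything installed under `/home/${SYSTEMD_USER}` will be packaged root-owned unless something not visible in this commit (presumably `add-user-svc`) fixes ownership; worth confirming, since a root-owned `~/.config/systemd/user` tree is awkward for the user instance to manage.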
diff --git a/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen.bb b/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen.bb
new file mode 100644
index 0000000..ee53401
--- /dev/null
+++ b/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen.bb
@@ -0,0 +1,31 @@
+SUMMARY = "Systemd service for generating TLS key and cert for distribution"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${UNIT_VIRTUALIZATION_LAYERDIR}/LICENSE;md5=a77c12e0c0e8a14cebb1494195720ccc"
+
+SYSTEMD_SERVICE:${PN} = "regkeygen.service"
+
+SRC_URI = "\
+ file://regkeygen.service \
+ file://regkeygen.sh \
+"
+
+RDEPENDS:${PN}:append = " add-user-svc"
+
+S = "${UNPACKDIR}"
+
+do_install() {
+ install -D -p -m0644 ${UNPACKDIR}/regkeygen.service ${D}${systemd_system_unitdir}/regkeygen.service
+ install -D -p -m0755 ${UNPACKDIR}/regkeygen.sh ${D}${bindir}/regkeygen.sh
+}
+
+inherit systemd
+
+FILES:${PN} = "\
+ ${systemd_system_unitdir} \
+ ${bindir} \
+"
+
+RDEPENDS:${PN} = "\
+ openssl \
+ ca-certificates \
+"
diff --git a/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.service b/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.service
new file mode 100644
index 0000000..e5f2cab
--- /dev/null
+++ b/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.service
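Review bot: `FILES:${PN}` claims the whole `${systemd_system_unitdir}` and `${bindir}` directories rather than the two files `do_install` puts there; narrowing it to `${systemd_system_unitdir}/regkeygen.service` and `${bindir}/regkeygen.sh` keeps the package from absorbing anything else that lands in those directories. The runtime dependencies are split between an `RDEPENDS:${PN}:append` near the top and an `RDEPENDS:${PN} =` at the bottom, which works but is easy to misread; a single `RDEPENDS:${PN} = "add-user-svc openssl ca-certificates"` is clearer. `inherit systemd` sits after `do_install` while `SYSTEMD_SERVICE:${PN}` is set above it — harmless to BitBake, but the conventional order is inherit, then class variables, then tasks.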
@@ -0,0 +1,19 @@
+[Unit]
+Description=Generate registry TLS keys for device
+ConditionPathExists=!/home/svc/.config/containers/distribution/certs/domain.crt
+ConditionPathExists=!/home/svc/.config/containers/distribution/certs/domain.key
+ConditionPathExists=!/usr/local/share/ca-certificates/registry.crt
+ConditionPathExists=!/etc/containers/certs.d/localhost:5000/ca.crt
+ConditionPathExists=!/home/svc/.config/containers/certs.d/localhost:5000/ca.crt
+ConditionPathExists=!/home/svc/.local/share/distribution/certs-ready-signal
+After=time-sync.target
+Wants=time-sync.target systemd-time-wait-sync.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/regkeygen.sh
+Environment="TARGET_USR=svc"
+Environment="DISTRIBUTION_REGISTRY_URL=localhost:5000"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.sh b/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
new file mode 100644
index 0000000..f1286dd
--- /dev/null
+++ b/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
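Review bot: All six `ConditionPathExists=!` lines must hold at once, so a partial earlier run (for example key and cert written, then `update-ca-certificates` failing) leaves at least one artifact behind and the service is skipped on every subsequent boot, while `distribution.path` waits forever for `certs-ready-signal`. Because regkeygen.sh already removes every stale artifact before regenerating, gating on the signal file alone is enough: keep only `ConditionPathExists=!/home/svc/.local/share/distribution/certs-ready-signal` and drop the other five. The condition paths and `ExecStart=` hard-code `/usr/bin`, `/home/svc` and `localhost:5000` while the same values are also carried in `${bindir}` and the two `Environment=` lines; a comment such as `# Paths must match TARGET_USR/DISTRIBUTION_REGISTRY_URL below and the recipe's bindir` would keep them from drifting apart.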
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+XDG_LOCAL_HOME="/home/$TARGET_USR/.local"
+XDG_CONFIG_HOME="/home/$TARGET_USR/.config"
+
+set -e
+
+echo "Cleaning up any previous artifacts..."
+
+rm -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
+rm -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt"
+rm -f /usr/local/share/ca-certificates/registry.crt
+rm -f "/etc/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+rm -f "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+rm -f "$XDG_LOCAL_HOME/share/distribution/certs-ready-signal"
+
+echo "Creating necessary system directories..."
+
+mkdir -p "/etc/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/"
+mkdir -p /usr/local/share/ca-certificates
+
+echo "Creating necessary user directories..."
+
+mkdir -p "$XDG_CONFIG_HOME/containers/distribution/certs"
+mkdir -p "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL"
+mkdir -p "$XDG_LOCAL_HOME/share/distribution"
+
+echo "Generating TLS certificate and key for local registry..."
+
+openssl req -x509 -newkey ec \
+ -pkeyopt ec_paramgen_curve:P-256 \
+ -keyout "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key" \
+ -out "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" \
+ -days 365 \
+ -nodes \
+ -subj '/C=US/ST=Minnesota/L=St. Paul/O=Closed Circuit Consulting/OU=R&D/CN=localhost/emailAddress=unitexe70@gmail.com' \
+ -addext 'subjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1'
+
+echo "Setting permissions on generated artifacts..."
+
+chown $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
+chown $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt"
+chmod 640 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
+chmod 644 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt"
+
+echo "Adding CA to system trust store..."
+
+cp -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" /usr/local/share/ca-certificates/registry.crt
+update-ca-certificates
+
+echo "Adding CA to containers trust store..."
+
+cp -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" "/etc/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+
+echo "Adding CA to user containers trust store..."
+
+chown -R $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/certs.d"
+chmod 755 "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL"
+
+cp -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+chown $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+chmod 644 "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+
+echo "Creating signal file..."
+
+chown -R $TARGET_USR:$TARGET_USR "$XDG_LOCAL_HOME/share/distribution"
+touch "$XDG_LOCAL_HOME/share/distribution/certs-ready-signal"
+chmod 644 "$XDG_LOCAL_HOME/share/distribution/certs-ready-signal"
+
+echo "Registry TLS configuration created and ready for use" |
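Review bot: `TARGET_USR` and `DISTRIBUTION_REGISTRY_URL` are used without any check, so if the unit's `Environment=` lines are ever dropped or the script is run by hand, the `rm -f`, `mkdir -p` and `chown` lines operate on `/home//.config/...` and `/etc/containers/certs.d//ca.crt`, and `set -e` (which comes after the two path assignments anyway) does not catch it; move the option line to the top as `set -eu`, add `: "${TARGET_USR:?TARGET_USR must be set}" "${DISTRIBUTION_REGISTRY_URL:?DISTRIBUTION_REGISTRY_URL must be set}"` before the first `rm`, and quote the `"$TARGET_USR:$TARGET_USR"` arguments to chown. The certificate is issued with `-days 365`, but regkeygen.service only runs while the artifacts are absent, so nothing ever renews it; at minimum a `# NOTE: no renewal path — the unit's ConditionPathExists gates stop it re-running once the signal file exists` comment above the openssl call, and ideally a renewal mechanism. The whole script runs as root inside a tree the `svc` user can write to, and the key is created by openssl before the `chmod 640` a few lines later; an `umask 077` ahead of the openssl call, and generating into a root-owned staging directory before placing the files in the home directory with `install -o "$TARGET_USR" -g "$TARGET_USR"`, would narrow both the window in which the private key is readable and the extent to which root follows paths under the user's control.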
