build: create userpass service to change the first password

utilities/build/config.template

@@ -10,7 +10,6 @@ FIRST_USER_PASS="$FIRST_USER_PASS"
 WPA_COUNTRY="US"
 ENABLE_SSH="1"
 DEPLOY_COMPRESSION="xz"
-PUBKEY_ONLY_SSH="1"
 PUBKEY_SSH_FIRST_USER="$PUBKEY_SSH_FIRST_USER"
 STAGE_LIST="stage0 stage1 stage2 stage-solar"
 IMG_NAME="solar-protocol"

utilities/build/installation.md

@@ -2,57 +2,57 @@
 
 Here are some manual steps after booting the raspberry pi to finnish installaion
 
-Update the password for the `pi` user
+## Create ssh key and connect to the pi
 
-    passwd
+On your computer, generate a new key, with a new password
 
-## Enable firewal
+    ssh-keygen -f ~/.ssh/solar-protocol
 
-This will make sure people can only access the website
+Add the key to your keychain, using the password you just gave
 
-    sudo ufw allow ssh
-    sudo ufw allow http comment "Solar Protocol"
-    sudo ufw allow http-alt comment "Solar Protocol (alt)"
-    sudo ufw allow https comment "Solar Protocol"
-    sudo ufw allow 8443 comment "Solar Protocol (alt)"
-    sudo ufw enable
-    sudo ufw status
+    ssh-add ~/.ssh/solar-protocol
 
-## Forward ports from your router to the raspberry pi
+Install it to the raspberry pi - use the regular password
 
-It is strongly recommended to do this only after key-based authentication has been enabled and password authentication has be disabled.
+    ssh-copy-id -i ~/.ssh/solar-protocol [email protected]
+
+Connect to the pi - there should be no password prompt here
 
-Open and forward these ports on your router
+    ssh [email protected]
 
-* 443 -> 443 (https)
-* 80 -> 80 (http)
+Once connected, disable password authentication
 
-If your home internet does not allow people to connect on ports 443 or 80, you can use these alternative ports
+    sudo ./disable-ssh-password-auth
 
-* 8443 -> 443 (alt-https)
-* 8080 -> 80 (alt-http)
-* 2222 -> 22 (For SSH)
-
-## Add SSL Certificates
+## Secure firewall and website
 
-Reach out to a network admin, who will follow the instructions in [network/ssl-management.md]()
+Once you have confirmed that key authentication works over ssh, enable the firewall
 
-## Fix permissions
-
-Set permissions for all files - this script must be run everytime you pull from the repository
+    sudo ufw enable
 
-    sh /home/pi/solar-protocol/utilities/setAllPermissions.sh
+Next, reach out to a network admin, who will follow the instructions in [network/ssl-management.md]() to add secure certificates for the website
 
 ## Join the network
 
-Enter api keys to join the network 
-
 Log in to the admin console via the browser [http://solar-protocol.local/admin]()
 
 Enter API keys and update the gateway list with appropriate credentials
 
 Enter your info on the settings page
 
+## Forward ports from your router to the raspberry pi
+
+Open and forward these ports on your router
+
+* 443 -> 443 (https)
+* 80 -> 80 (http)
+
+If your home internet does not allow people to connect on ports 443 or 80, you can use these alternative ports
+
+* 8443 -> 443 (alt-https)
+* 8080 -> 80 (alt-http)
+* 2222 -> 22 (For SSH)
+
 ## Congratulations
 
 Give yourself a big hug!

utilities/build/stage-solar/00-install-solar-protocol/01-run.sh

@@ -25,6 +25,9 @@ EOF
 #  -e 's|;date.timezone.*|date.timezone = ${{ steps.config.outputs.timezone_default }}|' \
 #  ${ROOTFS_DIR}/etc/php/8.2/apache2/php.ini
 
+# TODO: check if needed or install to @reboot cron
+# sh /home/pi/solar-protocol/utilities/setAllPermissions.sh
+
 echo 'PubkeyAcceptedAlgorithms +ssh-rsa' >> ${ROOTFS_DIR}/etc/ssh/sshd_config
 
 sed -i \
@@ -45,12 +48,26 @@ cat >> ${ROOTFS_DIR}/etc/apache2/apache2.conf <<EOF
 </Directory>
 EOF
 
+export VERSION
 rm ${ROOTFS_DIR}/etc/motd
 rm ${ROOTFS_DIR}/etc/update-motd.d/10-uname
-envsubst < files/10-hello.template > ${ROOTFS_DIR}/etc/update-motd.d/10-hello
+envsubst < files/etc/update-motd.d/10-hello.template > ${ROOTFS_DIR}/etc/update-motd.d/10-hello
 chmod a+x ${ROOTFS_DIR}/etc/update-motd.d/10-hello
-envsubst < files/20-warning.template > ${ROOTFS_DIR}/etc/update-motd.d/20-warning
-chmod a+x ${ROOTFS_DIR}/etc/update-motd.d/20-warning
+
+rm ${ROOTFS_DIR}/etc/issue
+envsubst < files/etc/issue.template > ${ROOTFS_DIR}/etc/issue
+
+cp files/etc/systemd/system/userpass.service ${ROOTFS_DIR}/etc/systemd/system/userpass.service
+mkdir -p ${ROOTFS_DIR}/usr/lib/userpass-pi
+cp files/usr/lib/userpass-pi/userpass-service ${ROOTFS_DIR}/usr/lib/userpass-pi/userpass-service
+
+on_chroot << EOF
+  systemctl disable userconfig.service
+  systemctl daemon-reload
+  systemctl enable userpass.service
+EOF
+
+cp files/home/pi/disable-ssh-password-auth ${ROOTFS_DIR}/home/pi/disable-ssh-password-auth
 
 on_chroot << EOF
   pushd /home/pi/solar-protocol

utilities/build/stage-solar/00-install-solar-protocol/files/etc/issue.template

@@ -0,0 +1 @@
+☀️ solar protocol ${VERSION} \l

utilities/build/stage-solar/00-install-solar-protocol/files/etc/systemd/system/userpass.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=User password dialog
+After=systemd-user-sessions.service
+Before=lightdm.service
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/userpass-pi/userpass-service
+StandardInput=tty
+Restart=on-failure
+TTYPath=/dev/tty8
+TTYReset=yes
+TTYVHangup=yes
+TTYVTDisallocate=yes
+[Install]
+WantedBy=multi-user.target

utilities/build/stage-solar/00-install-solar-protocol/files/etc/ufw/user.rules

@@ -0,0 +1,52 @@
+*filter
+:ufw-user-input - [0:0]
+:ufw-user-output - [0:0]
+:ufw-user-forward - [0:0]
+:ufw-before-logging-input - [0:0]
+:ufw-before-logging-output - [0:0]
+:ufw-before-logging-forward - [0:0]
+:ufw-user-logging-input - [0:0]
+:ufw-user-logging-output - [0:0]
+:ufw-user-logging-forward - [0:0]
+:ufw-after-logging-input - [0:0]
+:ufw-after-logging-output - [0:0]
+:ufw-after-logging-forward - [0:0]
+:ufw-logging-deny - [0:0]
+:ufw-logging-allow - [0:0]
+:ufw-user-limit - [0:0]
+:ufw-user-limit-accept - [0:0]
+### RULES ###
+
+### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 22 -j ACCEPT
+
+### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in comment=536f6c61722050726f746f636f6c
+-A ufw-user-input -p tcp --dport 80 -j ACCEPT
+
+### tuple ### allow any 8443 0.0.0.0/0 any 0.0.0.0/0 in comment=536f6c61722050726f746f636f6c2028736563757265292028616c7429
+-A ufw-user-input -p tcp --dport 8443 -j ACCEPT
+-A ufw-user-input -p udp --dport 8443 -j ACCEPT
+
+### tuple ### allow tcp 8080 0.0.0.0/0 any 0.0.0.0/0 in comment=536f6c61722050726f746f636f6c2028616c7429
+-A ufw-user-input -p tcp --dport 8080 -j ACCEPT
+
+### tuple ### allow any 443 0.0.0.0/0 any 0.0.0.0/0 in comment=536f6c61722050726f746f636f6c202873656375726529
+-A ufw-user-input -p tcp --dport 443 -j ACCEPT
+-A ufw-user-input -p udp --dport 443 -j ACCEPT
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw-user-limit -j REJECT
+-A ufw-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT

utilities/build/stage-solar/00-install-solar-protocol/files/etc/update-motd.d/10-hello.template

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo ☀️ solar protocol ${VERSION}

utilities/build/stage-solar/00-install-solar-protocol/files/home/pi/disable-ssh-password-auth

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed -i -Ee 's/^#?[[:blank:]]*PubkeyAuthentication[[:blank:]]*no[[:blank:]]*$/PubkeyAuthentication yes/
+s/^#?[[:blank:]]*PasswordAuthentication[[:blank:]]*yes[[:blank:]]*$/PasswordAuthentication no/' "${ROOTFS_DIR}"/etc/ssh/sshd_config

utilities/build/stage-solar/00-install-solar-protocol/files/usr/lib/userpass-pi/userpass-service

@@ -0,0 +1,32 @@
+#!/bin/sh -e
+
+validate_password() {
+    if [ -z "$NEW_PASS" ]; then
+        echo "Password cannot be empty."
+        return 1
+    fi
+}
+
+if [ ! "$(raspi-config nonint get_boot_cli)" -eq 0 ]; then
+    return
+fi
+
+VT="$(tty | sed 's|/dev/tty||')"
+ORIG_VT="1"
+if [ -t 0 ]; then
+    chvt "$VT"
+fi
+FIRST_USER="$(getent passwd 1000 | cut -d: -f1)"
+
+while true; do
+    NEW_PASS="$(whiptail --passwordbox "Please set a password for $FIRST_USER:" 20 60 3>&1 1>&2 2>&3)"
+    if [ "$(whiptail --passwordbox "Please confirm the password:" 20 60 3>&1 1>&2 2>&3)" != "$NEW_PASS" ]; then
+        MSG="Passwords did not match"
+    elif MSG=$(validate_password); then
+        break
+    fi
+    whiptail --msgbox "$MSG" 20 60
+done
+
+echo "$FIRST_USER:$NEW_PASS" | chpasswd
+chvt "$ORIG_VT"