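# minimal desktop on LIME2 box
# Targets: Debian 9 (Stretch) or newer
# Depends: boxer-data (>= 10.5.14)
#
# NOTE(review): this copy was recovered from a flattened rendering (every
# line wrapped as a list item, indentation lost). The doc/gateway nesting
# below is the natural reading of the key order — confirm against the
# boxer-data node schema before relying on it.
classes:
  - Console
  - Console.mouse
  - Console.editor.vim
  - Admin.etc.functions
  - Admin
  - Admin.apt.auto
  - Admin.apt.auto.upgrade
  - Admin.apt.auto.all
  - Desktop
  - Desktop.chat
  - Desktop.terminal.lxde
  - Service.scheduler.systemd
  - Hardware.motherboard.olimex.lime2
  - Hardware.harden
  - Framework.localization.limit
  - Framework.media.gstreamer.avoid
  - Framework.pkg.apt.autoremove-suggests
  - Framework.pkg.apt.avoid-removals
  - Framework.pkg.apt.aptitude.advance-on-action
  - Framework.pkg.apt.aptitude.list-suite
  - Framework.pkg.apt.proxy.reset
  - Framework.pkg.apt.source.reset
parameters:
  # Human-readable summary of what this node adds; kept in step with the
  # pkg: and tweak: lists further down.
  doc:
    gateway:
      pkg:
        # NOTE(review): network-manager itself is not in the pkg: list below
        # (presumably pulled in by a class); verify, because the tweaks also
        # enable systemd-networkd with DHCP on all eth*/en*/wl* links, which
        # would leave two managers contending for the same interfaces.
        - include network management service NetworkManager
        - include Network Time (NTP) service Chrony
        - include bandwidth-saving remote shell service MoSH
        - include Pidgin plugin for Matrix protocol
        - include chat client Gajim
        - include font Terminus
        - include font Hack
        - include font Noto, hinted families
        - include emoji font SymbolA
      tweak:
        - limit video buffers (freeing memory for general use)
        - use HDMI (not serial port) as initial boot console
        - (re)set ethernet devices to use dhcp, and mDNS
        - enable Domain name (DNS) service systemd-resolved
        - use Cloudflare (not Google) fallback DNS resolvers
        - enable multicast DNS
        - use static IPs as fallback with NTP to avoid DNSSEC deadlock
        - tell urxvt to use 24pt fonts, Terminus 32pt or indic Noto Sans
        - tell urxvt to omit scrollbar
        - adapt default settings for console file manager Midnight Commander
        - create local systemd service to create SSH host keys if missing
        - clear content of /etc/machine-id
        - remove SSH host keys
  pkg:
    - chrony
    - iproute2
    - iw
    - wpasupplicant
    - modemmanager
    - wifi-radar
    - mosh
    - debconf-utils
    - iftop
    - locales
    - sudo
    - gajim
    - purple-matrix
    - xfonts-terminus
    - fonts-hack-otf
    - fonts-noto-hinted
    - fonts-symbola
    - rxvt-unicode
  # Shell snippets run against the installed system under /target.
  # _backup/_setappendvar/_setappendline are helper functions supplied by a
  # boxer class (presumably Admin.etc.functions) — not defined in this file.
  tweak:
    # Kernel command line: drop the sunxi video-engine/2D reservations and
    # shrink the framebuffer reservation to free RAM for general use.
    - >
      _setappendvar /target/etc/default/flash-kernel \
      LINUX_KERNEL_CMDLINE_DEFAULTS \
      '"sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_fb_mem_reserve=16"'
    # Boot console on HDMI (tty0) instead of the serial port.
    - >
      file=/target/etc/flash-kernel/bootscript/bootscr.sunxi;\
      _backup "$file";\
      sed -i -r -e '2asetenv console tty0\''n' "$file"
    # systemd-networkd: DHCP on every wired/wireless link.
    - >
      file=/target/etc/systemd/network/90-dhcp.network;\
      _backup "$file";\
      echo '[Match]' > "$file";\
      echo 'Name=eth* en* wl*' >> "$file";\
      echo '' >> "$file";\
      echo '[Network]' >> "$file";\
      echo 'DHCP=yes' >> "$file";\
      echo 'IPv6PrivacyExtensions=' >> "$file"
    - systemctl enable systemd-networkd
    # systemd-resolved: FallbackDNS is only consulted when no DNS servers
    # were learned from the network (DHCP/static); MulticastDNS=yes turns
    # on the mDNS responder and resolver on all links.
    - >
      dir=/target/etc/systemd/resolved.conf.d;\
      mkdir -p "$dir";\
      file="$dir/local.conf";\
      echo '[Resolve]' > "$file";\
      echo 'FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111,2606:4700:4700::1001' >> "$file";\
      echo 'MulticastDNS=yes' >> "$file"
    - systemctl enable systemd-resolved
    # Point libc resolvers at the resolved stub listener.
    - >
      ln -sfT ../run/systemd/resolve/stub-resolv.conf \
      /target/etc/resolv.conf
    # Chrony: pool plus literal server addresses so time can be obtained
    # before DNSSEC validation (which itself needs correct time) succeeds.
    # NOTE(review): this replaces Debian's chrony.conf wholesale, so stock
    # directives such as driftfile/rtcsync/makestep are dropped — confirm that
    # is intended on a board that may boot with a badly wrong clock. The
    # hard-coded addresses are plain, unauthenticated NTP and can go stale;
    # re-check them whenever the image is regenerated.
    - >
      file=/target/etc/chrony/chrony.conf;\
      _backup "$file";\
      echo 'pool 2.debian.pool.ntp.org iburst' > "$file";\
      echo '# include static IPs (once expanded from above) to avoid DNSSEC deadlock' >> "$file";\
      echo 'server 195.137.195.251 iburst' >> "$file";\
      echo 'server 158.248.189.11 iburst' >> "$file";\
      echo 'server 193.104.228.123 iburst' >> "$file";\
      echo 'server 195.137.195.252 iburst' >> "$file";\
      echo 'server 2001:ac8:37::40 iburst' >> "$file";\
      echo 'server 2001:67c:28c8:12::123 iburst' >> "$file";\
      echo 'server 2a00:1b70:1200:1::123 iburst' >> "$file";\
      echo 'server 2001:67c:564::12 iburst' >> "$file"
    # urxvt X resources: Terminus 32px with Noto Sans indic fallbacks.
    - >
      _setappendline /target/etc/X11/Xresources/local-font-terminus \
      'Rxvt*font: terminus-32,xft:Noto Sans Devanagari:pixelsize=32:Noto Sans Malayalam:pixelsize=32:Noto Sans Kannada:pixelsize=32:'
    - >
      _setappendline /target/etc/X11/Xresources/local-font-terminus \
      'Rxvt*boldFont: terminus-bold-32,xft:Noto Sans Devanagari:bold:pixelsize=32:Noto Sans Malayalam:bold:pixelsize=32:Noto Sans Kannada:bold:pixelsize=32:'
    - >
      _setappendline /target/etc/X11/Xresources/local-font-terminus \
      'Rxvt*italicFont: xft:Hack:italic:pixelsize=32,xft:Noto Sans Devanagari:italic:pixelsize=32:Noto Sans Malayalam:italic:pixelsize=32:Noto Sans Kannada:italic:pixelsize=32:'
    - >
      _setappendline /target/etc/X11/Xresources/local-font-terminus \
      'Rxvt*boldItalicFont: xft:Hack:bold:italic:pixelsize=32,xft:Noto Sans Devanagari:bold:italic:pixelsize=32:Noto Sans Malayalam:bold:italic:pixelsize=32:Noto Sans Kannada:bold:italic:pixelsize=32:'
    - >
      _setappendline /target/etc/X11/Xresources/local-tweaks \
      'Rxvt*scrollBar: False'
    # System-wide Midnight Commander defaults.
    - >
      file=/target/etc/mc/mc.ini;\
      _backup "$file";\
      echo '[Midnight-Commander]' > "$file";\
      echo 'auto_save_setup=false' >> "$file";\
      echo 'use_internal_view=true' >> "$file";\
      echo 'use_internal_edit=true' >> "$file";\
      echo 'num_history_items_recorded=200' >> "$file";\
      echo 'editor_option_save_mode=false' >> "$file";\
      echo 'editor_show_right_margin=false' >> "$file";\
      echo 'skin=dark' >> "$file";\
      echo '' >> "$file";\
      echo '[Panels]' >> "$file";\
      echo 'navigate_with_arrows=true' >> "$file";\
      echo '' >> "$file";\
      echo '[Layout]' >> "$file";\
      echo 'message_visible=false' >> "$file";\
      echo 'menubar_visible=false' >> "$file"
    # First-boot host-key generator (copied from openssh-server's postinst):
    # creates any HostKey listed in sshd_config (or the default set) that is
    # missing, then reloads sshd. Needed because the image-level cleanup at
    # the end of this list deletes all host keys so flashed boxes do not share
    # them. The inner quoting reproduces the perl one-liner verbatim.
    # NOTE(review): the script still requests a DSA key; OpenSSH >= 7.0 (the
    # version shipped with Debian 9) does not offer ssh-dss host keys by
    # default, so that key is generated but unused unless sshd_config opts in.
    - >
      file=/target/usr/local/sbin/gen-sshd-host-keys;\
      echo '#!/bin/sh' > "$file";\
      echo '#' >> "$file";\
      echo '# Generate missing ssh host keys' >> "$file";\
      echo '# code copied from openssh-server postinst to address' >> "$file";\
      echo '# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594175' >> "$file";\
      echo '' >> "$file";\
      echo '# Copyright: 2018 Purism SPC' >> "$file";\
      echo '# License: BSD-2-clause' >> "$file";\
      echo '# Redistribution and use in source and binary forms, with or without' >> "$file";\
      echo '# modification, are permitted provided that the following conditions' >> "$file";\
      echo '# are met:' >> "$file";\
      echo '# 1. Redistributions of source code must retain the above copyright' >> "$file";\
      echo '# notice, this list of conditions and the following disclaimer.' >> "$file";\
      echo '# 2. Redistributions in binary form must reproduce the above copyright' >> "$file";\
      echo '# notice, this list of conditions and the following disclaimer in the' >> "$file";\
      echo '# documentation and/or other materials provided with the distribution.' >> "$file";\
      echo '# .' >> "$file";\
      echo '# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR' >> "$file";\
      echo '# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES' >> "$file";\
      echo '# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.' >> "$file";\
      echo '# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,' >> "$file";\
      echo '# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT' >> "$file";\
      echo '# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,' >> "$file";\
      echo '# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY' >> "$file";\
      echo '# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT' >> "$file";\
      echo '# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF' >> "$file";\
      echo '# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.' >> "$file";\
      echo '' >> "$file";\
      echo 'set -e' >> "$file";\
      echo '' >> "$file";\
      echo 'export LC_ALL=C.UTF-8' >> "$file";\
      echo '' >> "$file";\
      echo 'get_config_option() {' >> "$file";\
      echo ' option="$1"' >> "$file";\
      echo '' >> "$file";\
      echo ' [ -f /etc/ssh/sshd_config ] || return' >> "$file";\
      echo '' >> "$file";\
      echo ' # TODO: actually only one '"'='"' allowed after option' >> "$file";\
      echo ' perl -lne '"'" >> "$file";\
      echo ' s/[[:space:]]+/ /g; s/[[:space:]]+$//;' >> "$file";\
      echo ' print if s/^[[:space:]]*'"'"'"$option"'"'"'[[:space:]=]+//i'"'"' \' >> "$file";\
      echo ' /etc/ssh/sshd_config' >> "$file";\
      echo '}' >> "$file";\
      echo '' >> "$file";\
      echo '' >> "$file";\
      echo 'host_keys_required() {' >> "$file";\
      echo ' hostkeys="$(get_config_option HostKey)"' >> "$file";\
      echo ' if [ "$hostkeys" ]; then' >> "$file";\
      echo ' echo "$hostkeys"' >> "$file";\
      echo ' else' >> "$file";\
      echo ' # No HostKey directives at all, so the server picks some' >> "$file";\
      echo ' # defaults.' >> "$file";\
      echo ' echo /etc/ssh/ssh_host_rsa_key' >> "$file";\
      echo ' echo /etc/ssh/ssh_host_ecdsa_key' >> "$file";\
      echo ' echo /etc/ssh/ssh_host_ed25519_key' >> "$file";\
      echo ' fi' >> "$file";\
      echo '}' >> "$file";\
      echo '' >> "$file";\
      echo 'create_key() {' >> "$file";\
      echo ' msg="$1"' >> "$file";\
      echo ' shift' >> "$file";\
      echo ' hostkeys="$1"' >> "$file";\
      echo ' shift' >> "$file";\
      echo ' file="$1"' >> "$file";\
      echo ' shift' >> "$file";\
      echo '' >> "$file";\
      echo ' if echo "$hostkeys" | grep -x "$file" >/dev/null && \' >> "$file";\
      echo ' [ ! -f "$file" ] ; then' >> "$file";\
      echo ' printf "%s" "$msg"' >> "$file";\
      echo ' ssh-keygen -q -f "$file" -N "" "$@"' >> "$file";\
      echo ' echo' >> "$file";\
      echo ' if which restorecon >/dev/null 2>&1; then' >> "$file";\
      echo ' restorecon "$file" "$file.pub"' >> "$file";\
      echo ' fi' >> "$file";\
      echo ' ssh-keygen -l -f "$file.pub"' >> "$file";\
      echo ' fi' >> "$file";\
      echo '}' >> "$file";\
      echo '' >> "$file";\
      echo '' >> "$file";\
      echo 'create_keys() {' >> "$file";\
      echo ' hostkeys="$(host_keys_required)"' >> "$file";\
      echo '' >> "$file";\
      echo ' create_key "Creating SSH2 RSA key; this may take some time ..." \' >> "$file";\
      echo ' "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa' >> "$file";\
      echo ' create_key "Creating SSH2 DSA key; this may take some time ..." \' >> "$file";\
      echo ' "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa' >> "$file";\
      echo ' create_key "Creating SSH2 ECDSA key; this may take some time ..." \' >> "$file";\
      echo ' "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa' >> "$file";\
      echo ' create_key "Creating SSH2 ED25519 key; this may take some time ..." \' >> "$file";\
      echo ' "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519' >> "$file";\
      echo '}' >> "$file";\
      echo '' >> "$file";\
      echo 'create_keys' >> "$file";\
      echo 'service ssh force-reload' >> "$file";\
      chmod a+x "$file"
    # Oneshot unit ordered before ssh.service/ssh.socket so keys exist before
    # sshd first starts; skipped when sshd is absent or disabled via
    # /etc/ssh/sshd_not_to_be_run.
    - >
      file=/target/etc/systemd/system/gen-sshd-host-keys.service;\
      echo '[Unit]' > "$file";\
      echo 'Description=Generate OpenSSH daemon host keys service' >> "$file";\
      echo 'ConditionPathExists=/usr/sbin/sshd' >> "$file";\
      echo 'ConditionPathExists=!/etc/ssh/sshd_not_to_be_run' >> "$file";\
      echo 'Before=ssh.service' >> "$file";\
      echo 'Before=ssh.socket' >> "$file";\
      echo 'Documentation=https://source.puri.sm/Librem5/gen-ssd-host-keys/README.md' >> "$file";\
      echo '' >> "$file";\
      echo '[Service]' >> "$file";\
      echo 'Type=oneshot' >> "$file";\
      echo 'ExecStart=/usr/local/sbin/gen-sshd-host-keys' >> "$file";\
      echo 'ExecStop=/bin/true' >> "$file";\
      echo '' >> "$file";\
      echo '[Install]' >> "$file";\
      echo 'WantedBy=ssh.service' >> "$file";\
      echo 'WantedBy=ssh.socket' >> "$file"
    - systemctl enable gen-sshd-host-keys
    # Image-level identity scrub: every box flashed from this image must get
    # its own machine-id and SSH host keys on first boot.
    # NOTE(review): `echo >` leaves a lone newline rather than an empty file;
    # systemd documents an empty (or "uninitialized") machine-id as the
    # regeneration trigger — confirm the target systemd also accepts a
    # newline-only file, otherwise use `: > /target/etc/machine-id`.
    - echo > /target/etc/machine-id
    # Keep the D-Bus machine id identical to systemd's.
    - ln -sfT ../../../etc/machine-id /target/var/lib/dbus/machine-id
    # Drop any host keys created during installation; gen-sshd-host-keys
    # recreates them on the first boot of each box.
    - find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key*" -delete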