Added user services and mount-home to users in alpine-server setup.

2024-08-11 22:39:30 +02:00 · 2024-08-11 22:39:30 +02:00 · 8c37c16088
commit 8c37c16088
parent e1d8ecf625
3 changed files with 103 additions and 3 deletions
--- a/docs/alpine-server-setup/installation.md
+++ b/docs/alpine-server-setup/installation.md
@ -48,6 +48,7 @@ The other setup scripts can be used to configure key aspects of the system. Besi
 # setup-keymap us us-euro
 # setup-timezone -i <area>/<subarea>
 # setup-ntp openntpd
+# setup-sshd -c dropbear
 # rc-update add acpid default
 # rc-update add seedrng boot
 # rm -rf /var/tmp
--- a/docs/alpine-server-setup/post-install/swap.md
+++ b/docs/alpine-server-setup/post-install/swap.md
@ -12,7 +12,7 @@ Install it with:
 `zram-init` can be configured in `/etc/conf.d/zram-init`. The amount of devices and the size of zram can be changed here, for example:

 ```
-num_devices=1
+num_devices=<n>

 # swap - 500M

--- a/docs/alpine-server-setup/post-install/users.md
+++ b/docs/alpine-server-setup/post-install/users.md
@ -14,8 +14,6 @@ Configure `doas` through `/etc/doas.d/main.conf`:

 ```
 permit persist :wheel as root
-permit nopasss :_power cmd /sbin/poweroff
-permit nopasss :_power cmd /sbin/reboot
 ```

 ## Adding a user
@ -27,6 +25,14 @@ Adding a user in Alpine Linux can be done using the `setup-user` script. Here we
 # passwd <username>
 ```

+> Make sure that the home dataset is decrypted and mounted, before creating a user. 
+
+You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:
+
+```
+<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
+```
+
 If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:

 ```
@ -41,3 +47,96 @@ root:x:0:0:root:/root:/sbin/nologin

 ## User services

+The user will have its own init system, for the management of user containers and other user services. The `runsvdir` command of the `runit` init system will be used to create a local init system for the user. 
+
+```
+# apk add runit
+```
+
+Create `/etc/init.d/runsvdir-user`, which will be the init script for the local init system of the user. 
+
+```
+#!/sbin/openrc-run
+
+user="${RC_SVCNAME##*.}"
+svdir="/home/${user}/.local/service"
+pidfile="/run/runsvdir-user.${user}.pid"
+
+command="/usr/bin/runsvdir"
+command_args="$svdir"
+command_user="$user"
+command_background=true
+
+depend()
+{
+    after mount-home
+}
+```
+
+Make `/etc/init.d/runsvdir-user` an executable
+
+```
+# chmod +x /etc/init.d/runsvdir-user
+```
+
+Link the user to `/etc/init.d/runsvdir-user`
+
+```
+# ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.<username>
+```
+
+Finally, add the service to the manual runlevel
+
+```
+# rc-update add runsvdir-user.<username> manual
+```
+
+> This process can of course be repeated for several users.
+
+### Mounting home
+
+Before the user init system can be started, the home dataset should be decrypted and mounted. This process will be partially automated by adding it to the manual runlevel. 
+
+Create `/etc/init.d/mount-home`
+
+```
+#!/sbin/openrc-run
+
+depend()
+{
+    need localmount
+}
+
+start()
+{
+    zfs load-key -L prompt tank/home
+    zfs mount tank/home
+}
+
+stop()
+{
+    zfs unmount tank/home
+    zfs unload-key tank/home
+}
+```
+
+Make `/etc/init.d/mount-home` an executable
+
+```
+# chmod +x /etc/init.d/mount-home
+```
+
+Add the service to the manual runlevel
+
+```
+# rc-update add mount-home manual
+```
+
+Now the scripts can be started accordingly with
+
+```
+# openrc -n manual
+```
+
+> Note that after a reboot this command should be performed to decrypt the home partition and to start the user services.
+