# Introduction

`systemd-first-boot-script` is a set of scripts to configure GNU+Linux systems at first boot.

## Purpose

Setting up pre-configured virtual machines or GNU+Linux systems is easy. Sharing them with other people involves sharing credentials, which is not a good thing from a security point of view.

This set of scripts allows running several configuration programs in order to:

- reset SSH server keys
- change root password
- change main user password (this user is supposed to be in the sudoers group)
- create a new user within the sudoers group
- change machine name
- display connection information (or anything else)

A skeleton is provided to create one's own scripts.

## Deployment

The target machine should have a working `ssh` server.

The scripts are prepared on another machine (e.g. a local machine), from which they can be sent using a synchronization script. This avoids installing `git` on the target machine (which is not wanted on some systems).

# Installation and configuration

Clone this directory on your local machine.

## Configuration

Copy `sync.data.example` to `sync.data`:

```bash
cp sync.data.example sync.data
```

Edit `sync.data` with the credentials for the target machine (using `ssh` keys is recommended but not mandatory).

## Deployment

### Remote copy

Run the synchronization script from the local machine:

```bash
./dosync.sh
```

All files should be copied to the target machine.

### On target machine

Everything here should be run as super-user (or with `sudo`).

From the synced directory, run the deployment script:

```bash
cd install-systemd-first-boot-script # or the name you chose in sync.data
./deploy
```

All files are copied to `/etc/first-boot/`.

Select the files to be executed in `/etc/first-boot/scripts` (a subset of the available scripts is selected here):

```bash
cd /etc/first-boot/scripts
chmod -x *
chmod +x 01-renew-ssh-keys 02-password 03-user-password 50-hostname
```

Check that the permissions are correct (only scripts with execution permission will be run):

```bash
ls -l /etc/first-boot/scripts
-rwxr-xr-x@ 1 root root 625 10 oct 10:59 01-renew-ssh-keys
-rwxr-xr-x@ 1 root root 581 10 oct 10:59 02-password
-rwxr-xr-x@ 1 root root 662 10 oct 11:01 03-user-password
-rw-r--r--@ 1 root root 1114 10 oct 11:08 04-create-default-user
-rwxr-xr-x 1 root root 660 10 oct 11:09 50-hostname
-rw-r--r--@ 1 root root 732 11 oct 15:42 90-display-ip
-rw-r--r--@ 1 root root 755 10 oct 10:59 skeleton
```

Now the machine is ready to be rebooted.

### Test

You can test by rebooting the machine. You will have to answer all the questions (it is not possible to kill the process), so use passwords you know.

Once it is OK for you, re-run the deployment script (this will reset the flag that indicates the script was already run):

```bash
cd install-systemd-first-boot-script # or the name you chose in sync.data
./deploy
```

Then check the permissions in `/etc/first-boot/scripts` once again (just to be sure, even though they should not have been changed).

You can now delete the installation directory (which can be recreated using the `dosync.sh` script from your local machine):

```bash
cd ..
rm -r install-systemd-first-boot-script
```

## Use it

### Strong passwords

Don't forget to use strong passwords on your systems.

### Share your work

Once ready, shut down the system and provide it to the person who will use it: this person will have to set their own passwords at first boot.

# References

- [How to start a script on tty instead of asking for login in systemd? - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/265014/how-to-start-a-script-on-tty-instead-of-asking-for-login-in-systemd)
- [ubuntu - Run script on first boot - Server Fault](https://serverfault.com/a/853403/139286)
- [How To Use Systemctl to Manage Systemd Services and Units | DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units)
- [How to Create and Run New Service Units in Systemd Using Shell Script](https://www.tecmint.com/create-new-service-units-in-systemd/)
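
The manual permission check in the "On target machine" step can be scripted before a machine is shared. This is an added example, not part of the project: it lists which scripts would run and also flags the directory or any runnable script that is not owned by the expected uid or is writable by group or others, since these scripts reset passwords and SSH keys at boot. It assumes GNU `stat` and that "execution permission" means any execute bit is set; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audit the first-boot scripts directory before sharing a machine.
# Assumptions: GNU stat (coreutils); "will run" means any execute bit is set.

# check_perms PATH UID
# Prints a reason and returns 1 if PATH is not owned by UID or is writable by
# group/others; returns 0 if it is fine, 2 if stat fails.
check_perms() {
    local meta uid mode
    meta=$(stat -c '%u %a' "$1") || return 2
    uid=${meta% *}
    mode=${meta#* }
    if [ "$uid" != "$2" ]; then
        echo "owned by uid $uid, expected $2"
        return 1
    fi
    if [ $(( 0$mode & 0022 )) -ne 0 ]; then
        echo "writable by group or others (mode $mode)"
        return 1
    fi
    return 0
}

# audit_first_boot_scripts [DIR] [UID]   (defaults: /etc/first-boot/scripts, 0)
# Prints RUN or SKIP per file, plus UNSAFE for anything another account could
# alter. Returns 0 when clean, 1 when at least one UNSAFE finding was printed.
audit_first_boot_scripts() {
    local dir owner rc f name mode why
    dir=${1:-/etc/first-boot/scripts}
    owner=${2:-0}
    rc=0
    if ! why=$(check_perms "$dir" "$owner"); then
        echo "UNSAFE $dir: $why"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        mode=$(stat -c '%a' "$f") || return 2
        if [ $(( 0$mode & 0111 )) -eq 0 ]; then
            echo "SKIP   $name"
            continue
        fi
        echo "RUN    $name"
        if ! why=$(check_perms "$f" "$owner"); then
            echo "UNSAFE $name: $why"
            rc=1
        fi
    done
    return $rc
}
```

Sourced and called as root on the target with no arguments, `audit_first_boot_scripts` checks `/etc/first-boot/scripts` against uid 0; a non-zero exit status means something needs fixing before the machine is handed over.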