author Daniel Graña 2023-12-12 18:47:29 -0300
committer Daniel Graña 2023-12-12 18:47:29 -0300
commit cbd39f085c9d4a59d442424a66cb968fd887ded0 (patch)
tree 4530b3e5391fe3c94d5fc741c1f82b5b50586532
parent 1d57cd9fb34e2b85406fdd860099c7a3ddfb194f (diff)
download aur-cbd39f085c9d4a59d442424a66cb968fd887ded0.tar.gz
Add README and Makefile plus update checksums
-rw-r--r-- .SRCINFO 4
-rw-r--r-- Makefile 16
-rw-r--r-- PKGBUILD 3
-rw-r--r-- README.md 73
4 files changed, 93 insertions, 3 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 04b6077d82fc..e37e1e9909d5 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -8,7 +8,7 @@ pkgbase = mkinitcpio-tailscale
depends = mkinitcpio
source = sd-tailscale
source = setup-initcpio-tailscale
- sha256sums = SKIP
- sha256sums = SKIP
+ sha256sums = c57ea49b3dd783b0b127e1e795edc048df4caa6928100f7f0483e8167ac3fb40
+ sha256sums = 2630df3dadb9679cf8f9c38f8974e9f3f5be6c9a5694963104386d652e03eea8
pkgname = mkinitcpio-tailscale
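Review bot: with the checksums now pinned for two sources that live in this repository, every future edit to `sd-tailscale` or `setup-initcpio-tailscale` must be followed by regenerating both this file and the PKGBUILD, or makepkg will fail the integrity check; the two hashes here do match the PKGBUILD hunk below, and the `update` target in the new Makefile (`updpkgsums` then `makepkg --printsrcinfo >.SRCINFO`) is the right way to keep them in step, so it is worth stating that workflow in the README for contributors.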
diff --git a/Makefile b/Makefile
new file mode 100644
index 000000000000..8de844eca7ca
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,16 @@
+
+.PHONY: update
+
+update: checksums srcinfo
+
+checksums:
+ updpkgsums
+
+srcinfo:
+ makepkg --printsrcinfo >.SRCINFO
+
+build: update
+ makepkg -cCf
+
+install: update
+ makepkg -icCf
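Review bot: `checksums`, `srcinfo`, `build` and `install` should be declared phony alongside `update`; as written, a file or directory named `build` or `install` appearing in the working tree would make `make build` / `make install` report that the target is up to date and do nothing. Suggest `.PHONY: update checksums srcinfo build install` and dropping the empty first line of the file.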
diff --git a/PKGBUILD b/PKGBUILD
index 8e45c9d8ebdf..2175d687921a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -9,7 +9,8 @@ url="https://github.com/dangra/mkinitcpio-tailscale"
license=("GPL-2.0-or-later")
depends=("mkinitcpio")
source=("sd-tailscale" "setup-initcpio-tailscale")
-sha256sums=(SKIP SKIP)
+sha256sums=('c57ea49b3dd783b0b127e1e795edc048df4caa6928100f7f0483e8167ac3fb40'
+ '2630df3dadb9679cf8f9c38f8974e9f3f5be6c9a5694963104386d652e03eea8')
package() {
install -m 755 -D ${srcdir}/setup-initcpio-tailscale ${pkgdir}/usr/bin/setup-initcpio-tailscale
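Review bot: the context line `install -m 755 -D ${srcdir}/setup-initcpio-tailscale ${pkgdir}/usr/bin/setup-initcpio-tailscale` leaves both variables unquoted; since this file is being touched anyway, quote them as `"${srcdir}"` and `"${pkgdir}"` so a build path containing spaces does not break `package()`. The checksum change itself is fine and agrees with .SRCINFO.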
diff --git a/README.md b/README.md
new file mode 100644
index 000000000000..7158b7f03def
--- /dev/null
+++ b/README.md
@@ -0,0 +1,73 @@
+# mkinitcpio-tailscale
+
+Provide a [mkinitcpio][1] hook to connect to a [Tailscale][2] network at boot, from within
+the initramfs also known as the early userspace environment, just before handing over
+the control to the final rootfs.
+
+This hook is extremely handy for remote unlocking systems with an encrypted root filesystem.
+Read the Archlinux Wiki on how to configure mkinitcpio to [decrypt the rootfs on boot][3] and
+how to add a ssh server to [remotely unlock it][4].
+
+[1]: https://wiki.archlinux.org/title/Mkinitcpio
+[2]: https://tailscale.com
+[3]: https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#Configuring_mkinitcpio_2
+[4]: https://wiki.archlinux.org/title/Dm-crypt/Specialties#systemd_based_initramfs_(built_with_mkinitcpio)
+
+Combined that with running the Tailscale service and you get an very secure VPN access from anywhere
+without having to open the ssh port to the world.
+
+## Installation
+
+```
+yay -S mkinitcpio-tailscale
+```
+
+## Configure
+
+Edit /etc/mkinitcpio.conf and add `sd-tailscale` to HOOKS array, i.e:
+
+> HOOKS=(base **systemd** keyboard autodetect keymap modconf sd-vconsole *sd-network* *sd-resolve* *sd-tinyssh* **sd-tailscale** block sd-encrypt filesystems fsck)
+
+**NOTE**: In above HOOKS line there are three hooks provided by mkinitcpio-systemd-extras package: `sd-network`, `sd-resolve` and `sd-tinyssh`.
+ Even if you can get the early boot network configuration working without them, it is much simpler this way.
+
+*IMPORTANT*: This hook doesn't work with mkinitcpio configurations that uses `udev` hook instead of `systemd`
+
+Once the hook is configured, run `setup-initcpio-tailscale` (as a normal user) and follow the instructions to register the node to your tailscale account.
+The script will register a tailscale node with a hostname derived from the host system, let say the host is named `homeserver`, the
+tailscale node will be registered as `homeserver-initrd`; that makes it easier to identify the node in Tailscale panel.
+
+## Security Considerations
+
+The *Tailscale node key* will be stored in plain text inside the initramfs. Even if the root filesystem is encrypted, remember that the initramfs isn't.
+Someone with physical access to the node could steal the tailscale keys and attempt to log into the tailscale network impersonating the node the keys were created for.
+
+To minimize the attack surface, we can limit the initramfs tailscale node to only accept incoming connections by addding the
+following [Tailscale ACL](https://login.tailscale.com/admin/acls) and tag clients, servers and initrd nodes accordinglly
+using the [Tailscale Machines](https://login.tailscale.com/admin/machines) panel.
+
+
+```json
+{
+ "tagOwners": {
+ "tag:initrd": ["autogroup:admin"],
+ "tag:client": ["autogroup:admin"],
+ "tag:server": ["autogroup:admin"],
+ },
+
+ "acls": [
+ {"action": "accept", "src": ["tag:client"], "dst": ["*:*"]},
+ {"action": "accept", "src": ["tag:server"], "dst": ["tag:server:*"]},
+ ],
+}
+```
+
+Even if the attacker manages to get the node keys, it won't be able to escalate into your tailscale network and all other nodes will be unreacheable.
+
+
+## Prior work and big thanks
+
+* @tavianator and his early work on https://gist.github.com/tavianator/6b00355cedae0b2ceb338e43ce8e5c1a
+* @karepker for a very detailed rootfs unlocking on [Raspeberry Pi + Archlinux](https://karepker.com/raspberry-pi/)
+* @classabbyamp for a similar [mkinitcpio hook](https://github.com/classabbyamp/mkinitcpio-tailscale) for non systemd initramfs on Void Linux
+* @wolegis for [mkinitcpio-systemd-extras](https://github.com/wolegis/mkinitcpio-systemd-extras/) that served as major inspiration for my systemd hook
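Review bot: the closing sentence of the Security Considerations section ("Even if the attacker manages to get the node keys, it won't be able to escalate into your tailscale network") claims more than the ACL delivers. With no rule whose `src` is `tag:initrd`, the initrd node cannot initiate connections to other nodes, which does contain lateral movement; but a stolen node key still lets someone bring up a node that accepts connections from `tag:client`, which is exactly the impersonation risk the section describes two paragraphs earlier (an admin connecting to unlock the disk could reach the impostor instead). Suggest rewording to say the ACL limits what a compromised initrd node can reach, and pointing readers to the Machines panel to remove or expire the initrd node if the hardware is lost. Two smaller points: the fence is tagged `json` but the snippet uses trailing commas, which strict JSON parsers reject (Tailscale's policy file format tolerates them, so either say so or drop the commas); and typos `addding`, `accordinglly`, `unreacheable`, `Raspeberry`, plus "an very secure" and "Combined that with".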