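# Butane config (variant fcos, spec 1.5.0), rendered by Ansible/Jinja before it is
# transpiled to Ignition. Template variables used: vm_password, vm_ssh_public_key,
# vm_user. Every Jinja expression sits inside a quoted scalar or a block scalar, so
# the unrendered template is itself valid YAML.
variant: fcos
version: 1.5.0
passwd:
  users:
    # root gets both a password hash and an SSH key. Declared here, the hash is
    # written by Ignition to /etc/shadow, which unprivileged users cannot read.
    - name: root
      password_hash: "{{ vm_password | password_hash('sha512') }}"
      ssh_authorized_keys:
        - "{{ lookup('file', vm_ssh_public_key) | trim }}"
storage:
  files:
    # NOTE(review): a root key is installed above, so "PermitRootLogin prohibit-password"
    # would keep root SSH access working while removing password guessing against root
    # on the network-facing daemon. "yes" is kept because the provisioning flow may rely
    # on root password login over SSH; switch it once that is confirmed not to be needed.
    - path: /etc/ssh/sshd_config.d/permit_root_login.conf
      # Butane's schema expects an integer here and reads the leading zero as octal,
      # so this stays an unquoted 0644 (a quoted "0644" is a string and fails validation).
      mode: 0644
      contents:
        inline: PermitRootLogin yes
systemd:
  units:
    # 1. One-shot service that physically creates the "@home" subvolume on the disk.
    #    It is ordered before home.mount and pulled in by it (RequiredBy), so the
    #    mount is never attempted against a missing subvolume.
    #    systemd substitutes $VAR in ExecStart lines (also inside quotes) and turns
    #    "$$" into a literal "$" for the shell. The existence test used "\$$sub" while
    #    the create path used "$$sub"; both now use "$$sub" so bash sees "$sub" twice.
    - name: create-home-subvolume.service
      enabled: true
      contents: |
        [Unit]
        Description=Create Btrfs Subvolume for Home (Once)
        After=local-fs-pre.target
        Before=home.mount

        [Service]
        Type=oneshot
        ExecStartPre=/usr/bin/mkdir -p /run/mnt-root-init
        ExecStartPre=/usr/bin/mount -o subvolid=5 /dev/disk/by-label/ROOT /run/mnt-root-init
        # Hier werden die Subvolumes @home angelegt, falls sie nicht existieren
        ExecStart=/usr/bin/bash -c "for sub in @home; do [ -d /run/mnt-root-init/$$sub ] || /usr/sbin/btrfs subvolume create /run/mnt-root-init/$$sub; done"
        ExecStartPost=/usr/bin/umount /run/mnt-root-init
        ExecStartPost=/usr/bin/rmdir /run/mnt-root-init
        RemainAfterExit=true

        [Install]
        RequiredBy=home.mount
    # The unit name MUST match the mount path exactly (/home becomes home.mount).
    - name: home.mount
      enabled: true
      contents: |
        [Unit]
        Description=Mount Separates Home Laufwerk
        Before=local-fs.target

        [Mount]
        What=/dev/disk/by-label/ROOT
        Where=/home
        Type=btrfs
        Options=defaults,subvol=@home

        [Install]
        WantedBy=local-fs.target
    # The additional user is created HERE, only AFTER /home is mounted, so its home
    # directory lands on the @home subvolume instead of the root filesystem.
    # Details of the ExecStart line:
    #  - systemd substitutes $VAR in command lines even inside quotes and treats an
    #    unknown variable as empty. A sha512 crypt hash ($6$salt$hash) would be
    #    mangled that way, so every "$" in it is doubled with replace('$', '$$');
    #    systemd collapses "$$" back to "$" and usermod receives the hash intact.
    #  - The unit comment says the user joins wheel, but useradd carries no "-G wheel":
    #    the user gets NO sudo rights. Add "-G wheel" deliberately if that is wanted.
    #  - ConditionPathExists skips the unit on later boots. Without it, useradd fails
    #    with "already exists", the && chain stops and the unit fails on every reboot.
    # NOTE(review): the rendered unit file (written under /etc/systemd/system, typically
    # mode 0644) carries the password hash and the public key. Declaring the user in
    # passwd.users would keep the hash in /etc/shadow; if this service must stay,
    # consider reading the hash from a mode-0600 file created via storage.files.
    - name: create-custom-users.service
      enabled: true
      contents: |
        [Unit]
        Description=Create Additional System Users safely after Mounts
        After=home.mount
        Requires=home.mount
        Before=multi-user.target
        ConditionPathExists=!/home/{{ vm_user }}

        [Service]
        Type=oneshot
        # Legt den User an, setzt das Home-Verzeichnis, fügt ihn zu wheel (sudo) hinzu und setzt den SSH Key
        ExecStart=/usr/bin/bash -c "\
        /usr/sbin/useradd -m -s /bin/bash {{ vm_user }} && \
        /usr/sbin/usermod -p '{{ vm_password | password_hash('sha512') | replace('$', '$$') }}' {{ vm_user }} && \
        /usr/bin/mkdir -p /home/{{ vm_user }}/.ssh && \
        /usr/bin/echo '{{ lookup('file', vm_ssh_public_key) | trim }}' > /home/{{ vm_user }}/.ssh/authorized_keys && \
        /usr/bin/chown -R {{ vm_user }}:{{ vm_user }} /home/{{ vm_user }}/.ssh && \
        /usr/bin/chmod 700 /home/{{ vm_user }}/.ssh && \
        /usr/bin/chmod 600 /home/{{ vm_user }}/.ssh/authorized_keys"
        RemainAfterExit=true

        [Install]
        WantedBy=multi-user.target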