Commit graph

7 commits

Author SHA1 Message Date
Kayos
bddc15079d liberate: v0.4 — /data-only writes, no SSH hardening, usb-updater preserved
2026-03-15 08:26:21 -07:00
Kayos
1e52de52dd fix: /root read-only on Keem Bay Yocto — move SSH keys to /data/adacam/.ssh
- authorized_keys moved to /data/adacam/.ssh/authorized_keys (writable)
- sshd AuthorizedKeysFile updated to match
- Added filesystem writability check early in script
- sshd -t check tries both sshd and /usr/sbin/sshd
2026-03-14 21:39:15 -07:00
e5b4e0056e fix: pre-liberation review — ssh guard, set -e safety, serial fallback, ip-change deferral, redis key fallback
CRITICAL fixes:
- SSH hardening: guard to prevent duplicate directives, sshd -t validation before restart
- set -euo pipefail: added || true to optional commands (systemctl stop/mask, ip addr, udevadm, etc.)
- SSH survives IP change: defer all network changes to reboot via persistence service
- Serial detection: fail loudly instead of timestamp fallback
- GPS Redis keys: try multiple key names with fallback (GNSSFusion30Hz, GnssData, GnssFreqHz, gnss:latest)

IMPORTANT fixes:
- adacam-forwarder.py: signal handlers for graceful shutdown
- adacam-wigle.py: signal handlers and GPS key fallback
2026-03-14 17:59:08 -07:00
Kayos
e01748422c feat: signed USB recovery (Option A)
- keys/adacam-update-public.pem: RSA-4096 public key for bundle verification
  Private key: /boot/config/adacam/adacam-update-private.pem on Lucy
- services/updater/adacam-updater.sh: reference implementation of updater
- services/updater/99-adacam-usb.rules: udev rule (USB insertion trigger)
- scripts/sign-bundle.sh: create + sign a recovery bundle on Lucy
- scripts/example-bundle/install.sh: template recovery install script
- liberate.sh: Phase 5 now installs signed updater instead of just deleting
  - Hivemapper unsigned updater still removed
  - adacam-updater installed at /usr/local/bin/adacam-updater
  - verify key installed at /etc/adacam/update-verify.pem
  - udev rule installed for automatic USB trigger
  - removed duplicate usb-updater kill in boot persistence section
- keys/README.md: full key inventory, locations, usage
2026-03-14 14:49:56 -07:00
Kayos
48d648c5f2 feat: SSH key management — built-in authorized keys, key storage docs
- keys/adacam_authorized_key.pub: two public keys baked into liberate.sh
  (cobb@adacam + kayos@openclaw) — no env var needed for standard deployments
- liberate.sh: injects built-in keys always, ADACAM_PUBKEY still works additively
- keys/README.md: documents key locations, SSH usage, future signing story
- Private key: /boot/config/adacam/id_ed25519_adacam on Lucy (boot-persistent)
2026-03-14 12:23:11 -07:00
10f7c3deb8 feat: security hardening — key auth, per-device wifi, firewall, kill tunnel
2026-03-14 11:47:04 -07:00
Kayos
fc18deae49 feat: liberate.sh v0.1
- Kills all Hivemapper services (odc-api, mitmproxy, mender, beekeeper-plugin, etc)
- Blocks Hivemapper/HERE/mender endpoints in /etc/hosts
- Reconfigures AP: 192.168.0.10 → 10.77.0.1 (avoids all common uplink conflicts)
- AP SSID: adacam-{device_suffix}, pass: adacam2026
- Installs reverse tunnel to Rackham (cobb@142.44.213.229:2222)
- Fixes LTE route metric (WiFi stays preferred)
- Fixes wlp1s0f0/wlp1s0f1 routing conflict
- Sets up /data/persist/install.sh (survives OTA)
- Writes /data/adacam/config.json

TODO: adacam-api install, per-device AP password, SSH key injection
2026-03-14 09:05:17 -07:00