Initial commit

files/apt/02nocache

@@ -0,0 +1,2 @@
+Dir::Cache::pkgcache "";
+Dir::Cache::srcpkgcache "";

files/apt/03compress

@@ -0,0 +1,2 @@
+Acquire::GzipIndexes "true";
+Acquire::CompressionTypes::Order:: "gz";

files/apt/04norecommends

@@ -0,0 +1,2 @@
+APT::Install-Suggests "0";
+APT::Install-Recommends "0";

files/apt/10proxy

@@ -0,0 +1 @@
+Acquire::http:Proxy "";

files/apt/sources.list

@@ -0,0 +1,8 @@
+deb http://debian.proxad.net/debian/ trixie main contrib non-free non-free-firmware
+#deb-src http://ftp.debian.org/debian trixie main contrib
+
+deb http://debian.proxad.net/debian/ trixie-updates main contrib non-free non-free-firmware
+#deb-src http://ftp.debian.org/debian/ trixie-updates main contrib
+
+deb http://security.debian.org/debian-security trixie-security main contrib non-free
+#deb-src http://security.debian.org/ trixie/updates main contrib non-free-firmware

files/boot/config.txt

@@ -0,0 +1,43 @@
+# For more options and information see
+# http://www.raspberrypi.org/documentation/configuration/config-txt.md
+# Some settings may impact device functionality. See link above for details
+
+# uncomment if you get no picture on HDMI for a default "safe" mode
+#hdmi_safe=1
+
+# uncomment this if your display has a black border of unused pixels visible
+# and your display can output without overscan
+#disable_overscan=1
+
+# uncomment the following to adjust overscan. Use positive numbers if console
+# goes off screen, and negative if there is too much border
+#overscan_left=16
+#overscan_right=16
+#overscan_top=16
+#overscan_bottom=16
+
+# uncomment to force a console size. By default it will be display's size minus
+# overscan.
+#framebuffer_width=1280
+#framebuffer_height=720
+
+# uncomment if hdmi display is not detected and composite is being output
+#hdmi_force_hotplug=1
+
+# uncomment to force a specific HDMI mode (this will force VGA)
+#hdmi_group=1
+#hdmi_mode=1
+
+# uncomment to force a HDMI mode rather than DVI. This can make audio work in
+# DMT (computer monitor) modes
+#hdmi_drive=2
+
+# uncomment to increase signal to HDMI, if you have interference, blanking, or
+# no display
+#config_hdmi_boost=4
+
+# uncomment for composite PAL
+#sdtv_mode=2
+
+# uncomment to overclock the arm. 700 MHz is the default.
+#arm_freq=800

files/boot/uboot.mkimage

@@ -0,0 +1,16 @@
+# Set device tree fdtfile
+setenv dtbfile bcm2709-rpi-2-b.dtb
+
+# Tell Linux that it is booting on a Raspberry Pi2/3
+setenv machid 0x00000c42
+
+# Save these changes to u-boot's environment
+saveenv
+
+# Load the existing Linux kernel into RAM
+mmc dev 0
+fatload mmc 0:1 ${kernel_addr_r} kernel7.img
+fatload mmc 0:1 ${fdt_addr_r} ${dtbfile}
+fatload mmc 0:1 ${ramdisk_addr_r} ${initramfs}
+
+# Boot the kernel we have just loaded

files/dpkg/01nodoc

@@ -0,0 +1,9 @@
+path-exclude=/usr/share/doc/*
+path-include=/usr/share/doc/*/copyright
+path-exclude=/usr/share/man/*
+path-exclude=/usr/share/groff/*
+path-exclude=/usr/share/info/*
+path-exclude=/usr/share/lintian/*
+path-exclude=/usr/share/linda/*
+path-exclude=/usr/share/locale/*
+path-include=/usr/share/locale/en*

files/etc/99-com.rules

@@ -0,0 +1,33 @@
+SUBSYSTEM=="input", GROUP="input", MODE="0660"
+SUBSYSTEM=="i2c-dev", GROUP="i2c", MODE="0660"
+SUBSYSTEM=="spidev", GROUP="spi", MODE="0660"
+SUBSYSTEM=="bcm2835-gpiomem", GROUP="gpio", MODE="0660"
+
+SUBSYSTEM=="gpio", GROUP="gpio", MODE="0660"
+SUBSYSTEM=="gpio*", PROGRAM="/bin/sh -c '\
+	chown -R root:gpio /sys/class/gpio && chmod -R 770 /sys/class/gpio;\
+	chown -R root:gpio /sys/devices/virtual/gpio && chmod -R 770 /sys/devices/virtual/gpio;\
+	chown -R root:gpio /sys$devpath && chmod -R 770 /sys$devpath\
+'"
+
+KERNEL=="ttyAMA[01]", PROGRAM="/bin/sh -c '\
+	ALIASES=/proc/device-tree/aliases; \
+	if cmp -s $ALIASES/uart0 $ALIASES/serial0; then \
+		echo 0;\
+	elif cmp -s $ALIASES/uart0 $ALIASES/serial1; then \
+		echo 1; \
+	else \
+		exit 1; \
+	fi\
+'", SYMLINK+="serial%c"
+
+KERNEL=="ttyS0", PROGRAM="/bin/sh -c '\
+	ALIASES=/proc/device-tree/aliases; \
+	if cmp -s $ALIASES/uart1 $ALIASES/serial0; then \
+		echo 0; \
+	elif cmp -s $ALIASES/uart1 $ALIASES/serial1; then \
+		echo 1; \
+	else \
+		exit 1; \
+	fi \
+'", SYMLINK+="serial%c"

files/etc/rc.local

@@ -0,0 +1,14 @@
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+exit 0

files/firstboot/10-begin.sh

@@ -0,0 +1,2 @@
+#!/bin/sh -e
+logger -t "rc.firstboot" "Starting first boot actions"

files/firstboot/20-expandroot.sh

@@ -0,0 +1,68 @@
+logger -t "rc.firstboot" "Expanding root partition"
+
+# Detect root partition device
+ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
+if [ -z "$ROOT_PART" ] ; then
+  log_warning_msg "unable to detect root partition device"
+  return 1
+fi
+
+# Extract root device name
+case "${ROOT_PART}" in
+  mmcblk0*) ROOT_DEV=mmcblk0 ;;
+  sda*)     ROOT_DEV=sda ;;
+esac
+
+# Check detected root partition name
+PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
+if [ "$PART_NUM" = "$ROOT_PART" ] ; then
+  logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand"
+  return 0
+fi
+
+# NOTE: the NOOBS partition layout confuses parted. For now, let's only
+# agree to work with a sufficiently simple partition layout
+if [ "$PART_NUM" -gt 2 ] ; then
+  logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool."
+  return 0
+fi
+
+# Check if last partition number
+LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
+if [ $LAST_PART_NUM -ne $PART_NUM ]; then
+  logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand"
+  return 0
+fi
+
+# Get the starting offset of the root partition
+PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
+if [ -z "$PART_START" ] ; then
+  logger -t "rc.firstboot" "${ROOT_DEV} unable to get starting sector of the partition"
+  return 1
+fi
+
+# Get the possible last sector for the root partition
+PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
+if [ -z "$PART_LAST" ] ; then
+  logger -t "rc.firstboot" "${ROOT_DEV} unable to get last sector of the partition"
+  return 1
+fi
+
+### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
+fdisk /dev/${ROOT_DEV} <<EOF2 || true
+p
+d
+$PART_NUM
+n
+p
+$PART_NUM
+$PART_START
+$PART_LAST
+p
+w
+EOF2
+
+# Reload the partition table, resize root filesystem then remove resizing code from this file
+partprobe &&
+  resize2fs /dev/${ROOT_PART} &&
+  logger -t "rc.firstboot" "Root partition successfully resized."

files/firstboot/21-regenerate-initramfs.sh

@@ -0,0 +1,32 @@
+logger -t "rc.firstboot" "Regenerating initramfs to remove encrypted root partition auto-expand"
+
+KERNEL_VERSION=$(uname -r)
+KERNEL_ARCH=$(uname -m)
+INITRAMFS="/boot/firmware/initramfs-${KERNEL_VERSION}"
+INITRAMFS_UBOOT="${INITRAMFS}.uboot"
+
+# Extract kernel arch
+case "${KERNEL_ARCH}" in
+  arm*) KERNEL_ARCH=arm ;;
+  aarch64) KERNEL_ARCH=arm64 ;;
+esac
+
+# Regenerate initramfs
+if [ -r "${INITRAMFS}" ] ; then
+  rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
+  rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
+  rm -f /etc/initramfs-tools/hooks/expand-tools
+  rm -f "${INITRAMFS}"
+  mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
+fi
+
+# Convert generated initramfs for U-Boot using mkimage
+if [ -r "${INITRAMFS_UBOOT}" ] ; then
+  rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
+  rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
+  rm -f /etc/initramfs-tools/hooks/expand-tools
+  rm -f "${INITRAMFS_UBOOT}"
+  mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
+  mkimage -A "${KERNEL_ARCH}" -T ramdisk -C none -n "initramfs-${KERNEL_VERSION}" -d "${INITRAMFS}" "${INITRAMFS_UBOOT}"
+  rm -f "${INITRAMFS}"
+fi

files/firstboot/23-restart-dphys-swapfile.sh

@@ -0,0 +1,5 @@
+# Restart dphys-swapfile service if it exists
+logger -t "rc.firstboot" "Restarting dphys-swapfile"
+
+systemctl enable dphys-swapfile
+systemctl restart dphys-swapfile

files/firstboot/30-generate-ssh-keys.sh

@@ -0,0 +1,26 @@
+logger -t "rc.firstboot" "Generating SSH host keys"
+
+if [ -d "/etc/ssh/" ] ; then
+  # Remove ssh host keys
+  rm -f /etc/ssh/ssh_host_*
+  systemctl stop sshd
+
+  # Regenerate ssh host keys
+  ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
+  ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
+  ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
+  ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
+  systemctl start sshd
+fi
+
+if [ -d "/etc/dropbear/" ] ; then
+  # Remove ssh host keys
+  rm -f /etc/dropbear/dropbear_*
+  systemctl stop dropbear
+
+  # Regenerate ssh host keys
+  dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
+  dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
+  dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
+  systemctl start dropbear
+fi

files/firstboot/40-generate-machineid.sh

@@ -0,0 +1,3 @@
+logger -t "rc.firstboot" "Generating D-Bus machine-id"
+rm -f /var/lib/dbus/machine-id 
+dbus-uuidgen --ensure

files/firstboot/41-create-resolv-symlink.sh

@@ -0,0 +1,18 @@
+logger -t "rc.firstboot" "Creating /etc/resolv.conf symlink"
+
+# Check if systemd resolve directory exists
+if [ ! -d "/run/systemd/resolve" -a ! -e "/etc/resolv.conf" ] ; then
+  systemctl enable systemd-resolved.service
+  systemctl restart systemd-resolved.service
+fi
+
+# Create resolv.conf file if it does not exists
+if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then
+  touch /run/systemd/resolve/resolv.conf
+fi
+
+# Create symlink to /etc/reolv.conf if not exists yet
+if [ ! -e "/etc/resolv.conf" ] ; then
+  ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
+fi
+

files/firstboot/42-config-ifnames.sh

@@ -0,0 +1,32 @@
+logger -t "rc.firstboot" "Configuring network interface name"
+
+INTERFACE_NAME_ETH=$(dmesg | grep "renamed from eth0" | awk -F ":| " '{ print $9 }')
+INTERFACE_NAME_WIFI=$(dmesg | grep "renamed from wlan0" | awk -F ":| " '{ print $9 }')
+
+if [ ! -z INTERFACE_NAME_ETH ] ; then
+  if [ -r "/etc/systemd/network/eth0.network" ] ; then
+    sed -i "s/eth0/${INTERFACE_NAME_ETH}/" /etc/systemd/network/eth0.network
+  fi
+
+  if [ -r "/lib/systemd/network/10-eth0.network" ] ; then
+    sed -i "s/eth0/${INTERFACE_NAME_ETH}/" /lib/systemd/network/10-eth0.network
+  fi
+  # Move config to new interface name
+  mv /etc/systemd/network/eth0.network /etc/systemd/network/"${INTERFACE_NAME_ETH}".network
+fi
+
+if [ ! -z INTERFACE_NAME_WIFI ] ; then
+  if [ -r "/etc/systemd/network/wlan0.network" ] ; then
+    sed -i "s/wlan0/${INTERFACE_NAME_WIFI}/" /etc/systemd/network/wlan0.network
+  fi
+
+  if [ -r "/lib/systemd/network/11-wlan0.network" ] ; then
+    sed -i "s/wlan0/${INTERFACE_NAME_WIFI}/" /lib/systemd/network/11-wlan0.network
+  fi
+  # Move config to new interface name
+  mv /etc/systemd/network/wlan0.network /etc/systemd/network/"${INTERFACE_NAME_WIFI}".network
+  
+  systemctl disable wpa_supplicant@wlan0.service 
+  systemctl enable wpa_supplicant@"${INTERFACE_NAME_WIFI}".service 
+  systemctl start wpa_supplicant@"${INTERFACE_NAME_WIFI}".service 
+fi

files/firstboot/99-finish.sh

@@ -0,0 +1,7 @@
+logger -t "rc.firstboot" "Reload systemd manager configuration"
+systemctl daemon-reload
+systemctl restart networking.service
+systemctl restart systemd-networkd.service
+logger -t "rc.firstboot" "First boot actions finished"
+rm -f /etc/rc.firstboot
+sed -i '/.*rc.firstboot/d' /etc/rc.local

files/initramfs/crypt_unlock.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+PREREQ="dropbear"
+
+prereqs() {
+echo "$PREREQ"
+}
+
+case "$1" in
+prereqs)
+prereqs
+exit 0
+;;
+esac
+
+. "${CONFDIR}/initramfs.conf"
+. /usr/share/initramfs-tools/hook-functions
+
+if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
+cat > "${DESTDIR}/bin/unlock" << EOF
+#!/bin/sh
+if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
+kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
+# following line kill the remote shell right after the passphrase has
+# been entered.
+kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
+exit 0
+fi
+exit 1
+EOF
+
+chmod 755 "${DESTDIR}/bin/unlock"
+
+mkdir -p "${DESTDIR}/lib/unlock"
+cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
+#!/bin/sh
+[ "\$1" == "--ping" ] && exit 1
+/bin/plymouth "\$@"
+EOF
+
+chmod 755 "${DESTDIR}/lib/unlock/plymouth"
+
+echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
+
+fi

files/initramfs/expand-premount

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+# Check for cryptdevice variable
+if [ -z "$cryptdevice" ] ; then
+  echo "unable to get cryptdevice variable (local-premount)"
+  exit 1
+fi
+
+if [ -n "$ROOT" ] ; then
+  # Resize encrypted root partition
+  cryptsetup resize "${ROOT}"
+  e2fsck -fp "${ROOT}"
+  resize2fs -f "${ROOT}"
+  e2fsck -fp "${ROOT}"
+fi
+
+exit 0

files/initramfs/expand-tools

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+# Use initramfs utility functions
+. /usr/share/initramfs-tools/hook-functions
+
+# Add binaries required for resizing the filesystem
+copy_exec /bin/grep /bin
+copy_exec /usr/bin/awk /bin
+copy_exec /usr/bin/cut /bin
+copy_exec /usr/bin/tail /bin
+copy_exec /sbin/fdisk /sbin
+copy_exec /sbin/parted /sbin
+copy_exec /sbin/e2fsck /sbin
+copy_exec /sbin/resize2fs /sbin
+copy_exec /sbin/partprobe /sbin
+
+exit 0

files/initramfs/expand_encrypted_rootfs

@@ -0,0 +1,96 @@
+#!/bin/sh
+# expand_encrypted_rootfs initramfs-tools boot script
+
+# dependencies: grep awk cut tail fdisk parted e2fsck resize2fs
+
+set -e
+
+# Wait for USB devices to be ready
+sleep 5
+
+# Use initramfs utility functions
+if [ -r "/scripts/functions" ] ; then
+  . /scripts/functions
+fi
+
+# Check for cryptdevice variable
+if [ -z "$cryptdevice" ] ; then
+  echo "unable to get cryptdevice variable (init-premount)"
+  return 1
+fi
+
+# Detect root partition device
+ROOT_PART=$(echo $cryptdevice | awk -F"/|:" '{ print $3 }')
+if [ -z "$ROOT_PART" ] ; then
+  log_warning_msg "unable to detect encrypted root partition device (cryptdevice)"
+  return 1
+fi
+
+# Extract root device name
+case "${ROOT_PART}" in
+  mmcblk0*) ROOT_DEV=mmcblk0 ;;
+  sda*)     ROOT_DEV=sda ;;
+esac
+
+# Check detected root partition name
+PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
+if [ "$PART_NUM" = "$ROOT_PART" ] ; then
+  log_warning_msg "$ROOT_PART is not an SD card. Don't know how to expand"
+  return 1
+fi
+
+# NOTE: the NOOBS partition layout confuses parted. For now, let's only
+# agree to work with a sufficiently simple partition layout
+if [ "$PART_NUM" -gt 2 ] ; then
+  log_warning_msg "Your partition layout is not currently supported by this tool."
+  return 1
+fi
+
+# Check if last partition number
+LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
+if [ $LAST_PART_NUM -ne $PART_NUM ]; then
+  log_warning_msg "$ROOT_PART is not the last partition. Don't know how to expand"
+  return 1
+fi
+
+# Get the starting offset of the root partition
+PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
+if [ -z "$PART_START" ] ; then
+  log_warning_msg "${ROOT_DEV} unable to get starting sector of the partition"
+  return 1
+fi
+
+# Get the current last sector of the root partition
+PART_END=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 3 -d: | sed 's/[^0-9]//g')
+if [ -z "$PART_END" ] ; then
+  log_warning_msg "${ROOT_DEV} unable to get last sector of the partition"
+  return 1
+fi
+
+# Get the possible last sector for the root partition
+PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
+if [ -z "$PART_LAST" ] ; then
+  log_warning_msg "${ROOT_DEV} unable to get last possible sector of the partition"
+  return 1
+fi
+
+### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
+if [ $PART_END != $PART_LAST ] ; then
+  fdisk /dev/${ROOT_DEV} 2> /dev/null <<EOF2 || true
+p
+d
+$PART_NUM
+n
+p
+$PART_NUM
+$PART_START
+$PART_LAST
+p
+w
+EOF2
+
+  partprobe
+  log_success_msg "Root partition successfully resized."
+else
+  log_success_msg "Root partition already resized."
+fi

files/iptables/flush-ip6tables.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+ip6tables -F
+ip6tables -X
+ip6tables -Z
+
+for table in $(</proc/net/ip6_tables_names)
+do
+  ip6tables -t \$table -F
+  ip6tables -t \$table -X
+  ip6tables -t \$table -Z
+done
+
+ip6tables -P INPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+ip6tables -P FORWARD ACCEPT

files/iptables/flush-iptables.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT

files/iptables/ip6tables.rules

@@ -0,0 +1,48 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+:SSH - [0:0]
+
+# Drop packets with RH0 headers
+-A INPUT -m rt --rt-type 0 -j DROP
+-A OUTPUT -m rt --rt-type 0 -j DROP
+-A FORWARD -m rt --rt-type 0 -j DROP
+
+# Rate limit ping requests
+-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
+
+# Accept established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept all traffic on loopback interface
+-A INPUT -i lo -j ACCEPT
+
+# Drop packets declared invalid
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# SSH rate limiting
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+-A SSH -m recent --name sshbf --set -j ACCEPT
+
+# Send TCP and UDP connections to their respective rules chain
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+# Reject dropped packets with a RFC compliant responce
+-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+
+## TCP PORT RULES
+# -A TCP -p tcp -j LOG
+
+## UDP PORT RULES
+# -A UDP -p udp -j LOG
+
+COMMIT

files/iptables/ip6tables.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore -w 5 /etc/iptables/ip6tables.rules
+ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/etc/iptables/flush-ip6tables.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

files/iptables/iptables.rules

@@ -0,0 +1,43 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+:SSH - [0:0]
+
+# Rate limit ping requests
+-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j DROP
+
+# Accept established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept all traffic on loopback interface
+-A INPUT -i lo -j ACCEPT
+
+# Drop packets declared invalid
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# SSH rate limiting
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+-A SSH -m recent --name sshbf --set -j ACCEPT
+
+# Send TCP and UDP connections to their respective rules chain
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+# Reject dropped packets with a RFC compliant responce
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -p tcp -j REJECT --reject-with tcp-rst
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+## TCP PORT RULES
+# -A TCP -p tcp -j LOG
+
+## UDP PORT RULES
+# -A UDP -p udp -j LOG
+
+COMMIT

files/iptables/iptables.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore -w 5 /etc/iptables/iptables.rules
+ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/etc/iptables/flush-iptables.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

files/iptables/nftables.rules

@@ -0,0 +1,21 @@
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; }
+add chain ip filter FORWARD { type filter hook forward priority 0; }
+add chain ip filter OUTPUT { type filter hook output priority 0; }
+add chain ip filter TCP
+add chain ip filter UDP
+add chain ip filter SSH
+add rule ip filter INPUT icmp type echo-request limit rate 30/minute burst 8 packets counter accept
+add rule ip filter INPUT icmp type echo-request counter drop
+add rule ip filter INPUT ct state related,established counter accept
+add rule ip filter INPUT iifname lo counter accept
+add rule ip filter INPUT ct state invalid counter drop
+add rule ip filter INPUT tcp dport 22 ct state new counter jump SSH
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT 
+add rule ip filter INPUT ip protocol udp ct state new counter jump UDP
+add rule ip filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip filter INPUT ip protocol udp counter reject
+add rule ip filter INPUT ip protocol tcp counter reject with tcp reset
+add rule ip filter INPUT counter reject with icmp type prot-unreachable

files/iptables/nftables6.rules

@@ -0,0 +1,24 @@
+add table ip6 filter
+add chain ip6 filter INPUT { type filter hook input priority 0; }
+add chain ip6 filter FORWARD { type filter hook forward priority 0; }
+add chain ip6 filter OUTPUT { type filter hook output priority 0; }
+add chain ip6 filter TCP
+add chain ip6 filter UDP
+add chain ip6 filter SSH
+add rule ip6 filter INPUT rt type 0 counter drop
+add rule ip6 filter OUTPUT rt type 0 counter drop
+add rule ip6 filter FORWARD rt type 0 counter drop
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request  limit rate 30/minute burst 8 packets counter accept
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request  counter drop
+add rule ip6 filter INPUT ct state related,established counter accept
+add rule ip6 filter INPUT iifname lo counter accept
+add rule ip6 filter INPUT ct state invalid counter drop
+add rule ip6 filter INPUT tcp dport 22 ct state new counter jump SSH
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT 
+add rule ip6 filter INPUT meta l4proto udp ct state new counter jump UDP
+add rule ip6 filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip6 filter INPUT meta l4proto udp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT meta l4proto tcp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT counter reject with icmpv6 type admin-prohibited

files/locales/locale

@@ -0,0 +1,3 @@
+# File generated by rpi23-gen-image
+LANG=C
+LC_ALL=C

files/modules/raspi-blacklist.conf

@@ -0,0 +1,9 @@
+blacklist snd_soc_core
+blacklist snd_pcm
+blacklist snd_pcm_dmaengine
+blacklist snd_timer
+blacklist snd_compress
+blacklist snd_soc_pcm512x_i2c
+blacklist snd_soc_pcm512x
+blacklist snd_soc_tas5713
+blacklist snd_soc_wm8804

files/modules/rpi2.conf

@@ -0,0 +1,5 @@
+# bcm2708_rng
+# snd_bcm2835
+# i2c-bcm2708
+# i2c-dev
+# rtc-ds1307

files/mount/crypttab

@@ -0,0 +1 @@
+# <target name> <source device> <key file> <options>

files/mount/fstab

@@ -0,0 +1,2 @@
+/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
+/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2

files/network/eth.network

@@ -0,0 +1,12 @@
+[Match]
+Name=eth0
+
+[Network]
+DHCP=no
+Address=
+Gateway=
+DNS=
+DNS=
+Domains=
+NTP=
+NTP=

files/network/eth0.network

@@ -0,0 +1,14 @@
+[Match]
+Name=eth0
+
+[Network]
+RouteMetric=10
+IPv6PrivacyExtensions=true
+DHCP=no
+Address=
+Gateway=
+DNS=
+DNS=
+Domains=
+NTP=
+NTP=

files/network/host.conf

@@ -0,0 +1,2 @@
+# spoof warn
+multi on

files/network/hostname

@@ -0,0 +1 @@
+RaspberryPI

files/network/hosts

@@ -0,0 +1,6 @@
+127.0.0.1       localhost
+127.0.1.1       RaspberryPI
+
+::1             localhost ip6-localhost ip6-loopback
+ff02::1         ip6-allnodes
+ff02::2         ip6-allrouters

files/network/interfaces

@@ -0,0 +1,2 @@
+# Debian switched to systemd-networkd configuration files.
+# please configure your networks in '/etc/systemd/network/'

files/network/wlan.network

@@ -0,0 +1,12 @@
+[Match]
+Name=wlan0
+
+[Network]
+DHCP=no
+Address=
+Gateway=
+DNS=
+DNS=
+Domains=
+NTP=
+NTP=

files/network/wlan0.network

@@ -0,0 +1,14 @@
+[Match]
+Name=wlan0
+
+[Network]
+RouteMetric=20
+IPv6PrivacyExtensions=true
+DHCP=no
+Address=
+Gateway=
+DNS=
+DNS=
+Domains=
+NTP=
+NTP=

files/sysctl.d/81-rpi-vm.conf

@@ -0,0 +1,6 @@
+# Avoid swapping and increase cache sizes
+vm.swappiness=1
+vm.dirty_background_ratio=20
+vm.dirty_ratio=40
+vm.dirty_writeback_centisecs=500
+vm.dirty_expire_centisecs=6000

files/sysctl.d/82-rpi-net-hardening.conf

@@ -0,0 +1,59 @@
+# Enable network stack hardening
+net.ipv4.tcp_timestamps=0
+net.ipv4.tcp_syncookies=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv4.conf.lo.accept_redirects=0
+net.ipv4.conf.lo.send_redirects=0
+net.ipv4.conf.lo.accept_source_route=0
+net.ipv4.conf.eth0.accept_redirects=0
+net.ipv4.conf.eth0.send_redirects=0
+net.ipv4.conf.eth0.accept_source_route=0
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.all.router_solicitations=0
+net.ipv6.conf.all.accept_ra_rtr_pref=0
+net.ipv6.conf.all.accept_ra_pinfo=0
+net.ipv6.conf.all.accept_ra_defrtr=0
+net.ipv6.conf.all.autoconf=0
+net.ipv6.conf.all.dad_transmits=0
+net.ipv6.conf.all.max_addresses=1
+
+net.ipv6.conf.default.accept_redirects=0
+net.ipv6.conf.default.accept_source_route=0
+net.ipv6.conf.default.router_solicitations=0
+net.ipv6.conf.default.accept_ra_rtr_pref=0
+net.ipv6.conf.default.accept_ra_pinfo=0
+net.ipv6.conf.default.accept_ra_defrtr=0
+net.ipv6.conf.default.autoconf=0
+net.ipv6.conf.default.dad_transmits=0
+net.ipv6.conf.default.max_addresses=1
+
+net.ipv6.conf.lo.accept_redirects=0
+net.ipv6.conf.lo.accept_source_route=0
+net.ipv6.conf.lo.router_solicitations=0
+net.ipv6.conf.lo.accept_ra_rtr_pref=0
+net.ipv6.conf.lo.accept_ra_pinfo=0
+net.ipv6.conf.lo.accept_ra_defrtr=0
+net.ipv6.conf.lo.autoconf=0
+net.ipv6.conf.lo.dad_transmits=0
+net.ipv6.conf.lo.max_addresses=1
+
+net.ipv6.conf.eth0.accept_redirects=0
+net.ipv6.conf.eth0.accept_source_route=0
+net.ipv6.conf.eth0.router_solicitations=0
+net.ipv6.conf.eth0.accept_ra_rtr_pref=0
+net.ipv6.conf.eth0.accept_ra_pinfo=0
+net.ipv6.conf.eth0.accept_ra_defrtr=0
+net.ipv6.conf.eth0.autoconf=0
+net.ipv6.conf.eth0.dad_transmits=0
+net.ipv6.conf.eth0.max_addresses=1

files/sysctl.d/83-rpi-printk.conf

@@ -0,0 +1 @@
+kernel.printk = 3 4 1 3

files/sysctl.d/84-rpi-ASLR.conf

@@ -0,0 +1,2 @@
+# ASLR
+kernel.randomize_va_space = 2

files/xorg/99-fbturbo.conf

@@ -0,0 +1,6 @@
+Section "Device"
+        Identifier "Allwinner A10/A13 FBDEV"
+        Driver "fbturbo"
+        Option "fbdev" "/dev/fb0"
+        Option "SwapbuffersWait" "true"
+EndSection